How to Set Up Wazuh for Self-Hosted SIEM and Threat Detection

Splunk Enterprise starts at around $2,000 per GB ingested per year. For an SMB pushing 50 GB of logs a day, that math gets ugly fast. So when somebody asks me what to deploy when they need a real SIEM but don't have a Fortune 500 budget, I say the same thing every time: Wazuh.

Look, I'm going to be real with you. SIEM tools have a reputation for being expensive, miserable to configure, and overkill for teams smaller than a bank. Wazuh breaks all three. It's open source, it runs on a single VM if you want, and the default rule set catches more real attacks than most paid agents do out of the box.

Here's how to actually stand one up.

What Wazuh actually does

Wazuh is three things bolted into one platform:

  • HIDS (host intrusion detection): SSH brute force, suspicious sudo, rootkits, unexpected processes
  • FIM (file integrity monitoring): modified binaries, tampered configs, dropped webshells
  • Vulnerability scanning: unpatched packages, CVEs on installed software
  • Compliance reporting: PCI DSS, HIPAA, GDPR, NIST 800-53 control mappings

That last item matters more than most teams realize. If your auditor asks for evidence of file integrity monitoring across production servers, Wazuh hands them a ready-made report instead of you cobbling one together from auditd logs.

Architecture in 30 seconds

Wazuh has four moving parts:

  • Wazuh Manager: the brain. Receives events from agents, applies rules, generates alerts.
  • Wazuh Indexer: an OpenSearch fork that stores everything searchable.
  • Wazuh Dashboard: the OpenSearch Dashboards UI rebranded for security workflows.
  • Wazuh Agents: lightweight daemons (under 30 MB RAM) installed on every host you want to monitor.

For SMB-sized deployments (under 50 servers), all three server components run happily on a single VM. Above 100 servers you'll want to split the indexer onto its own machine.

Deploy on Elestio in one click

Skip the bare-metal install dance. Spin up Wazuh on Elestio and you get the Manager, Indexer, and Dashboard pre-wired with TLS, automatic backups, and a managed update pipeline. Pick the 4 vCPU / 8 GB tier for anything beyond a homelab; Wazuh's indexer is RAM-hungry.

Five minutes after the VM lands, you'll have the dashboard at https://your-instance.vm.elestio.app. Default login is admin plus the password Elestio drops in your service details. Change it before you do anything else.

Install your first agent

On any Linux server you want to monitor, run:

# Download the 4.7.0 agent package (amd64 Debian/Ubuntu build); run these as root
curl -sO https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0-1_amd64.deb
# WAZUH_MANAGER tells the installer which manager to enroll with; use a hostname the agent can actually reach
WAZUH_MANAGER="your-instance.vm.elestio.app" dpkg -i wazuh-agent_4.7.0-1_amd64.deb
# Start the agent now and keep it enabled across reboots
systemctl enable --now wazuh-agent

Pop back to the dashboard. Under Agents, you'll see the new host appear within 30 seconds and start streaming events. That's it. You now have host intrusion detection running.

Three things to configure on day one

Default Wazuh is useful, but spend ten minutes on these and it becomes dangerous-to-attackers good:

1. Turn on file integrity monitoring for the right paths. In the Manager config (/var/ossec/etc/ossec.conf), inside the <syscheck> block, add <directories check_all="yes" realtime="yes">/etc,/usr/bin,/var/www</directories>. Now any change to those paths fires an alert in real time. Webshell dropped into /var/www? You get pinged in seconds.

2. Hook alerts into something you actually check. Wazuh ships with integrations for Slack, PagerDuty, Microsoft Teams, and generic webhooks. Configure one. An alert sitting in a dashboard nobody opens is a tree falling in an empty forest.

3. Enable vulnerability scanning. In ossec.conf set <vulnerability-detector><enabled>yes</enabled></vulnerability-detector>. Wazuh pulls CVE feeds from NVD, Red Hat, Canonical, and others, then maps them against the package inventory each agent reports. You wake up to a list of patches that actually matter on your specific hosts.
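The three day-one settings as ossec.conf fragments, an added example rather than the page's or the Wazuh project's own configuration. The manager hostname and Slack hook URL are placeholders; note that a <syscheck> block is read by the agent on the host it monitors (the manager's own <syscheck> only watches the manager itself), so the agent-side fragment goes on each monitored host or is pushed to agents via the manager's shared agent.conf.

```xml
<!-- Agent side: /var/ossec/etc/ossec.conf on each monitored host -->
<ossec_config>
  <client>
    <server>
      <!-- Public hostname of the manager; agents behind NAT must be able to resolve and reach it -->
      <address>your-instance.vm.elestio.app</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>

  <syscheck>
    <disabled>no</disabled>
    <!-- Step 1: realtime FIM on the listed paths; check_all covers hash, size, perms, owner and mtime -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/var/www</directories>
    <!-- Cut the obvious noise so real tampering stands out -->
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>

<!-- Manager side: /var/ossec/etc/ossec.conf on the Wazuh Manager -->
<ossec_config>
  <!-- Step 2: forward alerts of level 10 and up to Slack (hook_url is a placeholder) -->
  <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/PLACEHOLDER</hook_url>
    <level>10</level>
    <alert_format>json</alert_format>
  </integration>

  <!-- Step 3: vulnerability detection (4.7.x syntax); enable feeds only for distros you actually run -->
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
</ossec_config>
```

Restart wazuh-manager after editing the manager file and wazuh-agent on each host after editing the agent file; until then the changes are not read.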

Real cost on Elestio

  • 10 to 25 agents: 4 vCPU / 8 GB, from ~$60 per month
  • 25 to 100 agents: 8 vCPU / 16 GB, from ~$120 per month
  • 100+ agents: split the indexer onto its own VM, from ~$250 per month

Compare that to Splunk Enterprise at ~$2,000/GB/year for the same ingest volume and the math sells itself. You're trading a license bill for a managed infrastructure cost.

Common gotchas

A few traps I've watched teams fall into:

  • Disk fills faster than you expect. Indexer storage grows ~1 GB per agent per month at default verbosity. Set retention to 90 days unless compliance requires longer, and budget disk accordingly.
  • Alert fatigue is real. Wazuh's default rules generate a lot of noise. Spend an hour in week one tuning out the obvious benign events for your environment, otherwise you'll start ignoring the dashboard.
  • Agents behind NAT need the right config. Set the <address> element (under <client><server>) in the agent's ossec.conf to your Wazuh Manager's public hostname, not the internal one. This breaks more first-time deployments than any single setting.
  • Don't skip the agent updates. Old agents miss new rule packs. Wazuh ships rule updates monthly; agents need to stay within one minor version of the manager.

Deploy Wazuh on Elestio

One-click deployment, TLS configured, backups running, dashboard reachable in five minutes:

Bring your own servers, point the agents at the manager, and you have a real SIEM that catches real attacks without a six-figure SaaS bill.

Thanks for reading ❤️

See you in the next one 👋