Config files for setting up Wazuh monitoring on a personal Linux instance using Docker.
📖 Full setup guide: heeeyaaa.github.io/posts/wazuh-homelab
- Arch Linux (or any systemd-based distro)
- Docker + docker-compose
- auditd
- yay (for Wazuh agent AUR package)
- Discord server with a webhook URL
- Clone this repo into your home directory
- Edit `ossec.conf`: replace `CHANGE_ME_INDEXER_PASSWORD` with your indexer password
- Edit `ossec.conf`: replace `YOUR-DISCORD-WEBHOOK-URL` with your webhook URL
- Run the setup script: `bash copy-configs.sh`

| File | Description |
|---|---|
| `copy-configs.sh` | Places all config files in the correct locations |
| `ossec.conf` | Wazuh manager config |
| `agent.conf` | Wazuh agent config |
| `local_rules.xml` | Custom detection rules |
| `wazuh-command.rules` | Auditd monitoring rules |
| `dangerous-commands` | Commands to watch for execution |
| `sca_detect_linux_keylogger.yml` | SCA keylogger detection policy |
| `custom-discord` | Discord integration wrapper |
| `custom-discord.py` | Discord integration script |
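The two edit steps above are easy to miss, and `copy-configs.sh` will happily deploy an `ossec.conf` that still contains the `CHANGE_ME_INDEXER_PASSWORD` or `YOUR-DISCORD-WEBHOOK-URL` placeholder. The script below is an added example (not part of this repo) that checks for leftover placeholders, fills them in without hardcoding secrets into a shell history line of `sed`, and tightens the file mode, since the filled-in file now holds an indexer password and a webhook URL. The `make_sample` function builds a constructed `ossec.conf` fragment for demonstration; the element layout inside it is an assumption and is not copied from the repo's file.

```shell
#!/usr/bin/env bash
# Pre-flight check for the ossec.conf edit steps (added example, not repo code).
# Placeholders named in the README that must be replaced before deployment.
PLACEHOLDERS="CHANGE_ME_INDEXER_PASSWORD YOUR-DISCORD-WEBHOOK-URL"

# check_placeholders FILE: returns 0 if no placeholder remains, 1 otherwise.
check_placeholders() {
    conf="$1"
    rc=0
    for p in $PLACEHOLDERS; do
        if grep -qF -- "$p" "$conf"; then
            echo "unreplaced placeholder: $p in $conf" >&2
            rc=1
        fi
    done
    return $rc
}

# replace_placeholder FILE NAME VALUE: literal replacement of NAME by VALUE.
# Escapes the sed-special characters \ & | so that passwords or webhook URLs
# containing them are inserted verbatim (GNU sed -i, as on Arch).
replace_placeholder() {
    conf="$1"; name="$2"; value="$3"
    escaped=$(printf '%s' "$value" | sed -e 's/[\\&|]/\\&/g')
    sed -i "s|$name|$escaped|g" "$conf"
}

# fill_placeholders FILE INDEXER_PASSWORD WEBHOOK_URL: fill both placeholders,
# then restrict the file to the owner because it now contains credentials.
fill_placeholders() {
    conf="$1"
    replace_placeholder "$conf" "CHANGE_ME_INDEXER_PASSWORD" "$2"
    replace_placeholder "$conf" "YOUR-DISCORD-WEBHOOK-URL" "$3"
    chmod 600 "$conf"
}

# make_sample: writes a constructed ossec.conf fragment (assumed layout, for
# demonstration only) that still carries both placeholders; prints its path.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<ossec_config>
  <!-- constructed fragment: element layout is an assumption -->
  <indexer>
    <password>CHANGE_ME_INDEXER_PASSWORD</password>
  </indexer>
  <integration>
    <name>custom-discord</name>
    <hook_url>YOUR-DISCORD-WEBHOOK-URL</hook_url>
  </integration>
</ossec_config>
EOF
    echo "$f"
}

# Usage: bash preflight.sh ~/path/to/ossec.conf   (check only; exit 1 on leftovers)
if [ $# -gt 0 ]; then check_placeholders "$1"; fi
```

Run the check against your copy of `ossec.conf` before `bash copy-configs.sh`; a non-zero exit means a placeholder is still present. Because the filled-in file contains secrets, keep it out of version control (for example via `.gitignore`) rather than committing the edited copy back to a public repo.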
The suppression rules in local_rules.xml are specific to my desktop setup. Review and adjust them for your system before use.