A Portable, Production-Ready SIEM Stack for SMB Security Operations
"Enterprise-grade security monitoring on recycled hardware — because defense-in-depth shouldn't require a defense budget."
The Watchtower is a containerized Security Operations Center (SOC) designed for resource-constrained environments. Built on Wazuh v4.14.1, this single-node deployment provides:
- Real-time threat detection across your infrastructure
- File integrity monitoring for critical assets
- Compliance reporting (CIS, PCI-DSS, GDPR)
- Centralized log aggregation from distributed agents
Perfect for SMBs, home labs, or MSP service offerings.
- Platform: HP EliteBook 820 G2 (or equivalent)
- CPU: Intel Core i7-5600U (2C/4T @ 2.6GHz)
- RAM: 16GB DDR3
- Storage: 256GB SATA SSD
- Network: Gigabit Ethernet (Static IP: 192.168.0.200)
| Component | Purpose | Version |
|---|---|---|
| Wazuh Manager | SIEM engine, log processing, alerting | 4.14.1 |
| OpenSearch | Event indexing and search backend | 2.13.0 |
| Wazuh Dashboard | Web UI for visualization and management | 4.14.1 |
[Internet] → [Firewall] → [Switch]
├─ [Watchtower: 192.168.0.200] (SIEM Node)
├─ [Z220 Workstation] (Wazuh Agent)
└─ [Ryzen Dev Rig] (Wazuh Agent)
# Install Docker and Docker Compose
sudo apt update
sudo apt install -y docker.io docker-compose-plugin git
# Add your user to docker group (logout/login required)
sudo usermod -aG docker $USER
# Set system tuning for OpenSearch
sudo sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.d/99-wazuh.conf# Clone official Wazuh Docker repository
# Check here for latest https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html
git clone https://github.com/wazuh/wazuh-docker.git -b v4.14.1
cd wazuh-docker/single-node
# Generate SSL certificates
docker compose -f generate-indexer-certs.yml run --rm generator
# Deploy the stack
docker compose up -d
# Verify all services are running
docker compose ps- URL:
https://192.168.0.200(or your server IP) - Username:
admin - Password:
SecretPassword(⚠️ Change this immediately)
Monitor your home lab infrastructure with professional-grade tools. Track:
- SSH brute force attempts
- Unauthorized file modifications
- Container security events
- System configuration drift
Offer Watchtower as a managed service:
- Monthly Retainer: $500-800/mo for 24/7 monitoring
- Compliance Reports: Automated CIS benchmark reporting for cyber insurance
- Incident Response: Alert escalation when anomalies detected
Use Wazuh's detection capabilities to:
- Test evasion techniques against modern SIEM
- Understand how blue teams detect lateral movement
- Practice operational security (OPSEC) tradecraft
Deploy Wazuh agents to monitored endpoints:
# On Ubuntu/Debian agent
curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.14.1-1_amd64.deb
sudo WAZUH_MANAGER='192.168.0.200' dpkg -i wazuh-agent.deb
sudo systemctl enable wazuh-agent && sudo systemctl start wazuh-agentFile integrity monitoring for game assets:
<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="allogaia_fim,">
<rule id="100001" level="12">
<if_sid>550</if_sid>
<field name="file">^/Allogaia/Content/</field>
<description>Critical game asset modified: $(file)</description>
</rule>
</group>CRITICAL: Use v4.14.1 or later. Earlier versions (v4.9.0) have broken certificate generation that causes 5+ hour debugging sessions. See LESSONS_LEARNED.md for the full story.
- Minimum 8GB RAM required (16GB recommended)
- Elasticsearch requires
vm.max_map_count=262144 - SSD strongly recommended for log ingestion performance
This is a portfolio/reference implementation. For production deployments:
- Change default passwords
- Enable TLS/SSL with proper certificates
- Configure firewall rules (only allow agent connections on port 1514)
- Set up log retention policies based on compliance requirements
MIT License - See LICENSE for details.
Built with: Docker, Wazuh, OpenSearch, Late nights, ADHD hyperfocus
Maintained by: Aaron Clifft | Cybersecurity GRC Professional transitioning from 10+ years electrical/PM background