Installing Wazuh in a SOC Lab: server, agents and dashboard step by step
After building the virtual infrastructure of the lab, the next logical step was to introduce a real monitoring and detection engine. In a SOC context, this means having a system capable of collecting events from multiple endpoints, normalizing them, correlating them and making them immediately usable from an operational perspective.
For this lab I chose Wazuh, an open-source platform that today can be considered a full-fledged XDR, suitable both for learning and for real enterprise scenarios.
In this article I describe in detail how I installed the Wazuh server, how I connected two endpoints using agents, and how I configured and accessed the web dashboard to visualize and analyze events. The goal is not just to copy commands, but to understand what actually happens at each stage.
What Wazuh is and why it fits a SOC Lab
Wazuh started as an evolution of OSSEC, but over time it has grown into a much broader security platform. Today it integrates log management, file integrity monitoring, vulnerability detection, endpoint monitoring and rule-based threat detection with correlation capabilities.
From an architectural point of view, Wazuh is composed of three main elements:
-the Wazuh Manager, which receives and analyzes events and applies the detection rules,
-the Indexer, based on OpenSearch, which stores and indexes alerts and inventory data,
-the Dashboard, a web interface through which analysts query and visualize everything.
The agents, installed on endpoints, collect local telemetry and send it to the manager (by default over TCP 1514, with enrollment handled on TCP 1515). This model closely mirrors how modern SOC environments operate, making Wazuh an excellent choice for a realistic and educational lab.
Installing the Wazuh server on Ubuntu Server
The Wazuh server was installed on a dedicated Ubuntu Server virtual machine. After completing the operating system installation and updating all packages, I proceeded with the “all-in-one” installation, which includes manager, indexer and dashboard on the same host.
For a lab environment this approach simplifies management without sacrificing architectural understanding.
After accessing the server via SSH, the first step was updating the system:
sudo apt update && sudo apt upgrade -y
Then I downloaded and executed the official Wazuh installation script:
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash wazuh-install.sh -a
The script installs all required components, generates the TLS certificates used between manager, indexer and dashboard, initializes the indexer (OpenSearch) and starts the services. At the end it prints the initial credentials for dashboard access and leaves a wazuh-install-files.tar archive in the working directory that contains the certificates and every generated password.
Once the process is complete, the services are up and the manager is ready to receive events. The service status can be verified with:
sudo systemctl status wazuh-manager
At this stage the server already generates local events (the manager monitors itself through a built-in agent with ID 000), which is useful to confirm that the entire pipeline is functioning correctly before any endpoint is connected.
Accessing the Wazuh dashboard via web
Once installation is complete, the dashboard can be accessed through a web browser. In this lab, all virtual machines are configured using NAT networking. This allows internal communication between machines and outbound connectivity for updates, while still enabling the host system to access the dashboard.
The dashboard is available at (443 is the default HTTPS port, so it can be omitted):
https://ip.server.wazuh:443
The connection is secured with HTTPS using the certificate generated by the install script. On first access, the browser warns about a self-signed certificate, which is expected in a lab environment.
The credentials generated during installation are:
Username: admin
Password: (printed to the terminal at the end of the installation)
The same password is also saved in wazuh-passwords.txt inside the wazuh-install-files.tar archive left by the installer. Since that archive holds every generated credential, keep it out of reach of other users (or delete it) once the lab is up.
After logging in, the dashboard displays the system overview. At this point no agents are connected yet, but the platform is fully operational.
Installing the Wazuh agent on Ubuntu Desktop
The first endpoint connected to the server was an Ubuntu Desktop system. The Wazuh agent is installed using the official repository.
After adding the repository and its GPG key (apt-key is deprecated on current Ubuntu releases, so the key is stored in a dedicated keyring and referenced with signed-by), the agent was installed with:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update
sudo apt install wazuh-agent -y
Note that the 4.x repository tracks the newest 4.x agent. Wazuh does not support agents newer than their manager, so with a manager installed from the 4.7 script the agent package should be pinned to a 4.7 release.
Once installed, the agent must be configured to point to the Wazuh manager. This is done by editing the configuration file:
sudo nano /var/ossec/etc/ossec.conf
Inside the file, I configured the server address in the <client><server> block:
<client>
  <server>
    <address>ip.server.wazuh</address>
  </server>
</client>
After saving the file, the agent was enabled and started:
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Within seconds, the Ubuntu Desktop endpoint appears in the Wazuh dashboard, along with its first system events and host metadata. With the default configuration this works because an agent that has no key yet enrolls itself against the manager's authd service on TCP 1515; the next section describes the manual key method I actually used in this lab, which makes that trust step explicit.
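The configuration step above, done as a small script rather than an editor session. This is an added example, not code from the article or from the Wazuh project: it renders the <client><server> block the agent reads, replaces the manager address in place in an existing ossec.conf, and reads it back so the change can be verified. It assumes the 4.x agent layout (the MANAGER_IP placeholder the package ships with, 1514/tcp as the default port); the file it edits is a constructed copy of a fresh agent config, so it runs anywhere without a Wazuh install. The package also honours WAZUH_MANAGER="..." in the environment at apt install time, which sets the address without editing the file at all.

```shell
#!/usr/bin/env bash
# Added example: point a freshly installed wazuh-agent at the manager without
# opening an editor. The MANAGER_IP placeholder and 1514/tcp follow the 4.x
# agent package; the ossec.conf edited below is a constructed sample.
set -eu

# Render the <client><server> block that the agent reads from ossec.conf.
render_client_block() {
    addr="$1"
    printf '  <client>\n    <server>\n      <address>%s</address>\n      <port>1514</port>\n      <protocol>tcp</protocol>\n    </server>\n  </client>\n' "$addr"
}

# Replace the manager address inside the <server> block of an ossec.conf.
# Only the <address> line between <server> and </server> is touched, so other
# <address> elements elsewhere in the file are left alone.
set_manager_address() {
    conf="$1"; addr="$2"
    # Refuse anything that is not an IPv4 address or hostname-like token:
    # the agent would otherwise start and silently fail to connect.
    case "$addr" in
        ""|*[!A-Za-z0-9.-]*) echo "invalid manager address: '$addr'" >&2; return 1 ;;
    esac
    sed -i "/<server>/,/<\/server>/ s|<address>[^<]*</address>|<address>${addr}</address>|" "$conf"
}

# Read back the address the agent will actually use.
get_manager_address() {
    sed -n '/<server>/,/<\/server>/ s|.*<address>\([^<]*\)</address>.*|\1|p' "$1" | head -n 1
}

# --- demo on a constructed copy of a fresh agent config (not a real host) ---
demo() {
    tmp="$(mktemp)"
    {
        printf '<ossec_config>\n'
        render_client_block "MANAGER_IP"   # placeholder shipped by the package
        printf '  <localfile>\n    <log_format>syslog</log_format>\n    <location>/var/log/auth.log</location>\n  </localfile>\n'
        printf '</ossec_config>\n'
    } > "$tmp"
    set_manager_address "$tmp" "ip.server.wazuh"
    get_manager_address "$tmp"    # prints: ip.server.wazuh
    rm -f "$tmp"
}
demo
```

On a real endpoint the call is set_manager_address /var/ossec/etc/ossec.conf ip.server.wazuh followed by a restart of wazuh-agent; the sed range keeps the edit scoped to the server block, which matters because the same file also carries <address> elements in other sections on some configurations.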
Agent registration and key-based enrollment (manual method)
Installing a Wazuh agent on an endpoint is only part of the process. For the agent to actually send data, it must be registered with the Wazuh manager and hold a unique authentication key. This key is a shared secret: the manager uses it to identify the endpoint, and both sides use it to encrypt the traffic on port 1514, so an endpoint without a valid key cannot inject events.
In this lab I deliberately used the manual key-based enrollment method. It is simple, transparent, and very educational, because it makes clear how trust between the manager and the agent is established.
1) On the Wazuh server: create the agent and extract the key
On the Wazuh manager, I use the built-in manage_agents utility:
sudo /var/ossec/bin/manage_agents
A text-based menu appears. The steps are:
Press A to Add agent
-Enter an agent name (for example ubuntu-endpoint or windows10-endpoint)
-Enter the agent IP address. You can use the endpoint's real address (written in this article as ip.ubuntu.endpoint or ip.windows.endpoint) or the literal value any. With a fixed address the manager accepts that agent's traffic only from that source; any disables the check, which is convenient with DHCP in a lab but weaker.
-Confirm the information
Once the agent has been created, still in the same menu:
Press E to Extract key
-Select the agent you just created
-Copy the key that is displayed. It is a single long base64 string that encodes the agent's line from /var/ossec/etc/client.keys on the manager (ID, name, IP and secret).
-This string is the authentication key that will be imported on the endpoint.
Practical tip: the key must be copied exactly as shown, without line breaks or extra spaces.
2) On the Ubuntu endpoint: import the key and start the agent
On the Ubuntu desktop endpoint, after installing the wazuh-agent package, I import the key using the same utility:
sudo /var/ossec/bin/manage_agents
From the menu:
Press I to Import key
-Paste the key copied from the manager
-Confirm
Next, I make sure the agent knows where the manager is by editing the configuration file:
sudo nano /var/ossec/etc/ossec.conf
Inside the <client><server> block I set:
<client>
  <server>
    <address>ip.server.wazuh</address>
  </server>
</client>
Then I enable and restart the agent:
sudo systemctl enable wazuh-agent
sudo systemctl restart wazuh-agent
To verify that the agent is running correctly:
sudo systemctl status wazuh-agent --no-pager
3) On the Windows endpoint: registering the agent
The concept on Windows is exactly the same: the agent must hold a key that the manager knows about before its events are accepted.
Depending on how the agent is set up, there are two common approaches:
A) Pasting the key in the agent configuration window
The Windows agent ships with a small configuration window (Wazuh Agent Manager), which the installer offers to open at the end of the wizard and which can be launched later from the Start menu. It has a Manager IP field and an Authentication key field: paste the key extracted on the manager there, save, and restart the agent from the same window.
B) Enrollment after installation
Alternatively the agent can enroll itself with agent-auth.exe, found in the agent installation directory: it contacts the manager's authd service on TCP 1515, which creates the agent entry and hands back the key, so nothing has to be copied by hand. This is the convenient path for many endpoints, but it also means any host that can reach port 1515 can register unless authd is configured to require a password.
If you want to stay fully consistent with the manual approach used in this lab, the recommended workflow is:
-Generate the key on the manager using manage_agents
-Import the key on the Windows agent using the tools provided by the agent installation (CLI or GUI, depending on version)
-Restart the Wazuh agent service on Windows
Important note: on Windows, the exact command depends on the agent version and installation package. The underlying logic remains the same: the agent imports a key generated by the manager and then establishes a trusted connection.
4) Verifying agent connectivity on the manager
Once enrollment is complete, I verify the agent status directly on the manager:
sudo /var/ossec/bin/agent_control -l
If everything is configured correctly, the agent appears as Active (a key that was imported but never used shows as Never connected, and an agent that stopped reporting shows as Disconnected). At this point it also becomes visible in the Wazuh web dashboard under the Agents section, and events begin to arrive almost immediately.
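To make steps 1 and 4 concrete: the following added example (not code from the article or from Wazuh) decodes an extracted key into the fields the manager and agent actually agree on, and filters agent_control -l output by state so the final check can be scripted. Both the key and the listing are constructed samples in the documented formats; the four-field client.keys layout and the 64-character hex secret are what manage_agents produces, and the listing follows the ID/Name/IP/state line format of agent_control -l.

```shell
#!/usr/bin/env bash
# Added example: inspect a manage_agents key and check enrollment results
# without the interactive menu. Key and listing below are constructed samples.
set -eu

# The string printed by "Extract key" is the base64 encoding of the agent's
# line in /var/ossec/etc/client.keys: "<id> <name> <ip> <secret>". Decoding it
# shows what the endpoint will trust and what the manager will match on.
decode_agent_key() {
    key="$1"
    # Strip the whitespace a paste often adds; the secret itself has none.
    line="$(printf '%s' "$key" | tr -d ' \t\r\n' | base64 -d 2>/dev/null)" || {
        echo "key is not valid base64 (truncated or pasted with stray characters?)" >&2; return 1; }
    set -- $line
    [ "$#" -eq 4 ] || { echo "decoded key has $# fields, expected 4: '$line'" >&2; return 1; }
    id="$1"; name="$2"; ip="$3"; secret="$4"
    # The shared secret is 64 lowercase hex characters; anything else means the
    # key was truncated or altered in transit.
    case "$secret" in
        *[!0-9a-f]*) echo "secret is not lowercase hex" >&2; return 1 ;;
    esac
    [ "${#secret}" -eq 64 ] || { echo "secret is ${#secret} chars, expected 64" >&2; return 1; }
    printf 'id=%s name=%s ip=%s\n' "$id" "$name" "$ip"
}

# Filter "agent_control -l" output (read from stdin) to the agents in one
# state, printing "<id> <name>" per line. Lines look like:
#   ID: 001, Name: ubuntu-endpoint, IP: any, Active
agents_in_state() {
    awk -v want="$1" -F', ' '
        /^ *ID: [0-9]+,/ {
            id = $1;   sub(/^ *ID: /, "", id)
            name = $2; sub(/^Name: /, "", name)
            if ($NF == want) print id, name
        }'
}

# --- constructed samples (not taken from a real manager) --------------------
sample_key() {
    printf '%s' '001 ubuntu-endpoint any 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' | base64 | tr -d '\n'
}
sample_agent_list() {
    cat <<'EOF'
Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: ubuntu-endpoint, IP: any, Active
   ID: 002, Name: windows10-endpoint, IP: any, Disconnected
EOF
}

decode_agent_key "$(sample_key)"            # prints: id=001 name=ubuntu-endpoint ip=any
sample_agent_list | agents_in_state Active  # prints: 001 ubuntu-endpoint
```

On the manager the real calls are sudo /var/ossec/bin/agent_control -l | agents_in_state Disconnected to find agents that stopped reporting, and decode_agent_key "$KEY" on the endpoint before importing, to catch a key that was mangled during copy. Note the ip field: when it is a concrete address the manager only accepts this key from that source, and any is what removes that binding. manage_agents also takes these operations as flags (-e <id> extracts, -i <key> imports), which makes steps 1 and 2 scriptable.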
Installing the Wazuh agent on Windows 10
The second endpoint in the lab is a Windows 10 virtual machine, which is essential for observing logs and behaviors typical of enterprise environments.
The Wazuh agent for Windows is installed via an MSI package. After downloading the installer from the official website, the manager address can be entered in the Wazuh Agent Manager window at the end of the wizard, or passed to msiexec as properties for an unattended install (WAZUH_MANAGER, WAZUH_REGISTRATION_SERVER and WAZUH_AGENT_NAME), which is how the agent is rolled out at scale:
Manager address: ip.server.wazuh
Once the installation completes, the Wazuh service is registered and, after the wizard, running; an unattended install has to start it explicitly (NET START WazuhSvc). Its status can be verified from the Windows Services console.
On Windows, Wazuh immediately begins collecting security events, system logs, network activity and process information. This makes the Windows endpoint particularly valuable for realistic SOC simulations.
Viewing agents and using the dashboard
With both agents active, the Wazuh dashboard clearly displays the connected endpoints. Each host is visible with detailed information such as operating system, IP address, agent status and event flow.
Through the alert panels, it is possible to analyze events by filtering them by severity (rule.level), category (rule.groups) or originating host (agent.name). This allows analysts to quickly distinguish background noise from relevant security signals.
The dashboard also enables direct querying of indexed logs, supporting manual threat hunting activities. Patterns can be searched, events correlated across multiple endpoints and timelines reconstructed for deeper analysis.
Wazuh as an XDR inside the lab
In this SOC Lab, Wazuh acts as an XDR platform, correlating events from different operating systems and providing a unified security view of the environment. Agents supply detailed telemetry, while the manager applies centralized detection rules, closely replicating the behavior of a real SOC.
This setup makes it possible to observe how seemingly benign events can gain security relevance when analyzed in context. It is precisely this correlation capability that makes Wazuh such a powerful tool, both for learning and for operational use.
[Screenshot: Wazuh dashboard overview with general information, agent summary and security alerts]