Project 01 — SIEM Deployment

Enterprise-Grade SIEM in a Home Lab

Deployed a production-configured Wazuh SIEM stack on a self-hosted VirtualBox environment, secured behind Cloudflare Zero Trust and publicly accessible at a custom domain. Three active agents reporting real-time security events across Windows and Linux endpoints.

Tags: Wazuh 4.14.4, Cloudflare Zero Trust, VirtualBox, Amazon Linux, Windows 11, Kali Linux, SOC Analyst
Stats: 3 active agents, 532+ daily alerts, 100% Zero Trust gated

Architecture

[Figure] Wazuh Endpoints dashboard — Evans-PC (Windows 11) and kali (Kali GNU/Linux 2026.1) both active on v4.14.4

[Diagram] Evans-PC (Windows 11, 192.168.56.1) -> Wazuh Server (Amazon Linux, 192.168.56.101) -> Cloudflare Zero Trust tunnel -> Public access at lab.evanakerly.com

The Wazuh manager runs on a VirtualBox VM using the official OVA image. All three agents — the Wazuh server itself, a Windows 11 workstation, and a Kali Linux attack machine — communicate over a VirtualBox host-only network on the 192.168.56.0/24 subnet. The dashboard is exposed publicly via a Cloudflare Zero Trust tunnel, requiring authentication before any access is granted.

Stack Components

Wazuh Manager + Dashboard
Central SIEM engine running on Amazon Linux via OVA. Handles log aggregation, rule processing, alert correlation, and the OpenSearch-based web dashboard.
Wazuh Agents
Lightweight agents deployed on Windows 11 (Evans-PC) and Kali Linux, reporting file integrity events, security logs, SCA results, and system inventory in real time.
Cloudflare Zero Trust
Tunnel-based remote access with identity verification. No ports exposed directly to the internet. Dashboard only reachable via authenticated Cloudflare Access policy.
Security Configuration Assessment
Automated CIS benchmark scanning across all agents. Windows 11 scored against CIS Microsoft Windows 11 Enterprise v3.0.0. Kali and the server scored against Linux distribution benchmarks.

Deployment Process

Step 01
Wazuh Server Deployment
Deployed the Wazuh 4.14.4 OVA on VirtualBox. Configured host-only networking on the 192.168.56.0/24 subnet. Verified manager, indexer, and dashboard services were running.
Step 02
Cloudflare Zero Trust Tunnel
Installed cloudflared on the Wazuh server. Created a tunnel routing lab.evanakerly.com to the local dashboard port. Configured Zero Trust Access policy requiring authentication.
Step 03
Windows Agent (Evans-PC)
Installed Wazuh agent on Windows 11 pointing to 192.168.56.101. Configured ossec.conf to monitor Application, Security, and System event channels. Agent enrolled and reporting within minutes.
Step 04
Kali Linux Agent
Added Wazuh APT repository, imported GPG key, installed wazuh-agent package. Configured /var/ossec/etc/ossec.conf with correct manager IP. Enabled and started the systemd service.
Step 05
Validation & Monitoring
All three agents confirmed active in dashboard. SCA benchmarks running automatically. Real-time alerts flowing into Threat Hunting. MITRE ATT&CK framework mapping enabled.
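Steps 02 and 04 above expressed as shell functions. This is an added example, not the project's own scripts: it writes the cloudflared ingress config that routes the public hostname to the local dashboard, adds the Wazuh APT repository and signing key on a Debian-based agent such as Kali, and points ossec.conf at the manager. Assumed values: the repository and key URLs are the ones Wazuh documents for its 4.x APT repository, the dashboard listens on https://localhost:443 (the OVA default), and TUNNEL_ID is a placeholder for the real tunnel UUID. The functions that need root or network access are defined but not invoked; the config-writing ones run anywhere.

```shell
# Added example, not the lab's own scripts. Values marked "from the page" are
# taken from the deployment write-up; the rest are assumptions to verify.
set -eu

MANAGER_IP="${MANAGER_IP:-192.168.56.101}"               # from the page
PUBLIC_HOST="${PUBLIC_HOST:-lab.evanakerly.com}"          # from the page
DASHBOARD_URL="${DASHBOARD_URL:-https://localhost:443}"   # assumption: OVA default
TUNNEL_ID="${TUNNEL_ID:-<TUNNEL-ID-PLACEHOLDER>}"         # placeholder, not a real tunnel

# Step 02: cloudflared ingress config. Only the public hostname reaches the
# dashboard; every other request to the tunnel gets a 404. Cloudflare Access
# policy (identity check) is configured in the Zero Trust console, not here.
write_cloudflared_config() {
  out="$1"
  cat > "$out" <<EOF
tunnel: ${TUNNEL_ID}
credentials-file: /root/.cloudflared/${TUNNEL_ID}.json
ingress:
  - hostname: ${PUBLIC_HOST}
    service: ${DASHBOARD_URL}
    originRequest:
      noTLSVerify: true   # the dashboard presents a self-signed certificate
  - service: http_status:404
EOF
}

# Step 04, repository part: key and repo as documented by Wazuh for 4.x.
# Requires root and network access; never called by the tests.
add_wazuh_repo() {
  curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH \
    | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
  chmod 644 /usr/share/keyrings/wazuh.gpg
  echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \
    > /etc/apt/sources.list.d/wazuh.list
  apt-get update && apt-get install -y wazuh-agent
}

# Step 04, config part: the packaged ossec.conf ships with the placeholder
# MANAGER_IP inside <client><server>; rewrite the single <address> element.
set_manager_address() {
  conf="$1"; ip="$2"
  sed -i "s#<address>[^<]*</address>#<address>${ip}</address>#" "$conf"
}

# Print the manager address the config currently points at (for validation).
get_manager_address() {
  sed -n 's#.*<address>\([^<]*\)</address>.*#\1#p' "$1" | head -n1
}

# Step 04, service part: enable on boot, start now, report state.
enable_agent() {
  systemctl daemon-reload
  systemctl enable --now wazuh-agent
  systemctl is-active wazuh-agent
}
```

Run order on the agent, as root: `add_wazuh_repo`, then `set_manager_address /var/ossec/etc/ossec.conf "$MANAGER_IP"`, then `enable_agent`. For the validation step on the manager, `/var/ossec/bin/agent_control -l` lists enrolled agents with their connection status, which is the same information the Endpoints dashboard shows.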

Active Alert Categories

Category | Rule IDs | Level | Description
--- | --- | --- | ---
Authentication Events | 5501, 5502, 5715 | 3 | PAM login sessions, SSH authentication success
Privilege Escalation | 5402, 5403 | 3–4 | Sudo execution, first-time sudo usage
Windows Account Events | 60110, 67022, 67028 | 3–8 | Account changes, local logons, special privilege assignments
File Integrity | 550, 533 | 7 | Checksum changes, port status changes
SCA Benchmarks | 19004, 19007, 19008 | 7–9 | CIS compliance failures across all agents
Brute Force | 5763, 40111, 5551 | 10 | SSH brute force detection, multiple authentication failures
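A small triage pass over alerts.json, added here as an example and not a script from the lab: it maps each alert's rule ID back to the categories in the table above, prints one row per alert, and counts how many sit at level 10 or higher, the level at which the Brute Force rules land. The four alert lines are constructed for this example in the shape of Wazuh's alerts.json (rule.level, rule.description, rule.id, agent.name), not captured from the lab; on a real manager the same functions read /var/ossec/logs/alerts/alerts.json.

```shell
# Added example, not the project's own tooling. SAMPLE_ALERTS is constructed
# for this example in the alerts.json shape; it is not captured lab output.
set -eu

SAMPLE_ALERTS='{"timestamp":"2026-01-01T10:00:01.000+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501"},"agent":{"id":"002","name":"kali"}}
{"timestamp":"2026-01-01T10:00:05.000+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402"},"agent":{"id":"002","name":"kali"}}
{"timestamp":"2026-01-01T10:01:00.000+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550"},"agent":{"id":"001","name":"Evans-PC"}}
{"timestamp":"2026-01-01T10:02:00.000+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system.","id":"5763"},"agent":{"id":"002","name":"kali"}}'

# Pull a string field ("key":"value") or a numeric field ("key":123) out of one
# JSON line with grep/sed, so this runs on a stock agent without jq. The first
# occurrence wins: "id" therefore returns rule.id, because the rule object
# precedes the agent object in the line.
json_str() { printf '%s\n' "$1" | grep -o "\"$2\":\"[^\"]*\"" | head -n1 | sed 's/^[^:]*:"//; s/"$//'; }
json_num() { printf '%s\n' "$1" | grep -o "\"$2\":[0-9]*" | head -n1 | sed 's/^[^:]*://'; }

# Rule ID -> category, exactly as the table above groups them.
category_for_rule() {
  case "$1" in
    5501|5502|5715)    echo "Authentication Events" ;;
    5402|5403)         echo "Privilege Escalation" ;;
    60110|67022|67028) echo "Windows Account Events" ;;
    550|533)           echo "File Integrity" ;;
    19004|19007|19008) echo "SCA Benchmarks" ;;
    5763|40111|5551)   echo "Brute Force" ;;
    *)                 echo "Uncategorized" ;;
  esac
}

# One row per alert read from stdin; rows at or above the threshold are marked.
triage_report() {
  threshold="${1:-10}"
  printf '%-5s %-22s %-9s %-6s %s\n' LEVEL CATEGORY AGENT RULE DESCRIPTION
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    id=$(json_str "$line" id); level=$(json_num "$line" level)
    agent=$(json_str "$line" name); desc=$(json_str "$line" description)
    flag=""
    if [ "${level:-0}" -ge "$threshold" ]; then flag="  <-- escalate"; fi
    printf '%-5s %-22s %-9s %-6s %s%s\n' "$level" "$(category_for_rule "$id")" "$agent" "$id" "$desc" "$flag"
  done
}

# Number of alerts on stdin at or above the threshold (printed, not returned).
count_escalations() {
  threshold="${1:-10}"; n=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    level=$(json_num "$line" level)
    if [ "${level:-0}" -ge "$threshold" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

printf '%s\n' "$SAMPLE_ALERTS" | triage_report 10
printf 'Alerts needing escalation: %s\n' "$(printf '%s\n' "$SAMPLE_ALERTS" | count_escalations 10)"
```

The field extraction assumes one JSON object per line and that the rule object comes before the agent object, which holds for the constructed lines and for Wazuh's alerts.json field order; check a line from your own manager before relying on it, or swap the two helpers for `jq -r '.rule.id'` and `jq -r '.rule.level'` where jq is installed.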

Key Configuration

The Windows agent ossec.conf was customized to monitor critical event channels and exclude high-volume low-signal event IDs to reduce noise:

<!-- Security event channel with noise filtering.
     Excluded IDs: 5145 (network share object access check), 5156 (Windows
     Filtering Platform permitted a connection), 5447 (WFP filter changed),
     4656 (handle to an object requested). All four are high-volume and
     low-signal on a single workstation, so they are dropped at the agent. -->
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656]</query>
</localfile>

<!-- File integrity monitoring on critical Windows paths. The Startup folder
     is watched in real time so a new persistence entry is reported as it is
     written rather than on the next scheduled scan. The path sits on one line;
     surrounding whitespace would become part of the directory value. -->
<syscheck>
  <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
</syscheck>

Skills Demonstrated

SIEM Administration
Agent enrollment, log source configuration, rule tuning, and dashboard navigation in a production-equivalent Wazuh environment.
Network Architecture
Designed isolated lab network topology with proper segmentation, routing between VMs, and secure external access via Zero Trust.
Linux Administration
Service management with systemctl, package installation from custom repositories, GPG key management, and config file editing.
Security Hardening
CIS benchmark awareness, Zero Trust access model, log noise reduction, and understanding of Windows event IDs relevant to SOC work.