Wazuh: A Self-Hosted SIEM for the Home Lab (Is It Worth the RAM?)
A free, open-source SIEM that wants four gigabytes and your attention

A SIEM — Security Information and Event Management — is the thing big companies pay six figures a year for so that a roomful of analysts can stare at dashboards and catch the moment something goes wrong. The pitch is simple: pull logs from everything you own into one place, correlate them, and raise an alert when the pattern smells like an attack. The reality, for most of those companies, is a very expensive log bucket nobody reads.
So why would a homelab want one? Because the same machinery that overwhelms an enterprise can, at small scale, actually give a single tinkerer something genuinely useful: a single pane that tells you when one of your boxes has been poked at, modified, or logged into by someone who shouldn’t be there. Wazuh is the open-source SIEM I keep coming back to, and the question that matters isn’t “is it good” — it is — but “is it worth the resources it demands?”
1 What Wazuh actually gives you
Wazuh started life as a fork of OSSEC and grew into a full platform. You run a manager (the brain), it ships with an indexer and a dashboard (a fork of OpenSearch and its dashboards), and you install lightweight agents on the machines you want to watch. The agents send events up; the manager runs them through rules and decoders; the dashboard shows you what came out.
Out of the box, without you writing a single rule, it does a surprising amount:
- File Integrity Monitoring (FIM) — it watches sensitive paths and tells you the instant /etc/passwd or an SSH config changes.
- Log analysis — it parses auth logs and flags brute-force attempts, sudo abuse, and suspicious logins.
- Vulnerability detection — it cross-references installed packages against CVE feeds.
- Security Configuration Assessment — it runs CIS-benchmark-style checks and scores how hardened each box is.
The FIM piece alone justified the install for me. Knowing within seconds that a config file changed on a server I wasn’t touching is the kind of signal you don’t appreciate until the one time it isn’t a false alarm.
2 The RAM question, answered honestly
Here’s the part the glossy docs are coy about. Wazuh is not light. The indexer is a JVM-based search engine, and JVM-based search engines are hungry. The official guidance for an all-in-one deployment starts around 4GB of RAM, and that’s a floor, not a comfortable cruising altitude. Give it 8GB and you’ll have a better time. Try to run it in 2GB and you’ll spend your evenings watching the indexer get OOM-killed.
That’s a real cost in a homelab where RAM is the scarce resource and every other container is also “just a couple of gigs.” A docker-compose stack for the single-node setup looks innocent enough:
```yaml
services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.x
    ports: ["1514:1514", "1515:1515", "55000:55000"]
  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.x
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g" # this line is the RAM tax
  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.x
    ports: ["443:5601"]
```

That -Xmx2g is doing exactly what it says: handing two whole gigabytes to the search engine’s heap, before you’ve indexed a single log line. Budget accordingly. On a Raspberry Pi, forget it. On a NUC or a repurposed mini-PC with 16GB, it’s a reasonable lodger.
3 Living with it day to day
Once it’s up, the agent install is pleasantly boring — a package, a config pointing at the manager, and an enrollment key:
```bash
# The package reads WAZUH_MANAGER at install time and writes it into the agent config
WAZUH_MANAGER="10.0.0.10" apt install wazuh-agent
systemctl enable --now wazuh-agent
```

The dashboard is dense. There’s a lot of it, and the default alert noise is real — you’ll spend the first week tuning rules, suppressing the chatter from your own legitimate behaviour, and deciding which alert levels actually mean “wake me up.” This is the universal SIEM tax: the value is entirely in the tuning, and a SIEM you don’t tune is just a very heavy log viewer. The decoders and rules are XML, which is exactly as much fun as it sounds, but they’re well documented and you rarely need to touch the internals for a homelab.
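An added example for that first week of tuning (my own script, not from this post or the Wazuh project): it ranks the manager's alerts.json by rule ID so the noisiest rules get tuned first, and a level filter shows what survives a given "wake me up" threshold. The alert lines are constructed, and the field layout (rule.id, rule.level, rule.description, agent.name) is assumed to match what your manager writes.

```python
# Added example, not Wazuh project code: rank alerts.json by rule so the
# noisiest rules can be tuned first. One JSON object per line, as the manager writes it.
import json
from collections import Counter, defaultdict

# Constructed sample of alerts.json lines, not real manager output.
SAMPLE_ALERTS = "\n".join([
    '{"rule":{"id":"5716","level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"nuc01"}}',
    '{"rule":{"id":"5716","level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"nuc01"}}',
    '{"rule":{"id":"550","level":7,"description":"Integrity checksum changed.","groups":["ossec","syscheck"]},"agent":{"name":"nuc01"},"syscheck":{"path":"/etc/ssh/sshd_config"}}',
    '{"rule":{"id":"5716","level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"pi02"}}',
    'this line is not JSON and must be skipped',
    '{"rule":{"id":"5763","level":10,"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"]},"agent":{"name":"nuc01"}}',
    '',
    '{"rule":{"id":"5402","level":3,"description":"Successful sudo to ROOT executed.","groups":["syslog","sudo"]},"agent":{"name":"nuc01"}}',
])

def parse_alerts(text):
    """Yield one alert dict per line; skip blank and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def rank_rules(text, min_level=0):
    """Return [(rule_id, count, level, description, agents)], most frequent first."""
    counts, meta, agents = Counter(), {}, defaultdict(set)
    for alert in parse_alerts(text):
        rule = alert.get("rule", {})
        level = int(rule.get("level", 0))
        if level < min_level:          # drop anything below the threshold under test
            continue
        rid = str(rule.get("id", "?"))
        counts[rid] += 1
        meta[rid] = (level, rule.get("description", ""))
        agents[rid].add(alert.get("agent", {}).get("name", "?"))
    return [(rid, n, meta[rid][0], meta[rid][1], sorted(agents[rid]))
            for rid, n in counts.most_common()]

if __name__ == "__main__":
    for rid, n, level, desc, who in rank_rules(SAMPLE_ALERTS):
        print(f"{n:4d}  rule {rid:>6} (level {level:2d})  {desc}  <- {', '.join(who)}")
```

Run it against /var/ossec/logs/alerts/alerts.json on the manager and the top of the list is your tuning queue.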
4 The verdict
Is it worth the RAM? It depends brutally on what you’re protecting. If your “homelab” is a single Pi running Pi-hole, no — Wazuh will eat the machine and tell you things you could have learned from journalctl. If you run several boxes, expose anything to the internet, or simply want to learn how real detection engineering works on hardware you control, then yes, comfortably. The FIM and the SSH brute-force alerting earned their keep for me within a fortnight.
Who is this for? The homelabber who’s outgrown “I’ll check the logs if something feels off” and wants to be told before it feels off — and who has 8GB of RAM to spare and an evening to tune the noise down. It’s a real SIEM, given away for free. The price isn’t money. It’s memory, and your patience.