Setting Up Wazuh SIEM on Debian 12 in Proxmox: A Complete Guide
Wazuh-SIEM-Setup-Debian12-Proxmox
Setting up the virtual machine on Proxmox
Give the VM a name and choose “Next”. In the next pane, pick the OS that will run on the Wazuh machine; we use Debian 11/12.
In the System pane, just tick the box for QEMU Agent; everything else can be left alone.
The next step is deciding how much hardware our SIEM server needs. The figures below follow the Wazuh documentation, with one small adjustment.
In the disk configuration, give the VM enough disk space. Wazuh suggests around 50GB for every 90 days of retained data; since my SIEM does not run continuously, I selected a total disk size of 50GB.
The number of CPU cores (4) follows the guidelines in the Wazuh datasheet. This is sufficient, and you could also manage with three.
I have been using 4GB (4096 MB) of RAM, which works well with 4-8 agents reporting to the SIEM. If you have more memory available, you can raise this to 8GB (8192 MB).
For the network device, use the standard VirtIO (paravirtualized) model. The bridge stays at vmbr0 unless you have deployed an additional network bridge that the SIEM should sit on.
Next, we confirm all the settings and press the Finish button.
Installing Debian on the virtual machine
When you start the virtual machine, the operating system installer boots automatically.
I recommend the graphical installation option, if only for aesthetic appeal.
The first step is picking a language; choose your preferred one. We proceed with standard English.
Next up is the location selection. This is also used later for the time zone, so make sure to select the correct one for you and press Continue.
Now choose the correct keyboard layout and move on to the next selection screen.
Debian user configuration
It is time to choose a name for your machine; pick something meaningful or follow your existing naming convention.
If your SIEM is going to be joined to an Active Directory domain, you may enter the domain name now; otherwise, or if you are uncertain at this point, you can configure it later.
Debian will set up at least two users for you: one root user (administrator) and one standard user.
First, enter the password for the root (system administrator) user twice; once that is done, provide a name for your standard user.
This is the user you will log in with for daily operations. Make sure you remember this identity, or add a note to the VM.
Once the username is chosen, enter a password for this user twice and continue.
As mentioned earlier, the time zone choices are restricted by the country you selected. Now the time zone selection appears; ideally you chose correctly and can find your time zone here. If not, you can either pick any time zone and change it later, or go back to the country selection.
Debian disk configuration
Next, you can choose between a guided and a manual approach to configuring the disk for your Debian installation. I recommend the first option, Guided - use entire disk.
Three more single-select-and-continue steps follow. The first is choosing a disk; if you have been following along so far, you should only have one disk available. Pick it and go on.
You can now choose between a single partition and several partitions (shown as separate “virtual hard drives”); for simplicity’s sake, I recommend a single one.
At this point, all the details have been worked out and you confirm the partitioning and the erasure of the disk.
Confirm once more and you are done with the disk setup.
Debian software installation
To keep your Debian current, you will need software updates. The first selection screen offers to install packages from an external hard drive or USB disk. Since you are unlikely to have one, select No and proceed.
Debian uses apt (Advanced Package Tool) for most software installation. Apt works with mirrors and archives that hold the actual packages you want to install, and since the world is a big place you can choose the mirror location closest to you for minimum latency.
You can leave this at the default setting; it should not have much impact on your daily work.
The mirror selection comes next; simply leave it at deb.debian.org and proceed.
If your internet access goes through a proxy, enter the proxy details now. If you have not set up a proxy, leaving this field empty is the right choice.
Now you are asked whether to share anonymous usage data about the packages you install and use. I select “No” because I dislike telemetry collection, anonymous or not.
If you are new to this, the next step may look confusing, but it is not hard.
The default selection is the Debian desktop environment, GNOME and the standard system utilities, but you can change it. My choice is the Debian desktop environment, KDE Plasma and the standard system utilities, because I prefer KDE (a bottom-mounted taskbar, comparable to Windows or Mac) to GNOME.
You can also run the virtual machine (VM) without a desktop environment, but then you will likely want the SSH server so you can reach it remotely.
Installing Debian is now complete.
Answering “Yes” to the next question lets you configure the GRUB boot loader, the last stage.
The final step of the Debian installation is installing the boot loader on the one and only disk we have.
Reboot and log in with the account you created earlier.
Wazuh SIEM installation
Visit https://documentation.wazuh.com/current/quickstart.html#installing-wazuh and copy the command displayed there.
Curl is not installed by default on Debian, so we need to install it before the installation can begin.
To begin, just copy and paste the commands below.

```bash
# first we become root so that we can install packages
su
# refresh the package lists, then install curl
apt-get update && apt-get install -y curl
# download and run the Wazuh all-in-one installer; we are already root here,
# so sudo is not needed (and on a Debian install where a root password was set,
# sudo is not even installed)
curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh && bash ./wazuh-install.sh -a
```
Make sure to copy the username/password combination printed at the end into your password manager.
If the installation succeeded, Wazuh is now running on your machine.
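Before moving on to the browser, it is worth confirming that the installer actually left all three components running and listening. The script below is an added example and not part of the guide or of the Wazuh project; it assumes the standard systemd unit names (wazuh-manager, wazuh-indexer, wazuh-dashboard) and the default TCP ports (443 dashboard, 1514/1515 agent traffic and enrollment, 9200 indexer, 55000 manager API), none of which the guide itself lists, and it reads `ss -tln` output to find listeners.

```shell
#!/usr/bin/env bash
# Post-install sanity check for the single-node Wazuh install (added example,
# not from the guide or the Wazuh project). Service names and ports below are
# assumed defaults that the guide does not state.
set -u

WAZUH_SERVICES="wazuh-manager wazuh-indexer wazuh-dashboard"
WAZUH_PORTS="443 1514 1515 9200 55000"

# inactive_services: print each service that systemctl does not report as active.
inactive_services() {
  local svc
  for svc in $WAZUH_SERVICES; do
    systemctl is-active --quiet "$svc" || printf '%s\n' "$svc"
  done
}

# missing_ports: read `ss -tln` output on stdin and print each port from the
# space-separated list in $1 that has no TCP listener. Column 4 of ss output is
# "Local Address:Port", so we match ":PORT" only at the end of that field
# (this covers 0.0.0.0:443, *:443 and [::]:443 alike and ignores e.g. :11514).
missing_ports() {
  local expected="$1" listing port
  listing=$(cat)
  for port in $expected; do
    if ! printf '%s\n' "$listing" | awk -v p=":$port" '$4 ~ p"$" { found = 1 } END { exit !found }'; then
      printf '%s\n' "$port"
    fi
  done
}

# check_install: run both checks on the live system; returns 1 if anything is missing.
check_install() {
  local bad=0 out
  out=$(inactive_services)
  if [ -n "$out" ]; then
    printf 'Services not active:\n%s\n' "$out"
    bad=1
  fi
  out=$(ss -tln | missing_ports "$WAZUH_PORTS")
  if [ -n "$out" ]; then
    printf 'Ports without a listener:\n%s\n' "$out"
    bad=1
  fi
  [ "$bad" -eq 0 ] && echo "All Wazuh services are active and listening."
  return "$bad"
}

# The live check only runs when invoked as: bash wazuh-check.sh --run
if [ "${1:-}" = "--run" ]; then
  check_install
fi
```

Run it as root on the SIEM with `bash wazuh-check.sh --run`; a non-zero exit status plus the printed list tells you which component to look at with `journalctl -u <service>` before you spend time on the browser side.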
Tell me how to get to it!
Thanks for asking! To access the SIEM machine, either open the browser on that device or, if you want to connect remotely, use https://
Expect the browser to warn that the server’s certificate is not trusted: the installer generates a self-signed certificate, so it was not issued by a certificate authority (CA) your browser knows.
You can safely click through this warning and you will be greeted by the Wazuh login page.
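Clicking through a certificate warning is fine on a lab network, but the careful way to do it is to check that the certificate your browser sees is the one the installer generated on the SIEM rather than something in between. The script below is an added example, not part of the guide or of the Wazuh project; it assumes the dashboard certificate lives at /etc/wazuh-dashboard/certs/dashboard.pem on the SIEM (a path the guide does not mention) and that openssl is available on both machines.

```shell
#!/usr/bin/env bash
# Added example: compare the SHA-256 fingerprint of the certificate served on
# https://<SIEM>:443 with the fingerprint of the file the installer wrote on
# the SIEM. The certificate path below is an assumption, not from the guide.
set -u

DASHBOARD_CERT="/etc/wazuh-dashboard/certs/dashboard.pem"

# normalize_fp: reduce any openssl fingerprint line to bare uppercase hex, so
# "sha256 Fingerprint=ab:cd:..." (OpenSSL 3) and "SHA256 Fingerprint=AB:CD:..."
# (older OpenSSL) compare equal.
normalize_fp() {
  printf '%s\n' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# fingerprints_match: succeed only if both fingerprints are non-empty and equal
# after normalization (an empty fingerprint means a failed fetch, never a match).
fingerprints_match() {
  [ -n "$(normalize_fp "$1")" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# local_fingerprint: fingerprint of a PEM certificate file; run this on the SIEM.
local_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# remote_fingerprint: fingerprint of the certificate presented by host:port; run
# this from the machine whose browser shows the warning.
remote_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Usage on the SIEM:      bash verify-dashboard-cert.sh --local
# Usage from the client:  bash verify-dashboard-cert.sh <siem-host> <fingerprint-from-siem>
if [ "${1:-}" = "--local" ]; then
  local_fingerprint "$DASHBOARD_CERT"
elif [ "$#" -eq 2 ]; then
  if fingerprints_match "$(remote_fingerprint "$1" 443)" "$2"; then
    echo "OK: the dashboard certificate matches the one on the SIEM"
  else
    echo "MISMATCH: do not click through the warning until this is explained" >&2
    exit 1
  fi
fi
```

Run the `--local` form on the SIEM console first, then the two-argument form from your workstation with the fingerprint it printed; only a match justifies accepting the browser warning, and a mismatch is worth investigating before you type the admin password into that page.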
Upon logging in, Wazuh will verify that its APIs and services are available. Once that is complete, the dashboard will be shown.
The dashboard looks like this; yours will not have any agents registered yet, and that is the next thing to do.