VPS Security Monitoring with Wazuh SIEM: Practical Setup Guide

Wazuh SIEM is an open-source security platform that collects logs and security events from many servers and stores them in one place. It lets teams see what is happening across their systems, spot suspicious activity, and get alerts when something looks wrong. This tutorial from PerLod Hosting shows you how to configure Wazuh SIEM for VPS infrastructure.

Wazuh is useful because a VPS setup often has many small servers that are easy to miss if checked one by one. With Wazuh, each VPS can send key data like system logs, login activity, and important file changes to a central server, so problems can be found faster and handled sooner.

Prerequisites To Configure Wazuh SIEM for VPS Infrastructure

This guide shows you how to install Wazuh on a VPS, add other VPS servers as agents, and enable key security features like file integrity monitoring and vulnerability scanning.

Before starting the Wazuh SIEM setup, ensure you have the following requirements.

Hardware Requirements

For an all-in-one Wazuh deployment monitoring up to 100 VPS servers:

  • Minimum: 4 vCPU, 8 GB RAM, 50 GB disk space.
  • Recommended: 8 vCPU, 8 GB RAM, 100-200 GB disk space (SSD is recommended).

Operating System

One VPS for the Wazuh SIEM server running:

  • Ubuntu 16.04, 18.04, 20.04, 22.04, or 24.04
  • Or CentOS Stream 10, RHEL 7-10

In this guide, we use Ubuntu 24.04 to show you the steps.

Access Requirements

  • Root or sudo access on all servers.
  • SSH access to all VPS instances.
  • Basic familiarity with the Linux command line.

For this tutorial, the Wazuh SIEM server and all monitored nodes are deployed on PerLod VPS Hosting.

1. Install Wazuh SIEM Server (All-in-One)

We will install Wazuh in all-in-one mode, which puts the server, indexer, and dashboard on a single VPS. First, update and upgrade the system so the latest security patches are installed:

sudo apt update && sudo apt upgrade -y

Then, use the curl command to download the official Wazuh installation script:

sudo curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh

After your download is completed, run the installation assistant in all-in-one mode with the command below:

sudo bash ./wazuh-install.sh -a

The -a flag installs Wazuh indexer, server, and dashboard on the same VPS.

The script will automatically:

  • Install the Wazuh indexer, which stores security data.
  • Install the Wazuh server (manager), which receives and analyzes the events sent by agents.
  • Install the Wazuh dashboard, which is the web interface for visualization.
  • Generate SSL certificates.
  • Create administrator credentials.

The installation may take 5-10 minutes, then you will see output similar to this:

INFO: --- Summary ---
INFO: You can access the web interface https://<WAZUH_DASHBOARD_IP>:443
User: admin
Password: kR8x9m2B*zQ5vL3nW7hY
INFO: Installation finished.

You must save the credentials to access the dashboard.

To prevent accidental upgrades that could break your setup, you must disable the Wazuh package repository with the command below:

sudo sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
sudo apt update

This ensures you control when to upgrade Wazuh and can test updates in a staging environment first.

2. Configure Network Access for Wazuh SIEM

At this point, you must configure the firewall rules so that Wazuh SIEM is reachable by administrators and agents.

For Ubuntu with UFW firewall, run the commands below to allow the required ports:

sudo ufw allow 443/tcp comment 'Wazuh Dashboard'
sudo ufw allow 1514/tcp comment 'Wazuh Agent Communication'
sudo ufw allow 1515/tcp comment 'Wazuh Agent Enrollment'
sudo ufw allow 55000/tcp comment 'Wazuh API'
sudo ufw reload

For systems using firewalld, like CentOS and RHEL, run the commands below:

sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --permanent --add-port=1514/tcp
sudo firewall-cmd --permanent --add-port=1515/tcp
sudo firewall-cmd --permanent --add-port=55000/tcp
sudo firewall-cmd --reload

Important Note: Restrict dashboard access (port 443) to trusted IP addresses only. Allow ports 1514 and 1515 only from your monitored VPS servers.
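To apply the note above (dashboard and API only from admin addresses, agent ports only from the monitored servers), here is an added helper that is not part of the PerLod guide. It prints the UFW commands for a given list of admin and agent IPs so you can review them before running them; the addresses in the demo are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: generate UFW rules that
# restrict each Wazuh port to the hosts that actually need it.
set -eu

# Print the ufw commands for a deployment.
#   $1: space-separated admin IPs (dashboard and API access)
#   $2: space-separated IPs of the monitored VPS servers (agent ports)
# The commands are printed, not executed, so they can be reviewed first.
wazuh_ufw_rules() {
  local admins="$1" agents="$2" ip
  for ip in $admins; do
    echo "sudo ufw allow from $ip to any port 443 proto tcp comment 'Wazuh Dashboard'"
    echo "sudo ufw allow from $ip to any port 55000 proto tcp comment 'Wazuh API'"
  done
  for ip in $agents; do
    echo "sudo ufw allow from $ip to any port 1514 proto tcp comment 'Wazuh Agent Communication'"
    echo "sudo ufw allow from $ip to any port 1515 proto tcp comment 'Wazuh Agent Enrollment'"
  done
  # Anything not explicitly allowed stays closed.
  echo "sudo ufw default deny incoming"
}

# Constructed demo addresses (RFC 5737 documentation ranges).
if [ "${1:-}" = "--demo" ]; then
  wazuh_ufw_rules "203.0.113.10" "198.51.100.21 198.51.100.22"
fi
```

Apply the printed rules only after checking them, and delete the unrestricted 443, 1514 and 1515 rules from the earlier step (`sudo ufw status numbered` lists them with their numbers).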

Then, check that all Wazuh services are running and active with the commands below:

sudo systemctl status wazuh-manager
sudo systemctl status wazuh-indexer
sudo systemctl status wazuh-dashboard

Each service should show an active (running) status. If any service is not running, start it with the commands below:

sudo systemctl start wazuh-manager
sudo systemctl start wazuh-indexer
sudo systemctl start wazuh-dashboard

3. Access the Wazuh Dashboard

Now that you have set up Wazuh SIEM and configured the network access, you can access the dashboard. To do this, open your web browser and navigate to:

https://YOUR_WAZUH_SERVER_IP:443

Replace YOUR_WAZUH_SERVER_IP with your VPS public IP address.

Warning: Your browser will show a security warning because Wazuh uses a self-signed SSL certificate. Click Advanced and proceed to the site.

On the login screen, enter the credentials shown at the end of the Wazuh installation:

  • Username: admin
  • Password: password shown during installation.

If you lost the password, you can use the command below to get it:

sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

4. Install Wazuh Agents on Monitored VPS Servers

In this step, you install the Wazuh agent on every VPS you want to monitor. On each of those servers, start by adding the Wazuh repository.

On Ubuntu and Debian systems, use the following command to download Wazuh’s GPG signing key:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor | sudo tee /usr/share/keyrings/wazuh.gpg > /dev/null

Then, add the Wazuh APT repository with the command below:

echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

Run the system update and install the Wazuh Agent package:

sudo apt update
sudo apt install wazuh-agent -y

This downloads and installs the Wazuh agent software, which will monitor this VPS and send security events to the Wazuh manager.

Configure Wazuh Agent to Connect to Manager

After installing the Wazuh agent, you must configure it to connect to the Wazuh manager (server). To do this, open the agent's main config file with the command below:

sudo nano /var/ossec/etc/ossec.conf

In the file, find the client section and update the address field with your Wazuh manager IP:

<client>
  <server>
    <address>YOUR_WAZUH_MANAGER_IP</address>
    <port>1514</port>
    <protocol>tcp</protocol>
  </server>
</client>

Once you are done, save and close the file.

Start the Wazuh Agent

Reload the systemd configuration to apply the changes and start the Wazuh agent service with the following commands:

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Verify the Agent service is active and running:

sudo systemctl status wazuh-agent

Verify Wazuh Agent Connection

Now you can check the agent log to confirm it connected to the manager:

sudo tail -f /var/ossec/logs/ossec.log

You should see a message containing Connected to the server, which confirms the agent has enrolled and connected to the manager. Press Ctrl+C to stop viewing the log.

On the Wazuh dashboard:

  • Click the menu icon in the top-left.
  • Select Agents Management and Summary.

You should see your newly added agent listed with status Active.

Note: You can repeat these steps for each VPS you want to monitor.
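The ossec.conf address edit and the ossec.log check above can be scripted when you repeat them across many servers. The helper below is an added example, not part of the PerLod guide: it rewrites the <address> inside the <client> block and then decides from ossec.log whether the agent is connected. It assumes the "Connected to the server" message quoted above and an "Unable to connect" error line for failures; the files in the demo are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: set the manager address in an
# agent's ossec.conf and confirm the connection from ossec.log.
set -eu

# Replace the <address> inside the <client> block of ossec.conf.
# <address> elements outside <client> are left untouched.
set_manager_address() {
  local conf="$1" ip="$2"
  sed "/<client>/,/<\/client>/ s|<address>[^<]*</address>|<address>$ip</address>|" \
    "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  # Fail if the rewrite did not take effect (e.g. no <client> block).
  grep -q "<address>$ip</address>" "$conf"
}

# Return 0 if the most recent connection event in ossec.log is a success.
# Assumes the "Connected to the server" message from the guide and an
# "Unable to connect" line on failure; whichever came last decides.
agent_connected() {
  local log="$1" last
  last=$(grep -E 'Connected to the server|Unable to connect' "$log" | tail -n 1 || true)
  case "$last" in
    *"Connected to the server"*) return 0 ;;
    *)                           return 1 ;;
  esac
}

# Stand-alone demo on constructed files; the real paths are
# /var/ossec/etc/ossec.conf and /var/ossec/logs/ossec.log.
if [ "${1:-}" = "--demo" ]; then
  conf=$(mktemp); log=$(mktemp)
  printf '%s\n' '<ossec_config>' '  <client>' '    <server>' \
    '      <address>MANAGER_IP</address>' '      <port>1514</port>' \
    '    </server>' '  </client>' '</ossec_config>' > "$conf"
  set_manager_address "$conf" 192.0.2.10 && grep address "$conf"
  echo '2025/01/01 10:00:01 wazuh-agentd: INFO: (4102): Connected to the server (192.0.2.10:1514/tcp).' > "$log"
  agent_connected "$log" && echo "agent connected"
  rm -f "$conf" "$log"
fi
```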

5. Enable File Integrity Monitoring in Wazuh SIEM

File Integrity Monitoring detects unauthorized changes to critical files and directories.

On each Wazuh agent VPS, edit the following file:

sudo nano /var/ossec/etc/ossec.conf

Locate the syscheck section and add directories to monitor. For example, for a typical web server VPS, it looks like this:

<syscheck>
  <!-- Monitor system configuration files -->
  <directories check_all="yes" realtime="yes">/etc</directories>
  
  <!-- Monitor web content (adjust path for your setup) -->
  <directories check_all="yes" realtime="yes">/var/www</directories>
  
  <!-- Monitor user home directories -->
  <directories check_all="yes">/home</directories>
  
  <!-- Scan frequency (12 hours = 43200 seconds) -->
  <frequency>43200</frequency>
  
  <!-- Scan immediately on agent startup -->
  <scan_on_start>yes</scan_on_start>
</syscheck>

Once you are done, restart the Wazuh agent to apply changes:

sudo systemctl restart wazuh-agent

To test the file integrity monitoring, create a test file in a monitored directory:

sudo touch /etc/test_fim_file.txt

This creates an empty file that FIM should detect. Wait for 1 or 2 minutes and then check the Wazuh dashboard:

  • Go to Security events.
  • Filter by agent name.
  • Look for alerts with a rule description containing "Integrity checksum changed".

You should see an alert showing that the new file was detected.

6. Enable Vulnerability Detection in Wazuh Manager

Vulnerability detection scans installed software packages on agents and compares them against CVE databases to identify known security flaws. To enable this option, follow the steps below.

On the Wazuh manager VPS, edit the following file:

sudo nano /var/ossec/etc/ossec.conf

Find the vulnerability-detection section and ensure it is enabled:

<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

Save the file and restart the Wazuh manager:

sudo systemctl restart wazuh-manager

This loads the new configuration and begins vulnerability scanning. After 10-15 minutes, check the dashboard:

  • Navigate to Threat detection and response, Vulnerabilities.
  • Select an agent from the list.
  • View detected vulnerabilities categorized by severity, such as Critical, High, Medium, and Low.

Verification and Troubleshooting Wazuh SIEM

At this point, you can confirm that each agent is connected to the manager, confirm the network path is open on the required ports, and then use logs to quickly identify the exact error.

To list all added agents with their ID, name, IP address, and status, you can run the command below from the Wazuh manager:

sudo /var/ossec/bin/agent_control -l

Also, you can check the agent status on the agent itself:

sudo grep ^status /var/ossec/var/run/wazuh-agentd.state

To test connectivity from agent to manager ports, you can run:

nc -zv YOUR_WAZUH_MANAGER_IP 1514
nc -zv YOUR_WAZUH_MANAGER_IP 1515

If these commands fail, you must verify:

  • Firewall rules on both the manager and the agent VPS.
  • Security group rules if using a cloud VPS.
  • Network routing between VPS instances.

To review logs for errors, you can use the commands below:

# On the Wazuh manager:
sudo tail -50 /var/ossec/logs/ossec.log

# On agents:
sudo tail -50 /var/ossec/logs/ossec.log
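When the manager has many agents, the agent_control listing above is easier to act on if it is reduced to the agents that are not Active. The helper below is an added example, not part of the PerLod guide; it assumes the "ID: …, Name: …, IP: …, <status>" line format of agent_control -l, and the sample output in the demo is constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: reduce the output of
# 'agent_control -l' to the agents that need attention.
set -eu

# Read agent_control -l output (file argument or stdin) and print
# "ID NAME STATUS" for every agent whose status is not Active.
# Assumes lines of the form:
#   ID: 001, Name: web01, IP: 198.51.100.21, Active
# ID 000 is the manager itself (Active/Local) and is skipped.
agents_not_active() {
  awk -F', ' '
    /^ *ID: / {
      id = $1;   sub(/^ *ID: /, "", id)
      name = $2; sub(/^Name: /, "", name)
      status = $NF
      if (id != "000" && status !~ /^Active/) print id, name, status
    }' "$@"
}

# Exit status 0 when every agent is Active, 1 otherwise, so the check can
# run from cron or a monitoring probe.
all_agents_active() {
  [ -z "$(agents_not_active "$@")" ]
}

if [ "${1:-}" = "--demo" ]; then
  # Constructed sample in the agent_control -l format.
  sample='Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 198.51.100.21, Active
   ID: 002, Name: db01, IP: any, Disconnected
   ID: 003, Name: app01, IP: any, Never connected'
  printf '%s\n' "$sample" | agents_not_active
fi
```

On the manager, run `sudo /var/ossec/bin/agent_control -l | agents_not_active`; an empty result means every enrolled agent is reporting.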

Security Best Practices: Wazuh SIEM VPS Setup

This step focuses on running Wazuh safely and smoothly in a real VPS environment, where public IP exposure, limited resources, and fast growth can create security and stability risks. The goal is to reduce attack surface, keep agent traffic private when possible, and make sure updates and backups are planned.

Security Recommendations:

1. Restrict dashboard access: Only allow access from admin IPs. A rule like the one below should replace the unrestricted port 443 rule added in step 2.

sudo ufw allow from YOUR_ADMIN_IP to any port 443

2. Use private networking: If your VPS provider supports private networks, configure agents to connect via private IPs to avoid exposing agent traffic on the public internet.

3. Regular updates: Schedule maintenance windows to update Wazuh components following the official upgrade guide.

4. Backup configuration: Regularly back up /var/ossec/etc/ directory and the wazuh-install-files.tar file.

Performance Tuning: For larger deployments (100+ agents), consider:

  • Increase manager resources: 8+ vCPU, 16 GB RAM.
  • Separate components: Deploy indexer, server, and dashboard on separate VPS instances.
  • Adjust agent reporting interval: Reduce frequency for less critical systems.
  • Enable log compression: Reduce storage requirements.

Monitoring and Maintenance:

1. Monitor disk usage: Wazuh indexes consume disk space over time.

df -h /var/ossec

2. Set up index rotation: Configure automatic deletion of old indices in the dashboard settings.

3. Configure email alerts: Set up SMTP integration to receive critical alerts via email.

4. Create custom rules: Set up Wazuh rules for your specific VPS applications and threats.

FAQs

What are the minimum hardware requirements for Wazuh SIEM on a VPS?

For monitoring up to 100 agents, you need at least 4 vCPU, 8 GB RAM, and 50 GB disk space. For better performance, use 8 vCPU, 8 GB RAM, and 100-200 GB SSD storage.

What ports need to be open for Wazuh to work?

You need to open port 1514 (TCP) for agent communication, port 1515 (TCP) for agent registration, port 443 (TCP) for dashboard access, and optionally port 55000 (TCP) for the Wazuh API.

Why can’t my agents connect to the Wazuh manager?

Common causes include a firewall blocking ports 1514/1515, an incorrect manager IP in the agent’s ossec.conf file, network routing issues, or security group rules blocking traffic. Use nc -zv MANAGER_IP 1514 to test connectivity.

Conclusion

At this point, you have a fully functional Wazuh SIEM deployment monitoring your VPS infrastructure. This setup provides:

  • Centralized log aggregation from all monitored VPS servers.
  • Real-time threat detection through rule-based analysis.
  • File integrity monitoring to detect unauthorized changes.
  • Vulnerability scanning to identify CVE exposures.
  • Compliance monitoring for regulatory frameworks.
  • Security dashboards for visualization and reporting.

We hope you enjoy this guide on configuring Wazuh SIEM for VPS infrastructure. Subscribe to our X and Facebook channels to get the latest updates and articles.

For advanced configurations and troubleshooting, you can check the official Wazuh documentation.
