Skip to main content
Homelab Journal
  1. Posts/

Deploying Wazuh XDR with Graylog Integration

·517 words·3 mins
Intermediate Lesson-Learned Lab-Note Security Wazuh Graylog Monitoring Docker
Author
Mario
Security engineer by day, homelab tinkerer by night. Building self-hosted infrastructure and documenting the journey.
Table of Contents

The Challenge
#

I needed a unified security monitoring solution that could:

  1. Provide endpoint detection and response (XDR) capabilities
  2. Integrate with my existing Graylog centralized logging infrastructure
  3. Scale from a single-node deployment to multi-node if needed
  4. Work with my existing OpenClaw threat intelligence feeds

The Solution
#

Wazuh Single-Node Stack
#

Deployed Wazuh as a Docker-based single-node stack. The single-node architecture includes:

  • Wazuh Manager: Core HIDS/XDR engine
  • Wazuh Indexer: OpenSearch-based storage
  • Wazuh Dashboard: Kibana-based UI

Graylog Integration via Rsyslog
#

Rather than replacing Graylog, I integrated Wazuh alerts into my existing logging pipeline:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# /etc/rsyslog.d/wazuh-graylog.conf
# Forward Wazuh alerts to Graylog via syslog
module(load="imfile")

input(type="imfile"
      File="/var/ossec/logs/alerts/alerts.json"
      Tag="wazuh-alerts"
      Severity="info"
      Facility="local0")

local0.* @@<GRAYLOG_SERVER>:1514;RSYSLOG_SyslogProtocol23Format

Pipeline Creation Scripts
#

Created Python scripts to automate Graylog configuration:

Pipeline Creator - Sets up extractors and processing rules for Wazuh JSON:

1
2
3
4
5

# Key fields extracted:
# - rule.level (severity 0-15)
# - rule.description (alert message)
# - agent.name (source host)
# - data.* (event-specific data)

Dashboard Creator - Generates Graylog dashboards with:

  • Alert severity distribution (pie chart)
  • Top 10 triggered rules (bar chart)
  • Agent activity timeline (histogram)
  • Critical alerts table (>= level 10)

Graylog dashboard showing Wazuh security alert widgets

What I Learned
#

1. JSON Log Shipping is Tricky
#

Wazuh writes alerts as JSON Lines format, but rsyslog’s imfile module treats each line as a message. This works well for Graylog’s JSON extractor, but you need to ensure:

  • File permissions allow rsyslog to read the alerts file
  • Log rotation doesn’t break the file watcher

2. OpenClaw Integration Adds Value
#

Custom rules referencing OpenClaw threat feeds (openclaw_rules.xml) provide:

  • Known malicious IP detection
  • Suspicious domain lookups
  • File hash matching against threat intel

3. Single-Node is Fine for Homelab
#

The three-container stack (manager, indexer, dashboard) runs comfortably on:

  • 4 vCPUs
  • 8GB RAM
  • 50GB storage

For a homelab with <20 agents, this is more than sufficient.

Architecture
#

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

┌─────────────────────────────────────────────────────────────┐
│                    Security Monitoring                       │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ┌─────────┐    ┌─────────┐    ┌─────────┐                 │
│  │ Agents  │───▶│ Wazuh   │───▶│ Wazuh   │                 │
│  │ (hosts) │    │ Manager │    │ Indexer │                 │
│  └─────────┘    └────┬────┘    └─────────┘                 │
│                      │                                      │
│                      │ alerts.json                          │
│                      ▼                                      │
│               ┌──────────────┐                              │
│               │   rsyslog    │                              │
│               └──────┬───────┘                              │
│                      │ syslog/tcp:1514                      │
│                      ▼                                      │
│               ┌──────────────┐                              │
│               │   Graylog    │◀── Unified Log View          │
│               └──────────────┘                              │
│                                                             │
└─────────────────────────────────────────────────────────────┘

Files Created
#

FilePurpose
docker-compose.ymlWazuh single-node stack
rsyslog-graylog-wazuh.confSyslog forwarding config
openclaw_rules.xmlCustom threat intel rules
create-wazuh-graylog-pipeline.pyGraylog pipeline automation
create-wazuh-dashboard.pyDashboard generation

Next Steps
#

  1. Deploy Wazuh agents to all LXC containers
  2. Create alerting rules in Graylog for critical Wazuh events
  3. Integrate with Discord notifications for real-time alerts
  4. Explore Wazuh’s vulnerability detection module

Takeaway: Wazuh provides enterprise-grade XDR capabilities that integrate well with existing logging infrastructure. The rsyslog bridge to Graylog gives you the best of both worlds - specialized security analytics in Wazuh and unified log correlation in Graylog.