Not just for home network. If you are on a budget, Security Onion as NIDS and Wazuh as HIDS with Graylog, Hive and Velociraptor are a potent combo for a solid SOC on a budget. Better to have open source monitoring than nothing.
You definitely saw my comment on your security onion video. Thanks for this comparison. There are a lot of tools out there but knowing which ones to use depending on your situation can be difficult. This was really helpful though.
I think, graylog would be a great addition to my stack, since at work we use Splunk (which is very expensive). Graylog seems somewhat similar to splunk.
Have you tried Grafana stack for logging/metrics? Something along the line of: - Grafana for dashboards - Aloy for logging/metric agent - Loki for log aggregation - Mimir for long-term metrics storage - Prometheus for metrics - AlertManager for alerts
@@LAWRENCESYSTEMS oh yeah, we're evaluating Wazuh in conjunction with OpenSearch as a logging solution for a client and the pcap limitation is an interesting point.
i feel if they make a direct app for linux it’s best to run that way in my opinion. is this a poor way of thinking or is docker a better way. is it just for the added layer of protection?
I hate wazuh and ran from anything that runs on opensearch. You add some opensearch dashboard and use it, and then when you update your wazuh, it wont start back saying that some dashboards from opensearch are no longer supported.... and then you have a bug, lets say your wazuh version is 4.6.0, and you update your endpoint wazuh agent from 4.6.1 but dont update ur server bcuz you dont want the problem with it not starting after updating, but your wazuh gonna alert that your agent OUTDATED bcuz 4.6.1 not equal to 4.6.0. I know its free but one of the worst open source product that ive used
A lot of Linux based stuff is like that which is why I favor containers. Installing locally to a Linux host carries a lot of headaches. For example following a guide for Debian 11 will not work for Debian 12 because of dependency differences. Guide for CentOs are supposed to work for Alma or Rocky but sometimes run into snags again because of dependencies. Then anything relying on Apache is going to be a bigger pain under RHEL/Centos/Alma/Rocky because only Debian derivatives have a2enmod. There are so many spectacular, confidently written linux guides for so many things but anything larger than say nano is going to suck some time with depe dency issues.
who cares about stealing things? homelabbers have come powerful equipment to be taken and put into a botnet. I for one dont want the hardware i paid for the be used by others.
Not just for home network. If you are on a budget, Security Onion as NIDS and Wazuh as HIDS with Graylog, Hive and Velociraptor are a potent combo for a solid SOC on a budget. Better to have open source monitoring than nothing.
Your post has me nerding out so hard
Thanks for this that you heard out the comments from the last video and created a deeper one with other tools in compression
You definitely saw my comment on your security onion video. Thanks for this comparison. There are a lot of tools out there but knowing which ones to use depending on your situation can be difficult. This was really helpful though.
Thanks!
Security Onion with some good network taps is a potent combo. I love it on my home network.
Thanks, glad you like it!
I think, graylog would be a great addition to my stack, since at work we use Splunk (which is very expensive). Graylog seems somewhat similar to splunk.
If your company is utilizing Splunk, you may indeed be eligible for a Personalized Dev/Test License.
Have you tried Grafana stack for logging/metrics?
Something along the line of:
- Grafana for dashboards
- Aloy for logging/metric agent
- Loki for log aggregation
- Mimir for long-term metrics storage
- Prometheus for metrics
- AlertManager for alerts
Thanks for the video. Can we build Wazuh on latest Graylog Open version (replacing filebeat) with Grafana?
I have no idea.
Excellent insights, appreciated!
Glad it was helpful!
@@LAWRENCESYSTEMS oh yeah, we're evaluating Wazuh in conjunction with OpenSearch as a logging solution for a client and the pcap limitation is an interesting point.
i feel if they make a direct app for linux it’s best to run that way in my opinion. is this a poor way of thinking or is docker a better way. is it just for the added layer of protection?
Once you dockerize, you’ll want to dockerize everything that you reasonably can
hey tom! would you be willing to make a video on how to compile a pfsense iso from source?
Can you run these on one piece of hardware or each on one?
Is it okay to have agent from wazuh and security onion on same machine?
They should both work fine
am struggling a looot with writing my own syslog decoders in ,i wonder if adding graylog could help !
you will need to writing your own parser on graylog too, its not built in
Would like to see more of Wazuh
No crowdsec Francois???
What about Elastic?
I have heard of it
Thank you
I hate wazuh and ran from anything that runs on opensearch. You add some opensearch dashboard and use it, and then when you update your wazuh, it wont start back saying that some dashboards from opensearch are no longer supported....
and then you have a bug, lets say your wazuh version is 4.6.0, and you update your endpoint wazuh agent from 4.6.1 but dont update ur server bcuz you dont want the problem with it not starting after updating, but your wazuh gonna alert that your agent OUTDATED bcuz 4.6.1 not equal to 4.6.0. I know its free but one of the worst open source product that ive used
A lot of Linux based stuff is like that which is why I favor containers. Installing locally to a Linux host carries a lot of headaches. For example following a guide for Debian 11 will not work for Debian 12 because of dependency differences. Guide for CentOs are supposed to work for Alma or Rocky but sometimes run into snags again because of dependencies. Then anything relying on Apache is going to be a bigger pain under RHEL/Centos/Alma/Rocky because only Debian derivatives have a2enmod. There are so many spectacular, confidently written linux guides for so many things but anything larger than say nano is going to suck some time with depe dency issues.
Hey Tom, how about doing an updated video to some of the other tools you guys use i.e., ninjaone, sentinelone, etc
forums.lawrencesystems.com/t/client-defense-matrix-the-msp-stack-we-use-to-defend-our-clients/18805
Nobody wants to steal anything on your "homelab."
Maybe no one wants to steal your Homelab but I don't that's true of all homelabs.
Tell us more about your extra chromosome.
who cares about stealing things? homelabbers have come powerful equipment to be taken and put into a botnet. I for one dont want the hardware i paid for the be used by others.