Step-by-Step Implementation

1. Prepare the Environment

Purpose: Confirms the system architecture so that ARM-compatible packages are selected. On an ARM VM this prints aarch64, which Debian packaging (and therefore the Wazuh agent .deb file name) calls arm64.

uname -m

Purpose: Identifies the VM's LAN IP address, which is required for agent-to-server communication.

hostname -I

Purpose: Installs Docker and the Docker Compose v2 plugin, which are required to run Wazuh as containerized services. If apt cannot find docker-compose-plugin (that name comes from Docker's own apt repository), install Ubuntu's docker-compose-v2 package instead; both provide the docker compose subcommand used below.

sudo apt update
sudo apt install -y docker.io docker-compose-plugin

Purpose: Starts Docker immediately and ensures it persists across reboots.

sudo systemctl enable docker --now

Purpose: Verifies Docker and Docker Compose are installed and available. The second command must succeed as a docker subcommand (Compose v2); the legacy docker-compose v1 binary is not what the wazuh-docker files are run with here.

docker --version
docker compose version

2. Deploy Wazuh (Single Node)

Purpose: Retrieves the official Wazuh Docker deployment files and navigates to the single-node configuration. The Wazuh deployment guide clones a specific release tag (git clone ... -b v<version>) rather than the default branch; pin the tag that matches the Wazuh version you intend to run so the compose files and images stay in step.

git clone https://github.com/wazuh/wazuh-docker.git
cd wazuh-docker/single-node

Purpose: Generates the TLS material used to encrypt communication between Wazuh components (manager, indexer, dashboard): a self-signed root CA plus a certificate and private key per component, written to config/wazuh_indexer_ssl_certs, from where docker-compose.yml mounts them into the containers.

sudo docker compose -f generate-indexer-certs.yml run --rm generator

Purpose: Confirms that certificate files were successfully generated and stored locally.

ls -la config/wazuh_indexer_ssl_certs

Purpose: Starts the Wazuh SIEM stack (manager, indexer, dashboard) in detached mode. Before this step the host kernel setting vm.max_map_count must be at least 262144, which the Wazuh indexer (OpenSearch) requires; if it is lower, the indexer container exits shortly after starting and the dashboard never comes up.

sudo docker compose -f docker-compose.yml up -d

Purpose: Verifies that all Wazuh containers are running and healthy. The first start pulls the images and initialises the indexer, so allow a few minutes before treating a not-yet-healthy container as a failure; a container that keeps restarting is the one to inspect with docker compose logs.

sudo docker compose -f docker-compose.yml ps
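The two things that most often break this step are the kernel memory-map limit the indexer needs and a certificate directory that is incomplete or leaves private keys readable by every local account. The following pre-flight script is an added example (not part of the wazuh-docker project) that checks both before you run docker compose up. It assumes the certificate file names that the single-node docker-compose.yml mounts at the time of writing; compare the list with your checkout if they differ.

```shell
#!/bin/sh
# Pre-flight checks for the single-node Wazuh Docker stack. Added example,
# not part of the wazuh-docker project. Run from wazuh-docker/single-node
# before `docker compose up -d`; pass --live to inspect the real host,
# otherwise only the check functions are defined.

# The Wazuh indexer (OpenSearch) will not start unless the host kernel
# allows at least this many memory map areas per process.
REQUIRED_MAX_MAP_COUNT=262144

# Directory written by the certificate generator, and the files the
# single-node docker-compose.yml mounts from it (assumption: compare with
# your checkout if the file names differ).
CERT_DIR="${CERT_DIR:-config/wazuh_indexer_ssl_certs}"
CERT_FILES="root-ca.pem admin.pem admin-key.pem
wazuh.indexer.pem wazuh.indexer-key.pem
wazuh.manager.pem wazuh.manager-key.pem
wazuh.dashboard.pem wazuh.dashboard-key.pem"

# max_map_count_ok VALUE -> 0 when VALUE satisfies the indexer requirement
max_map_count_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;            # empty or not a number
    esac
    [ "$1" -ge "$REQUIRED_MAX_MAP_COUNT" ]
}

# world_readable FILE -> 0 when "others" may read FILE; a private key in
# that state is readable by every local account on the host
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# certs_ok DIR -> 0 when every expected certificate is present and non-empty
# and no private key is world-readable; prints each problem found
certs_ok() {
    dir=$1; rc=0
    for f in $CERT_FILES; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f"; rc=1
            continue
        fi
        case "$f" in
            *-key.pem)
                if world_readable "$dir/$f"; then
                    echo "private key is world-readable: $dir/$f"; rc=1
                fi ;;
        esac
    done
    return "$rc"
}

main() {
    status=0
    actual=$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)
    if max_map_count_ok "$actual"; then
        echo "vm.max_map_count=$actual: OK"
    else
        echo "vm.max_map_count=$actual is below $REQUIRED_MAX_MAP_COUNT;"
        echo "  fix now with: sudo sysctl -w vm.max_map_count=$REQUIRED_MAX_MAP_COUNT"
        echo "  and persist it in /etc/sysctl.d/ so the indexer survives a reboot"
        status=1
    fi
    if certs_ok "$CERT_DIR"; then
        echo "certificates in $CERT_DIR: OK"
    else
        status=1
    fi
    return "$status"
}

# Only inspect the real host when asked: ./preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    main
fi
```

Run it as ./preflight.sh --live from wazuh-docker/single-node; a non-zero exit means fix the reported item before docker compose up -d. The key-permission check matters because the generator is run as root and the files sit on the host: anything world-readable there is readable by every local user, not just the containers.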

3. Access and Verify the SIEM

Purpose: Retrieves the server IP used to access the Wazuh dashboard.

hostname -I

Access the dashboard: https://<WAZUH_VM_IP> opens the Wazuh web interface over HTTPS. The browser will warn about the certificate because it was issued by the self-signed CA generated in step 2, not by a public CA; that is expected in the lab. Log in with the deployment's documented default credentials and change them (the deployment guide describes changing the dashboard, indexer and API passwords) before the VM is reachable from anything other than the lab network.

Wazuh SIEM dashboard

4. Deploy the First Agent (Ubuntu ARM)

Agent was deployed via the Wazuh dashboard with these settings:

  • OS: Linux
  • Package: DEB aarch64
  • Server address: <WAZUH_VM_IP>
  • Agent name: ubuntu-lab-01
  • Group: default

The Wazuh dashboard gave me two commands to run on the endpoint to install the agent.

Purpose: Runs the install from the endpoint's home directory. The two dashboard commands are executed on the endpoint, not on the SIEM VM, and the downloaded agent package lands in the current directory, so start from a neutral location rather than inside a repository or the SIEM server's directory.

cd ~

Lastly, I ran the two commands that I copied from the Wazuh dashboard on the endpoint. The first downloads the arm64 agent package and installs it with the manager address and agent name passed as environment variables, so the agent enrols with the manager on first start; the second reloads systemd and enables and starts the wazuh-agent service.

Wazuh agent
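A screenshot of the install is not proof that the agent enrolled and is reporting; the manager's own agent list is. The script below is an added example (not the Wazuh project's code) that runs agent_control inside the manager container, parses its listing for a named agent, and prints the next thing to check when the agent is missing or not Active. It assumes the compose service name wazuh.manager from the single-node docker-compose.yml and the default enrolment/communication ports 1515/tcp and 1514/tcp; the sample listing it uses offline is constructed.

```shell
#!/bin/sh
# Confirm that a freshly installed agent enrolled and is reporting. Added
# example, not the Wazuh project's code. Run on the SIEM VM from
# wazuh-docker/single-node:   ./agent-check.sh --live ubuntu-lab-01
# Without --live only the parser is defined, fed by the constructed sample.

# Constructed sample in the format of `agent_control -l` on the manager.
SAMPLE_LISTING='Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh.manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: ubuntu-lab-01, IP: any, Active
   ID: 002, Name: stale-box, IP: any, Disconnected'

# agent_state LISTING NAME -> prints the agent's state (Active,
# Disconnected, Never connected, ...) or "Not registered";
# returns 0 only when the agent is Active.
agent_state() {
    listing=$1; name=$2
    line=$(printf '%s\n' "$listing" | grep -F ", Name: $name, ") || {
        echo "Not registered"; return 1; }
    state=${line##*, }                  # field after the last ", "
    echo "$state"
    [ "$state" = "Active" ]
}

main() {
    name=${1:?usage: $0 --live AGENT_NAME}
    # agent_control runs inside the manager container; -T because the
    # output is captured rather than shown on a terminal.
    listing=$(sudo docker compose -f docker-compose.yml exec -T wazuh.manager \
        /var/ossec/bin/agent_control -l)
    if state=$(agent_state "$listing" "$name"); then
        echo "$name: $state"
        return 0
    fi
    echo "$name: $state"
    case "$state" in
        "Not registered")
            echo "  enrolment never happened: re-run the dashboard install commands"
            echo "  on the endpoint and confirm it can reach the manager on 1515/tcp" ;;
        *)
            echo "  agent exists but is not reporting: on the endpoint run"
            echo "  'sudo systemctl status wazuh-agent', read /var/ossec/logs/ossec.log,"
            echo "  and confirm 1514/tcp to the manager is open" ;;
    esac
    return 1
}

if [ "${1:-}" = "--live" ]; then
    shift
    main "$@"
fi
```

The state is taken from the last comma-separated field of the agent's line, which is how agent_control -l lays the listing out; a name that appears nowhere is reported as Not registered, which points at enrolment (1515/tcp) rather than at the data channel (1514/tcp).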

5. Generate and Validate a Test Alert

Purpose: Creates a new user account. useradd records the creation in the authentication log (/var/log/auth.log on Ubuntu), the agent forwards that line to the manager, and the manager's syslog rules raise an alert for a new user being added; this exercises the whole pipeline from endpoint to dashboard.

sudo useradd wazuh_alert_test

In the dashboard:

  • Navigate to Security events / Threat hunting
  • Search for: useradd and wazuh_alert_test

Purpose: Confirms that the SIEM successfully detected, ingested, indexed, and displayed the security event. Delete the test account with userdel afterwards so the lab endpoint does not keep an unused login. If no alert appears, check that the endpoint actually writes the log the agent reads (by default /var/log/auth.log) before suspecting the manager.

Wazuh alert test
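Searching the dashboard confirms the event visually; the manager's alerts.json is the authoritative record and is easier to check from a script. The following added example (not the Wazuh project's code) extracts the rule ID, agent and description of any alert whose full_log shows the test user being created, and with --live greps the real alert log inside the manager container. The sample alert lines it runs on offline are constructed; the rule ID 5902 for "New user added to the system" is an assumption about the default rule set, so confirm it against your version.

```shell
#!/bin/sh
# Validate the useradd test alert end to end. Added example, not the
# Wazuh project's code. Offline it runs over a constructed alerts.json
# sample; with --live it greps the manager container's real alert log.

ALERTS_FILE=/var/ossec/logs/alerts/alerts.json   # manager's JSON alert log
TEST_USER="${TEST_USER:-wazuh_alert_test}"

# Constructed sample in the shape of alerts.json (one JSON object per line).
# Rule 5902 "New user added to the system" is assumed to be the syslog rule
# that fires on useradd in the default rule set; verify in your version.
SAMPLE_ALERTS='{"timestamp":"2024-05-01T10:00:00.000+0000","rule":{"level":8,"description":"New user added to the system.","id":"5902","groups":["syslog","adduser"]},"agent":{"id":"001","name":"ubuntu-lab-01"},"full_log":"May  1 10:00:00 ubuntu-lab-01 useradd[4242]: new user: name=wazuh_alert_test, UID=1001, GID=1001, home=/home/wazuh_alert_test, shell=/bin/sh, from=/dev/pts/0"}
{"timestamp":"2024-05-01T10:00:05.000+0000","rule":{"level":3,"description":"PAM: Login session opened.","id":"5501","groups":["pam","syslog"]},"agent":{"id":"001","name":"ubuntu-lab-01"},"full_log":"May  1 10:00:05 ubuntu-lab-01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by lab(uid=1000)"}'

# useradd_alerts ALERTS USER -> prints "RULE_ID AGENT DESCRIPTION" for every
# alert whose full_log records USER being created; returns 1 when none match.
useradd_alerts() {
    out=$(printf '%s\n' "$1" |
        grep -F 'useradd' | grep -F "new user: name=$2," |
        sed -e 's/.*"description":"\([^"]*\)","id":"\([0-9]*\)".*"agent":{"id":"[0-9]*","name":"\([^"]*\)".*/\2 \3 \1/')
    [ -n "$out" ] && printf '%s\n' "$out"
}

main() {
    # Pre-filter inside the container so only candidate lines cross docker exec.
    alerts=$(sudo docker compose -f docker-compose.yml exec -T wazuh.manager \
        grep -F "name=$TEST_USER," "$ALERTS_FILE" || true)
    if useradd_alerts "$alerts" "$TEST_USER"; then
        echo "alert pipeline OK: endpoint -> agent -> manager -> alerts.json"
        return 0
    fi
    echo "no alert for $TEST_USER yet; check in this order:"
    echo "  endpoint: grep useradd /var/log/auth.log   (the log the agent reads by default)"
    echo "  endpoint: sudo systemctl status wazuh-agent"
    echo "  manager : the agent shows as Active in agent_control -l"
    return 1
}

if [ "${1:-}" = "--live" ]; then
    main
fi
```

Output for the constructed sample is one line, 5902 ubuntu-lab-01 New user added to the system.; the PAM line is ignored because its full_log is not a useradd event. If the live run finds nothing, the ordered hints follow the data path, so the first failing check is where the pipeline is broken.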

Challenges & Lessons Learned

ARM vs amd64

  • Many SIEM tools and their install instructions default to x86-64 (amd64) packages
  • ARM deployments require explicitly selecting the aarch64 (arm64) package, both for the Docker images and for the agent
  • Architecture mismatches (an amd64 package on the aarch64 VM) caused failures
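The root of the mismatch is naming: uname -m reports aarch64 while Debian packaging, and hence the Wazuh agent .deb file name, uses arm64, so a package chosen by eye is easy to get wrong. This added example (not the Wazuh project's code) maps the kernel's machine string to the Debian architecture to select in the dashboard and checks a downloaded package file name against it before dpkg gets a chance to reject it; the arm64/amd64/armhf/i386 set is the one the Wazuh agent .deb packages are published for, and the file name suffix convention (_arm64.deb) is assumed from those package names.

```shell
#!/bin/sh
# Pick the right Wazuh agent .deb for the endpoint's CPU. Added example, not
# the Wazuh project's code. Usage:  ./arch-check.sh --live [package.deb ...]

# wazuh_deb_arch UNAME_M -> prints the Debian architecture used in the Wazuh
# agent package file name; returns 1 for a machine type with no package.
wazuh_deb_arch() {
    case "$1" in
        x86_64)         echo amd64 ;;
        aarch64|arm64)  echo arm64 ;;
        armv7l)         echo armhf ;;
        i386|i686)      echo i386 ;;
        *) echo "no Wazuh agent package for machine type: $1" >&2; return 1 ;;
    esac
}

# package_matches_host DEB_FILENAME HOST_DEB_ARCH -> 0 when the package's
# architecture suffix (e.g. _arm64.deb) matches the host; otherwise dpkg
# would refuse it with "package architecture (...) does not match system".
package_matches_host() {
    pkg_arch=${1##*_}                   # text after the last underscore
    pkg_arch=${pkg_arch%.deb}
    [ "$pkg_arch" = "$2" ]
}

main() {
    host=$(wazuh_deb_arch "$(uname -m)") || return 1
    # dpkg is authoritative on Debian/Ubuntu: a 32-bit userland on a 64-bit
    # kernel reports aarch64 from uname but armhf from dpkg.
    if command -v dpkg >/dev/null 2>&1; then
        dpkg_arch=$(dpkg --print-architecture)
        if [ "$dpkg_arch" != "$host" ]; then
            echo "warning: dpkg reports $dpkg_arch but uname -m maps to $host; use $dpkg_arch" >&2
            host=$dpkg_arch
        fi
    fi
    echo "select the $host agent package in the Wazuh dashboard"
    rc=0
    for pkg in "$@"; do
        if package_matches_host "$pkg" "$host"; then
            echo "ok:         $pkg"
        else
            echo "WRONG ARCH: $pkg (host is $host)"; rc=1
        fi
    done
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then
    shift
    main "$@"
fi
```

Run it with the downloaded package as an argument before dpkg -i; a WRONG ARCH line is the dpkg failure caught one step earlier.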