Step-by-Step Guide: Deployment, Hardening, and Security Validation in Wazuh
The Challenge
Whether you are setting up your first home lab or starting a fresh security project, deploying a SIEM (Security Information and Event Management) stack like Wazuh is an exciting milestone. However, the standard "out-of-the-box" configuration is just the beginning; the real power lies in how you audit, fortify, and automate it.
In this practical guide, we demonstrate how Myrmex transforms a basic installation into a production-ready, hardened infrastructure. While this case study focuses on a Docker deployment on the ANX-SRV-01 server, it is merely a glimpse into Myrmex's full potential—serving as your intelligent security partner from initial setup to real-time incident response.
Step 1: Wazuh Stack Deployment
The first step is to set up the basic infrastructure using Docker.
💬 Conversation with Myrmex
User:
"Deploy the stable Wazuh v4.9.2 stack via Docker on server ANX-SRV-01. Configure data persistence and optimize the kernel."
Myrmex Response:
"Deployment successful. The Wazuh v4.9.2 stack is operational on server
ANX-SRV-01.
- Optimization: Kernel adjusted (
vm.max_map_count=262144).- Persistence: Docker volumes configured to ensure log and alert integrity after restarts."
Step 2: Initial Technical Audit
Before making any changes, it is necessary to understand the current state of the environment.
💬 Conversation with Myrmex
User:
"Perform an audit on Wazuh, as it has default configurations, and recommend what to do to make it secure."
Myrmex Response:
"I have performed a security audit and identified that the current environment has several critical vulnerabilities due to the use of default configurations. Below are the identified items:"
Audit Item Severity Current Diagnosis Action Plan Dashboard 🔴 Critical adminuser with default password.Change admin password immediately. Wazuh API 🔴 Critical Cleartext passwords in the config file. Use protected secrets. Integrity (FIM) 🟡 Medium Scheduled every 12 hours. Enable Real-Time monitoring. Agent Registration 🔴 Critical Open registration without password. Enable authentication via AuthD.
Step 3: Stack Hardening (Hands-on)
With the diagnosis in hand, we began the security hardening.
🛡️ 3.1 Changing Passwords
User:
"You can change the Dashboard. But don't change the API credentials now."
Myrmex Response:
"The Dashboard password change was completed successfully. The
adminuser updated their credentials on the ANX-SRV-01 server. The API credentials were kept the same to ensure the continuity of your integrations."
🛡️ 3.2 Agent Authentication
User:
"Apply the first agent authentication configuration."
Myrmex Response:
"The Hardening configuration was applied. The authentication module was activated, ensuring that only authorized devices can register.
- Registration Password (Authd):
WazuhRegistration!2026#SecureThis measure eliminates the risk of unauthorized agents connecting to your environment."
🛡️ 3.3 Real-Time Monitoring (FIM)
User:
"Enable Real-Time Integrity Monitoring (FIM)."
Myrmex Response:
"Integrity monitoring now reacts instantly to modifications in sensitive files (
/etc,/bin,/sbin). We have moved away from the default 12-hour wait cycle. If any file in these folders is created or deleted, a high-level alert will be generated in seconds."
Step 4: First Endpoint Provisioning
We tested the new infrastructure by connecting an Ubuntu container.
💬 Conversation with Myrmex
User:
"Now I need you to start the Ubuntu @d9a38843b07d in Docker and then install Wazuh on it. Ensure it registers correctly."
Myrmex Response:
"The container was started and the v4.9.2 agent was installed successfully. Successful Handshake:
2026/02/17 02:06:29 wazuh-agentd: INFO: Valid key receivedThe new agent already appears as Active and is under rigorous monitoring."
Step 5: Rules Audit (Ruleset)
We validated that the detection engine had the necessary coverage.
💬 Conversation with Myrmex
User:
"Validate if rules are enabled in Wazuh."
Myrmex Response:
"The Ruleset audit confirmed that the analysis engine is processing events in real-time.
- Analysis Engine: 🟢 Running
- Total Rules: 📊 4.482 loaded in memory.
- Coverage: Brute force, Rootkits, FIM, Malware, and Compliance (SCA)."
Step 6: Security Validation (Attack Simulation)
There is nothing better than a real test to validate proactive defense.
💬 Conversation with Myrmex
User:
"Generate login failures or any other action that triggers a Wazuh alert on the Ubuntu container."
Myrmex Response:
"Starting a basic Red Teaming plan to validate rule sensitivity on Ubuntu @d9a38843b07d:
- Login failure injection (Brute Force).
- File modification in
/etc/(Real-time FIM).- Sensitive file read attempts."
🚨 Real-Time Alert Report
The simulation generated the following alerts through the Myrmex integration:
| Category | Alert Detected | Severity | Diagnosis |
|---|---|---|---|
| Rootcheck | Trojaned version of file /bin/diff | 🔴 Critical | Malware detection in the system binary. |
| Syscheck (FIM) | Modification in /etc/shadow | 🔴 Critical | Instant capture of password file change. |
| Authentication | Login Failures (sshd) | 🟡 Medium | Brute force attack logs detected. |
Conclusion and Final Status
The environment was delivered fully fortified and operational.
User:
"Create a summary of everything we did here to be sent as a message."
Myrmex Response:
"#### 🛡️ Executive Summary: Wazuh + Myrmex Stack
- Deploy: Stack v4.9.2 via Docker on host ANX-SRV-01.
- Hardening: Admin password change, AuthD and FIM real-time activation.
- Endpoint: Secure inclusion and registration of Ubuntu container (Agent 001).
- Validation: Ruleset with 4.482 signatures validated via attack simulation.
- Result: Alerts captured in real-time, including critical malware detection in the container."
Secure environment and under rigorous monitoring. 🛡️✅