Monitoring the situation
# This post is a work-in-progress. Come back regularly for updates!
My initial Open-Source SecOps Homelab SIEM setup with OpenSearch, fluent-bit, and Grafana
Playlist Dashboards
Note:
- I’m still iteratively auditing the dashboards to make sure each panel’s query, naming and threshold colouring actually make sense, as well as the overall logflow/parsing, to ensure I’m not dropping data. So you may see some issues/AI slop. My logic is that it’s better to vibecode some of this stuff to get an initial setup going quicker and then improve it over time.
- I’m starting to shift my focus to practicing analysis (there’s shockingly already a lot for me to investigate), but I’m also currently working on:
  - Alerting - I have a list of alerts to get started with, but I need to decide on what method I’m using to push alert notifications first. After that I’ll look into orchestration/correlation more; in the meantime I’ve added pipeline processors to ensure all the src/dst_ip fields are consistent across my data sources for basic cross-source alerting.
  - Going through the Wazuh configuration, as it’s largely default atm and seemingly getting a lot of false positives.
  - Adding some kind of automatic baseline/anomaly detection. Still exploring my options.
  - Health Monitoring - fluent-bit is half done, but I want more OpenSearch metrics and to set up Prometheus for host hardware health monitoring.
  - OpenVAS hypervisor host setup/integration.
  - Zeek Traffic Flow host setup/integration.
- I also need to look into ways I can deal with the massive auth success volume I get from the logflow scripts.
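As an added example (not the post’s own pipeline), this is the body of an OpenSearch ingest pipeline (`PUT _ingest/pipeline/normalize-ip-fields`) that folds per-source IP field names into common `src_ip`/`dst_ip` fields so one alert query can span data sources. The source field names are assumptions about how the tools emit them (`data.srcip`/`data.dstip` for Wazuh alerts, `id.orig_h`/`id.resp_h` for Zeek conn logs), and fluent-bit is assumed to forward Zeek’s dotted keys literally, which is why `dot_expander` runs first.

```json
{
  "description": "Normalise per-source IP field names into common src_ip/dst_ip (added example, not the post's pipeline)",
  "processors": [
    { "dot_expander": { "tag": "zeek: expand the literal key 'id.orig_h' into id.orig_h so the dotted path below resolves (assumed fluent-bit output)",
                        "field": "id.orig_h" } },
    { "dot_expander": { "field": "id.resp_h" } },
    { "rename": { "tag": "zeek originator -> src_ip; the 'if' guard matters because rename fails when the target already exists",
                  "field": "id.orig_h", "target_field": "src_ip", "ignore_missing": true, "if": "ctx.src_ip == null" } },
    { "rename": { "field": "id.resp_h", "target_field": "dst_ip", "ignore_missing": true, "if": "ctx.dst_ip == null" } },
    { "rename": { "tag": "wazuh: alerts carry the nested fields data.srcip / data.dstip (assumed field names)",
                  "field": "data.srcip", "target_field": "src_ip", "ignore_missing": true, "if": "ctx.src_ip == null" } },
    { "rename": { "field": "data.dstip", "target_field": "dst_ip", "ignore_missing": true, "if": "ctx.dst_ip == null" } }
  ],
  "on_failure": [
    { "set": { "tag": "never drop the event: keep it and record why normalisation failed so it shows up in a dashboard",
               "field": "pipeline_error", "value": "{{ _ingest.on_failure_message }}" } }
  ]
}
```

Map `src_ip` and `dst_ip` as the `ip` type in the index template so CIDR and range queries work across every source that flows through the pipeline.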
Investigation Dashboard
More coming soon!
Service Dashboards
Coming soon!
Logflow Overview
Coming soon!