A home security operations centre is not a vanity project. If you do security research, run a small business from your home network, or just want to understand what’s actually happening on your network, the open-source SOC stack now matches what mid-market enterprises ran five years ago. This tutorial walks through the build top to bottom on hardware costing under $400.
The stack at a glance
Wazuh is the host-based monitoring layer: open-source EDR, log collection, file integrity monitoring, and rule-based alerting on every device with the agent installed. Suricata is the network IDS: inline traffic analysis driven by Emerging Threats rule sets such as ETOpen. OPNsense is the router/firewall that runs Suricata as a plugin. Together the three give you endpoint, network, and log correlation in one stack.
Hardware
One small server for Wazuh (4 vCPU, 8 GB RAM, 200 GB SSD minimum) and one router-capable box for OPNsense+Suricata (Intel N100 or N305, 4-8 GB RAM, dual NIC). Protectli, Qotom, and the cheaper Topton boxes from AliExpress all work; budget around $250-$350 for the router. The Wazuh server can be a Raspberry Pi 5 with NVMe HAT for $150 if you don’t need to retain logs more than 30 days, or a NUC clone for ~$300 if you do.
Step 1: Install OPNsense and Suricata
Download the OPNsense ISO from opnsense.org/download, write it to a USB stick with Etcher or Rufus, and install on the router box. Initial setup takes about 20 minutes; the wizard prompts for WAN/LAN interface assignment, password, and timezone.
Once you can reach the web UI, install Suricata: Services → Intrusion Detection → Administration → enable the service, then under the Download tab subscribe to ETOpen and the Abuse.ch SSL Blacklist as your starter rule sets. Hit Update Rules. Enable IPS mode if your router CPU can handle it; otherwise leave it at IDS-only and review the alerts daily.
Step 2: Install Wazuh manager
On the server box, install Ubuntu Server 24.04. Then run Wazuh’s all-in-one installer:
curl -sO https://packages.wazuh.com/4.10/wazuh-install.sh
sudo bash wazuh-install.sh -a
Twenty minutes later you have Wazuh manager, indexer, and dashboard running. Open https://YOUR-SERVER-IP and log in with the credentials the installer printed.
Step 3: Enroll endpoint agents
For every Windows, macOS, and Linux machine you want to monitor, install the Wazuh agent. Wazuh dashboard → Agents → Deploy new agent → pick OS → copy the install command. Each agent self-registers with the manager and starts shipping syslog, Windows event log, file-integrity events, and process telemetry.
Default rules catch a useful baseline of behaviour: failed logins, account creation, scheduled task changes, suspicious binary execution. The dashboard’s Security Events tab is where you’ll spend most triage time.
Step 4: Forward Suricata logs into Wazuh
This is the integration that turns three separate tools into a SOC. On OPNsense: Services → Intrusion Detection → Administration → enable EVE JSON output. On the Wazuh server: install the Wazuh agent, then add a custom decoder pointing at the Suricata eve.json file. Wazuh’s official docs at documentation.wazuh.com have the exact config.
Once that’s done, every Suricata alert appears in the Wazuh dashboard alongside endpoint events. Cross-correlation queries become trivial: “show me network alerts for IPs that also had failed-login spikes.”
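The correlation query above can also be run outside the dashboard, for example against the raw files in a cron job. The script below is an added example, not part of the tutorial and not Wazuh or Suricata code: it reads Suricata EVE JSON lines and Wazuh alerts.json lines, counts authentication failures per source IP (Wazuh tags those alerts with the authentication_failed rule group), and reports IPs that both tripped a network signature and exceeded a failed-login threshold. Both inputs are constructed sample lines shaped like the real files, including a non-alert flow record and a garbage line to show that they are skipped.

```python
"""Cross-correlate Suricata EVE alerts with Wazuh authentication failures by source IP.

Added example, not part of the tutorial or of Wazuh/Suricata. Both inputs below are
constructed sample lines shaped like Suricata's eve.json and Wazuh's alerts.json.
"""
import json
from collections import Counter, defaultdict

# Constructed Suricata EVE lines: two SSH-scan alerts from one IP, one policy alert from
# another, a non-alert "flow" record and a corrupt line (both must be ignored).
SAMPLE_EVE = """\
{"timestamp":"2024-03-10T02:14:07.123456+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.168.1.20","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}
{"timestamp":"2024-03-10T02:15:11.000000+0000","event_type":"flow","src_ip":"203.0.113.5","dest_ip":"192.168.1.20","proto":"TCP"}
{"timestamp":"2024-03-10T02:20:40.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.1.30","dest_port":443,"proto":"TCP","alert":{"signature":"ET POLICY Sample Policy Signature","severity":3}}
this line is truncated garbage and must be skipped
{"timestamp":"2024-03-10T02:31:02.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.168.1.20","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}
"""

# Constructed Wazuh alerts.json lines: four failed logins from 203.0.113.5, one from
# 198.51.100.7, and one unrelated file-integrity alert with no source IP.
SAMPLE_WAZUH = """\
{"timestamp":"2024-03-10T02:14:30.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"nas"},"data":{"srcip":"203.0.113.5","srcuser":"root"}}
{"timestamp":"2024-03-10T02:14:33.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"nas"},"data":{"srcip":"203.0.113.5","srcuser":"admin"}}
{"timestamp":"2024-03-10T02:14:36.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"nas"},"data":{"srcip":"203.0.113.5","srcuser":"pi"}}
{"timestamp":"2024-03-10T02:14:39.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"nas"},"data":{"srcip":"203.0.113.5","srcuser":"ubuntu"}}
{"timestamp":"2024-03-10T02:21:05.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"web"},"data":{"srcip":"198.51.100.7","srcuser":"root"}}
{"timestamp":"2024-03-10T02:25:00.000+0000","rule":{"level":7,"description":"Integrity checksum changed.","groups":["ossec","syscheck"]},"agent":{"name":"nas"},"syscheck":{"path":"/etc/hosts"}}
"""


def iter_json_lines(lines):
    """Yield parsed JSON objects, silently skipping blank or malformed lines
    (eve.json is written line-by-line and a partial last line is common)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def parse_eve_alerts(lines):
    """Map src_ip -> sorted unique alert signatures, ignoring non-alert event types."""
    sigs = defaultdict(set)
    for ev in iter_json_lines(lines):
        if ev.get("event_type") != "alert":
            continue
        src = ev.get("src_ip")
        sig = ev.get("alert", {}).get("signature")
        if src and sig:
            sigs[src].add(sig)
    return {ip: sorted(s) for ip, s in sigs.items()}


def count_auth_failures(lines):
    """Count Wazuh alerts in the authentication_failed rule group per source IP."""
    counts = Counter()
    for ev in iter_json_lines(lines):
        groups = ev.get("rule", {}).get("groups", [])
        src = ev.get("data", {}).get("srcip")
        if "authentication_failed" in groups and src:
            counts[src] += 1
    return counts


def correlate(eve_lines, wazuh_lines, min_failures=3):
    """IPs with at least min_failures failed logins that also raised a Suricata alert."""
    net = parse_eve_alerts(eve_lines)
    auth = count_auth_failures(wazuh_lines)
    hits = [
        {"ip": ip, "failed_logins": n, "signatures": net[ip]}
        for ip, n in auth.items()
        if n >= min_failures and ip in net
    ]
    return sorted(hits, key=lambda h: -h["failed_logins"])


if __name__ == "__main__":
    # Stand-alone run uses the constructed samples; swap in open(...) handles for the
    # real eve.json and /var/ossec/logs/alerts/alerts.json on your server.
    for hit in correlate(SAMPLE_EVE.splitlines(), SAMPLE_WAZUH.splitlines()):
        print(f"{hit['ip']}: {hit['failed_logins']} failed logins, "
              f"network alerts: {', '.join(hit['signatures'])}")
```

The threshold is deliberately a parameter: at min_failures=1 the policy alert from 198.51.100.7 also surfaces, which is the kind of noise the weekly tuning pass exists to filter out.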
Step 5: Threat-intel feeds
Wazuh’s CDB lists let you ingest IOC feeds and alert when any matches traffic or process telemetry. Free, useful feeds: URLhaus for malware URLs, FeodoTracker for botnet C2 IPs, ThreatFox for general IOCs. Set them to refresh hourly via cron.
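A CDB list is a plain text file of key:value lines under Wazuh's lists directory, so the hourly cron job is mostly a feed-to-list converter. The script below is an added example, not part of the tutorial or of Wazuh: it turns an IP blocklist CSV in the shape of the abuse.ch feeds into a CDB list, validating each IP, dropping duplicates and comment rows, and writing the file atomically so the manager never reads a half-written list. The FEED_URL, the list name feodo-c2 and the sample CSV rows are my own placeholders and constructed data, not feed content.

```python
"""Convert an abuse.ch-style IP blocklist CSV into a Wazuh CDB list file.

Added example, not part of the tutorial or of Wazuh. FEED_URL and the list name are
placeholders to replace; SAMPLE_CSV is constructed data in the shape of such a feed.
"""
import csv
import ipaddress
import os
import sys
import urllib.request

FEED_URL = "https://EXAMPLE-FEED-HOST/ipblocklist.csv"      # placeholder, not a real feed URL
CDB_PATH = "/var/ossec/etc/lists/feodo-c2"                  # hypothetical list name under Wazuh's lists dir

# Constructed sample rows (not real feed data); comment lines, a short junk row,
# a duplicate IP and an invalid IP are included to exercise the filtering.
SAMPLE_CSV = """\
# first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2024-03-01 10:00:00,203.0.113.5,443,online,2024-03-10,Dridex
2024-03-02 11:00:00,198.51.100.7,8080,offline,2024-03-05,Emotet
2024-03-02 11:30:00,203.0.113.5,443,online,2024-03-10,Dridex
not,a,valid,row
2024-03-03 12:00:00,999.1.1.1,80,online,2024-03-09,QakBot
"""

FIELDS = ["first_seen_utc", "dst_ip", "dst_port", "c2_status", "last_online", "malware"]


def parse_feed(text):
    """Return {ip: "malware/port"}; skips comments, malformed rows, invalid IPs and
    keeps the first occurrence of a duplicate IP."""
    entries = {}
    rows = (ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#"))
    for row in csv.DictReader(rows, fieldnames=FIELDS):
        try:
            ip = str(ipaddress.ip_address((row.get("dst_ip") or "").strip()))
        except ValueError:
            continue
        if ip in entries:
            continue
        malware = (row.get("malware") or "unknown").strip()
        port = (row.get("dst_port") or "").strip()
        entries[ip] = f"{malware}/{port}"
    return entries


def render_cdb(entries):
    """CDB lists are 'key:value' lines; sort by address family then address so the
    file diffs cleanly between refreshes."""
    def order(item):
        addr = ipaddress.ip_address(item[0])
        return (addr.version, addr)
    return "".join(f"{ip}:{val}\n" for ip, val in sorted(entries.items(), key=order))


def write_cdb(path, entries):
    """Write the list to a temp file and rename it into place (atomic on POSIX)."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(render_cdb(entries))
    os.replace(tmp, path)
    return len(entries)


def fetch_feed(url, timeout=30):
    """Download the feed text; only used when --fetch is given."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    if "--fetch" in sys.argv:
        # Cron usage: fetch the live feed and refresh the list on the manager.
        n = write_cdb(CDB_PATH, parse_feed(fetch_feed(FEED_URL)))
        print(f"wrote {n} entries to {CDB_PATH}")
    else:
        # Offline demonstration on the constructed sample.
        sys.stdout.write(render_cdb(parse_feed(SAMPLE_CSV)))
```

To use the list, reference it in the ruleset section of ossec.conf as <list>etc/lists/feodo-c2</list> and match it from a rule with <list field="srcip" lookup="address_match_key">etc/lists/feodo-c2</list>; the manager compiles the list on restart, so the cron job should restart it (or use the API reload) after a refresh that changed the file.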
Step 6: Notifications and weekly review
Configure Wazuh to email or post to Discord/Slack on level-12+ alerts only. Lower levels are too noisy for a one-person SOC. Block out 30 minutes every Sunday for a dashboard review: what fired, what was a false positive, which rules need tuning.
The first month is mostly tuning. By week six you have a stack that detects more than most SMBs that pay $50k a year for a managed product. The skills generalise to any larger SOC role. The peace of mind is real.
