Project Case Study

SOC Lab Setup – Proxmox + Wazuh (v1)

I built the foundation of a home SOC lab on a dedicated machine using Proxmox as the hypervisor and Wazuh as the SIEM. The goal was not just to get software installed. It was to build a segmented environment, troubleshoot the infrastructure issues that came up, and end with a working dashboard I can continue expanding with attacker, victim, and detection work.

Objective

Build a practical SOC lab environment that I can keep expanding over time. Version 1 focused on getting the core infrastructure in place: Proxmox, segmented networking, a Wazuh server, and a working dashboard. The point was to establish a real foundation first instead of trying to overbuild everything at once.

Core stack

  • Proxmox VE on a dedicated custom-built PC
  • Ubuntu Server 24.04 virtual machine for Wazuh
  • Wazuh all-in-one deployment
  • vmbr0 for management and internet access
  • vmbr1 for isolated internal lab traffic

What I built

  • Installed Proxmox directly on bare metal and configured a static management IP.
  • Created a real management bridge and a separate isolated lab bridge.
  • Uploaded the Ubuntu Server ISO into Proxmox storage and created a dedicated Wazuh VM.
  • Configured the Wazuh VM with two network interfaces: one for the lab network and one for internet and dashboard access.
  • Installed the Wazuh manager, indexer, and dashboard successfully.
  • Verified dashboard access from my laptop and logged into the platform successfully.

Issues I had to solve

This part mattered just as much as the final install. The project did not work cleanly on the first try, which made it more useful. I had to troubleshoot the environment the way I would on a real system instead of just following a guide blindly.

  • Proxmox initially landed on the wrong subnet and had to be reconfigured manually.
  • The server setup forced me to switch from a Wi-Fi-only office layout to a proper wired Ethernet connection.
  • The Ubuntu VM interfaces were down until I manually brought them up and corrected the network configuration.
  • DNS issues blocked package downloads and had to be fixed before the Wazuh install could proceed.
  • An older installer download returned XML / AccessDenied instead of a real shell script.
  • Ubuntu 24.04 required bypassing the installer compatibility check with --ignore-check.
  • I initially hit a 401 error because I entered the Wazuh IP incorrectly with the CIDR suffix still attached.
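The dual-NIC layout from the build list and the install-time checks behind the issues above, as an added shell example that is not part of this write-up or of the Wazuh or Proxmox tooling. The interface names ens18/ens19, the 10.10.10.0/24 lab range and the sample `ip -br link` output are constructed placeholders; take the real names from the VM before using the rendered config.

```shell
#!/bin/sh
# Added example, not from the original write-up or from Wazuh/Proxmox.
# Helpers for a dual-NIC Wazuh VM on Proxmox: one NIC on vmbr0 (management,
# internet), one on vmbr1 (isolated lab). Interface names, addresses and the
# sample command output are constructed placeholders.

# render_netplan MGMT_IF LAB_IF LAB_CIDR
# Prints a Netplan config: the vmbr0-side NIC uses DHCP and owns the default
# route and DNS; the vmbr1-side NIC gets a static address and no gateway, so
# lab traffic cannot leak out through the management bridge.
render_netplan() {
    cat <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    $1:
      dhcp4: true
    $2:
      dhcp4: false
      addresses:
        - $3
EOF
}

# down_interfaces < OUTPUT_OF_ip_br_link
# Reads `ip -br link` output from stdin and prints every interface whose
# operational state is DOWN, one per line (a NIC the installer cannot use).
down_interfaces() {
    awk '$2 == "DOWN" { print $1 }'
}

# looks_like_shell_script FILE
# Returns 0 if FILE begins with a shebang, 1 otherwise. An object-store error
# body (<?xml ... AccessDenied ...) saved under the installer's name is the
# case from the write-up; run this before handing a download to bash.
looks_like_shell_script() {
    case "$(head -n 1 "$1")" in
        '#!'*) return 0 ;;
    esac
    if grep -q -e '<?xml' -e 'AccessDenied' "$1"; then
        echo "$1: XML/AccessDenied error body, not an installer script" >&2
    fi
    return 1
}

# strip_cidr ADDR[/PREFIX]
# Prints the bare address. Pasting "10.10.10.5/24" where a host is expected
# (the dashboard URL, an agent's manager address) is what produced the 401.
strip_cidr() {
    printf '%s\n' "${1%%/*}"
}

# Constructed sample of `ip -br link` from the VM before the NICs were up.
SAMPLE_LINK_OUTPUT='lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
ens18            DOWN           bc:24:11:aa:bb:01 <BROADCAST,MULTICAST>
ens19            DOWN           bc:24:11:aa:bb:02 <BROADCAST,MULTICAST>'

# Usage when run directly: list the down NICs, render the config, clean the IP.
printf '%s\n' "$SAMPLE_LINK_OUTPUT" | down_interfaces   # ens18, ens19
render_netplan ens18 ens19 10.10.10.5/24
strip_cidr 10.10.10.5/24                                 # 10.10.10.5
```

The rendered config is only a starting point: write it to /etc/netplan/ on the VM, run `netplan apply`, and confirm with `ip -br addr` that only the vmbr0-side NIC received a default route. The shebang check is deliberately strict; a download that fails it should be inspected rather than re-run with a different flag.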

Why this project matters

This project shows more than software installation. It shows that I can work through infrastructure problems, fix networking, verify services, and document what happened clearly. That is the kind of work I want to keep building on as I expand the lab into a fuller SOC environment with monitored endpoints, attack simulation, and incident documentation.

Build Breakdown

Version 1 architecture and process

The lab was designed around a simple structure: one bridge for real access and one bridge for isolated internal traffic. That gives me a clean base to add monitored endpoints and attacker systems next.

Step 1

Proxmox foundation

Installed Proxmox on bare metal, corrected the subnet mismatch, and established a stable wired connection so the hypervisor could function properly as a real server instead of a temporary desktop setup.

Step 2

Network segmentation

Built vmbr0 for management and internet traffic and vmbr1 for the isolated lab. This keeps the project clean and makes later victim and attacker machines easier to separate.

Step 3

Wazuh virtual machine

Created a dedicated Ubuntu Server VM with dual NICs so it could talk to the internal lab while still being reachable for dashboard access and package installation.

Step 4

Troubleshooting and install

Solved NIC, DNS, and installer issues, verified running services, and confirmed that the dashboard was available and usable from the browser.

Evidence

Proof snapshots

These screenshots show the network setup, Ubuntu ISO upload, Wazuh VM hardware configuration, and final Wazuh login and dashboard access.

  • Proxmox network configuration with management and isolated lab bridges (screenshot of the Proxmox network page showing vmbr0 and vmbr1 configured).
  • Ubuntu Server ISO uploaded to Proxmox and ready for VM deployment (screenshot of the ISO in Proxmox storage).
  • Wazuh VM configured with both vmbr0 and vmbr1 network interfaces (screenshot of the VM hardware tab showing the dual NICs).
  • Wazuh login and dashboard access after the installation and networking issues were resolved (screenshot of the login screen and working dashboard).

Next Stage

What comes next

Victim machine

Add a monitored Ubuntu endpoint and register it with Wazuh as an agent.

Attacker machine

Deploy a Kali VM inside the isolated network for controlled lab testing.

Detection and reporting

Begin attack simulation, log collection, and incident reporting based on actual lab events.