Proxmox Lab: SIEM Environment

Project Tree / Roadmap

Environment Setup

Host: Spare laptop • Hypervisor: Proxmox VE

Initial install completed with base configuration for network, storage, and web GUI access.

Install Proxmox & Node

Figure: Proxmox overview (node, VM, local network, storage) from the initial setup.

Non-root Administrative User (Least Privilege)

Objective

Create a non-root administrative user secadmin@pve for daily management tasks, following least-privilege practices.

Steps

  1. Create User
    Path: Datacenter → Permissions → Users → Add
    Params: Username secadmin • Realm pve • Enabled ✅ • Strong password set.
    Result: secadmin@pve created.
  2. Assign Role (ACL)
    Path: Datacenter → Permissions → Add → User Permission
    Params: Path / (cluster-wide) • User secadmin@pve • Role PVEAdmin (VM/storage/network mgmt; not root host control).
    Result: Cluster-wide PVEAdmin rights.
  3. Verification
    Logged out and back in as secadmin@pve; confirmed ability to manage VMs, storage, networks.

System-Level Note

Virtual Networking

Objective

Simulate a corporate environment with bridges:

Steps

  1. Verify Existing Network
    Host NIC: enp3s0 (wired).
    vmbr0 bound to enp3s0, IP 192.168.2.10/24.
  2. Create Internal Bridge (vmbr1)
    As root@pam: Path Datacenter → pve01 → System → Network → Create → Linux Bridge.
    Params: Name vmbr1 • Bridge ports: empty • IPv4/CIDR: empty • Autostart ✅.
    Result: vmbr1 created, Active = Yes.

Network Design

Deployment of the VM for the Wazuh Environment

Base VM to host the Wazuh SIEM (VM 100).

Ubuntu VM Deployment

  1. ISO: Ubuntu Server 22.04 LTS uploaded to local → ISO Images.
  2. Create VM: Path Datacenter → pve01 → Create VM
    VM ID 101 • Name wazuh-siem • OS: Linux (ubuntu-22.04-server.iso)
    System: BIOS SeaBIOS, Machine i440fx, SCSI Ctrl VirtIO SCSI single
    Disk: 80 GB VirtIO on local-lvm • CPU: 2 cores • RAM: 6 GB
    NICs: NIC1 → vmbr0 (LAN/Internet), NIC2 → vmbr1 (added post-install).
  3. Ubuntu Install: Defaults for locale/storage; NIC1 DHCP; NIC2 unconfigured; created user with strong password; installed OpenSSH Server; skipped snaps.

SIEM VM Network Configuration

Objective

Dual-home the SIEM:

Steps

  1. Verify Interfaces
    ip a

    ens18: DHCP lease 192.168.2.155/24; ens19: DOWN, no IP.

  2. Netplan Config
    sudo nano /etc/netplan/01-netcfg.yaml
    network:
      version: 2
      ethernets:
        ens18:        # LAN NIC (vmbr0)
          dhcp4: true
        ens19:        # Lab NIC (vmbr1)
          addresses:
            - 10.10.10.1/24
    
  3. Apply & Verify
    sudo netplan apply
    ip a

    ens18: DHCP 192.168.2.x; ens19: static 10.10.10.1/24.

Notes

Wazuh GPG Key Import – Error & Fix

The GPG key is required so that apt can verify that packages from the Wazuh repository are authentic and untampered before installation.

Objective

Place Wazuh GPG key at /usr/share/keyrings/wazuh.gpg prior to repo setup.

Issue

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | \
gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && \
chmod 644 /usr/share/keyrings/wazuh.gpg

gpg: failed to create temporary file '/usr/share/keyrings/...': Permission denied
gpg: keyblock resource '/usr/share/keyrings/wazuh.gpg': Permission denied
gpg: no writable keyring found: Not found
gpg: import from [stdin] failed: General error
gpg: Total number processed: 0

Root Cause

gpg was run with sudo, but the keyring write did not happen as root: the process writing /usr/share/keyrings/wazuh.gpg had no privilege under /usr/share/keyrings/, so the import failed with Permission denied.

Resolution

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor | sudo tee /usr/share/keyrings/wazuh.gpg > /dev/null
sudo chmod 644 /usr/share/keyrings/wazuh.gpg

Using tee under sudo ensures the file is written by a root process. Shell redirection (>) is performed by the calling, unprivileged shell, which is why a `sudo gpg ... > file` style command fails; sudo tee opens the destination as root, so the redirection permission issue never arises.

tee also copies its input to stdout; > /dev/null discards that copy so the binary key is not dumped to the terminal.

Verification

ls -l /usr/share/keyrings/wazuh.gpg
# -rw-r--r-- 1 root root <size> /usr/share/keyrings/wazuh.gpg
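As an added check (not part of the original lab notes), a small POSIX-shell function that automates the verification above: it confirms the keyring is a non-empty regular file, owned by the expected user, mode 644, and dearmored (binary, not ASCII-armored). The path and expected owner are parameters so it can be run against a scratch file; stat -c assumes GNU coreutils, as on the Ubuntu VM.

```shell
#!/bin/sh
# Added example (not from the lab notes): sanity-check a keyring placed under
# /usr/share/keyrings before pointing an apt source at it with signed-by=.
# Assumes GNU stat (Linux). Usage: check_keyring PATH EXPECTED_OWNER

check_keyring() {
    path=$1; owner=$2
    # Must exist and actually contain data: an empty file means the
    # curl | gpg | tee pipeline wrote nothing (e.g. a failed download).
    [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
    [ -s "$path" ] || { echo "empty: $path (pipeline wrote nothing?)" >&2; return 1; }
    # Ownership: the file should belong to root when written via sudo tee.
    actual_owner=$(stat -c '%U' "$path")
    [ "$actual_owner" = "$owner" ] || { echo "owner $actual_owner, want $owner" >&2; return 1; }
    # Mode 644: world-readable for apt, writable only by the owner.
    mode=$(stat -c '%a' "$path")
    [ "$mode" = "644" ] || { echo "mode $mode, want 644" >&2; return 1; }
    # An armored key starts with "-----BEGIN PGP"; the step above expects the
    # dearmored form, so flag a file that skipped gpg --dearmor.
    if head -c 14 "$path" | grep -q '^-----BEGIN PGP'; then
        echo "ASCII-armored: pipe through gpg --dearmor" >&2; return 1
    fi
    return 0
}

# Stand-alone use: ./check_keyring.sh /usr/share/keyrings/wazuh.gpg root
if [ $# -eq 2 ]; then
    check_keyring "$1" "$2" && echo "keyring OK: $1"
fi
```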

Notes

Next Up