Building a Zero-Budget Security Operations Center for an RV DealershipBuilding a Home SOC with Wazuh on Proxmox

This project documents the design, deployment, and ongoing operation of a production Security Operations Center (SOC) built for the RV dealership where I work. My goal was to improve security visibility across the organization’s infrastructure by centralizing logs from Windows systems, Linux servers, Microsoft 365, and network devices into a single monitoring platform. Working with a zero-dollar hardware budget, I repurposed a nine-year-old Dell OptiPlex, deployed Wazuh on Ubuntu Server, and later virtualized the environment with Proxmox to improve reliability, simplify backups, and support long-term maintenance.

Today, the platform remains in daily use, providing centralized monitoring, automated vulnerability reporting, and security notifications—including VPN login activity—that help support day-to-day IT operations and strengthen the organization’s overall security posture.

Project Snapshot

Project TypeProduction Security Operations Center (SOC)
OrganizationRV Dealership
Primary SIEMWazuh
Operating SystemUbuntu Server LTS
Virtualization PlatformProxmox VE
Host HardwareRepurposed 9-year-old Dell OptiPlex
Budget$0 (Repurposed hardware and open-source software)
Monitored SystemsWindows workstations, Windows Server, Linux servers
Integrated ServicesMicrosoft 365, Active Directory, FortiGate Firewall, Zeek
Current StatusProduction environment in daily use

Business Challenge

The RV dealership’s IT environment consists of Windows workstations, Windows Server, Active Directory, Microsoft 365, Linux servers, and FortiGate firewalls. Each of these systems generates valuable security and operational data, but before this project there was no centralized platform for collecting, correlating, and analyzing those events.

When troubleshooting an issue or investigating suspicious activity, information had to be gathered from multiple sources. Windows Event Viewer, firewall logs, Microsoft 365 audit records, and Linux system logs all had to be reviewed independently, making it difficult to see the complete picture of what was happening across the environment.

At the same time, the project had to be completed without purchasing new hardware or additional software licenses. The solution needed to leverage existing Microsoft 365 licensing, open-source technologies, and repurposed hardware while remaining reliable enough to support day-to-day operations.

The goal was to build a centralized Security Operations Center that could provide meaningful visibility into the organization’s infrastructure, improve incident response, simplify troubleshooting, and support proactive security monitoring—all while operating within a zero-dollar hardware budget.

Project Objectives

Before selecting technologies or deploying servers, I established a clear set of objectives for the project. The goal was not simply to install a SIEM, but to create a practical security monitoring platform that would provide immediate value while serving as a foundation for future improvements.

The project objectives were to:

  • Centralize security logs from Windows, Linux, Microsoft 365, and network devices.
  • Improve visibility into authentication activity, endpoint events, and network traffic.
  • Receive automated notifications for security events, including VPN logins and vulnerability reports.
  • Reduce the time required to investigate incidents by correlating events from multiple systems.
  • Build a solution using repurposed hardware and open-source software to eliminate additional infrastructure costs.
  • Virtualize the environment to simplify backups, maintenance, and disaster recovery.
  • Create a scalable platform capable of integrating additional technologies as the environment evolves.
  • Gain practical, hands-on experience designing, deploying, and operating a production Security Operations Center.

These objectives guided every major decision throughout the project and ensured that each new capability delivered measurable value to the organization rather than simply adding another technology to the environment.

                           Microsoft 365
                                 │
                                 ▼
+----------------+      +------------------+      +------------------+
| Windows PCs    |----->|                  |<-----|  Linux Servers   |
+----------------+      |                  |      +------------------+
                        |      Wazuh       |
+----------------+----->| Manager/Indexer  |<-----+------------------+
| Windows Server |      |    Dashboard     |      | FortiGate        |
| Active Dir.    |      |                  |      +------------------+
+----------------+      +------------------+
                                 ▲
                                 │
                          +--------------+
                          |     Zeek     |
                          +--------------+
                                 │
                                 ▼
                     Email Alerts & Dashboards
                   • Vulnerability Reports
                   • VPN Login Notifications
                   • Security Monitoring

Solution Overview

The solution was designed around a centralized architecture that collects security events from endpoints, servers, cloud services, and network infrastructure into a single platform for analysis. Rather than relying on individual management consoles and log files, Wazuh became the primary source for monitoring, correlation, and investigation.

The initial deployment was built on Ubuntu Server using repurposed hardware, providing a stable foundation for the Wazuh Manager, Indexer, and Dashboard. As the environment expanded, additional integrations—including Active Directory, Microsoft 365, FortiGate, and Zeek—were incorporated to increase visibility across the organization’s infrastructure.

To improve resilience and simplify maintenance, the platform was later migrated to Proxmox. Virtualization introduced snapshot capability, simplified backups, and provided greater flexibility for future upgrades while preserving the production environment.

Building the Foundation

With the project objectives established, the next step was selecting a platform that could deliver enterprise capabilities while staying within the project’s zero-dollar budget. Rather than purchasing new equipment, I repurposed a nine-year-old Dell OptiPlex that had been retired from production. Although no longer suitable as a primary workstation, it still offered more than enough performance to host a modern security monitoring platform.

Ubuntu Server LTS was selected as the operating system because of its stability, long-term support, and extensive documentation. Its broad community support and compatibility with Wazuh made it a practical choice for a production deployment.

The initial environment was deployed directly on physical hardware to establish a stable baseline. Once the operating system was configured with a static IP address, secure remote administration, and system updates, Wazuh was installed and validated. This provided the core services required to begin onboarding systems and collecting security events.

Rather than attempting to integrate every data source immediately, the platform was built incrementally. Each new capability was added only after the previous one had been validated, creating a stable foundation that could be expanded over time.

Expanding Visibility

With the Wazuh platform operational, the focus shifted to increasing visibility across the organization’s infrastructure. Windows workstations, Windows Server, and Linux systems were enrolled as managed endpoints, allowing security events to be collected and analyzed from a centralized location.

As additional systems were onboarded, the value of centralized logging became increasingly apparent. Authentication events, application logs, system changes, and endpoint activity could now be viewed together rather than investigated individually on each device.

To improve usability, custom rules and alert tuning were introduced to reduce unnecessary noise and highlight events that required attention. Instead of generating large volumes of generic alerts, the platform evolved into a more focused monitoring solution capable of surfacing meaningful security events while minimizing false positives.

Integrating Cloud and Network Security

After endpoint monitoring was established, the project expanded beyond traditional operating system logs. Microsoft 365 was integrated to provide visibility into cloud-based activity, while FortiGate firewall logs and Zeek network telemetry added insight into network communications and perimeter events.

Bringing these technologies together created a more complete view of the environment. Rather than examining isolated logs from individual platforms, related events could be investigated within a single interface, making it easier to understand how activity on one system related to another.

This stage of the project also required troubleshooting authentication, permissions, log ingestion, and configuration challenges. Solving those issues proved just as valuable as the successful integrations themselves, reinforcing the importance of understanding how each technology fits into a broader security architecture.

From Physical to Virtual

As the environment matured, virtualization became the logical next step. The Wazuh deployment was migrated from physical hardware to Proxmox, allowing the platform to benefit from virtual machine snapshots, simplified backups, improved resource management, and easier recovery during maintenance or upgrades.

The migration also created a more flexible environment for future growth. New services could be deployed as virtual machines without requiring additional hardware, making it easier to expand the platform while continuing to operate within the project’s original budget constraints.

Moving to Proxmox transformed the project from a standalone server into a maintainable infrastructure platform capable of supporting long-term operational needs.

Operational Results

The completed platform is now used as part of day-to-day IT operations at the RV dealership. Centralized monitoring provides improved visibility across Windows systems, Linux servers, Microsoft 365, firewall activity, and network telemetry, allowing security events to be reviewed from a single dashboard.

Automated email notifications deliver scheduled vulnerability reports and alerts for important events such as VPN logins, reducing the need for manual log reviews and improving awareness of activity across the environment.

Beyond security monitoring, the project has also become a valuable operational tool. Centralized logging simplifies troubleshooting, provides historical context during investigations, and supports informed decision-making when responding to system issues or potential security events.

Lessons Learned

This project reinforced that deploying a SIEM is only the beginning. The greatest value comes from continuously refining the platform through alert tuning, integrating additional data sources, improving operational workflows, and maintaining the environment over time.

Working through configuration challenges, infrastructure migrations, and production troubleshooting provided experience that cannot be gained from installation guides alone. Every obstacle improved my understanding of Linux administration, virtualization, security monitoring, authentication, and enterprise infrastructure design.

Perhaps the most important lesson was that meaningful cybersecurity improvements do not always require significant financial investment. By combining repurposed hardware, open-source software, and existing organizational resources, it was possible to build a production Security Operations Center that continues to deliver measurable value without increasing infrastructure costs.

Technologies Used

  • Wazuh
  • Ubuntu Server LTS
  • Proxmox VE
  • Microsoft 365
  • Active Directory
  • Windows Server
  • Windows 11
  • Linux
  • FortiGate Firewall
  • Zeek
  • LDAP
  • SSH

Related Articles

Future Documentation

This project is supported by a growing collection of technical articles that document the individual components and lessons learned throughout the deployment. As these guides are completed, they will be linked here.

Planned topics include:

  • Installing Wazuh on Ubuntu Server
  • Deploying Windows and Linux Agents
  • Integrating Microsoft 365 with Wazuh
  • Collecting FortiGate Firewall Logs
  • Deploying Zeek for Network Visibility
  • Virtualizing Wazuh with Proxmox
  • Creating Custom Detection Rules
  • Backup and Disaster Recovery
  • Maintaining a Production Wazuh Environment

Conclusion

Building this Security Operations Center was far more than an exercise in installing software. It was an opportunity to design, deploy, operate, and continuously improve a production security monitoring platform that supports a real business environment. By combining open-source technologies, repurposed hardware, and careful planning, the project demonstrates that enterprise-style security capabilities can be achieved without a large infrastructure budget while providing lasting operational value.

Similar Posts