Ollama + APIs: My First Real AI Integration

I have used AI tools before. But this post is about the first time I actually integrated AI into an app and felt the whole thing click.
Not just “ask a model a question.” I mean an API that uses a model and does something useful with it.

The two pieces that made it real for me:

• Ollama for local models
• APIs to make the AI actually useful inside a system

This is not a step-by-step tutorial. It is a learning story, what worked, what broke, and how it finally came together.

Why Ollama?

I wanted something local, fast, and easy to swap models without rebuilding my entire app.

Ollama gave me:

• Local inference without a monthly bill
• Simple model switching
• A clean REST API I could hit from anything

Bonus: If you are already building tooling or demos, having the model local means you control latency, limits, and privacy.

I know there are solid commercial options too: AWS Bedrock, Azure OpenAI, OpenAI’s APIs, Anthropic, and more. Those are great when you need scale, managed infra, or compliance. I picked Ollama for this project because I wanted to learn the integration flow without burning credits, and I wanted full control over the models and the data path. Also because my GPU could actually run it without sounding like a jet engine (for once).

The mental model that helped me

I stopped thinking “chatbot.”
I started thinking “AI as a function in a system.”

Your API takes inputs, runs logic, calls Ollama, and returns something useful.

That is the entire loop.

Here is a plain example that made it click for me:

• Input: raw log snippet + a short user question
• API: adds context (service name, environment, expected format)
• Output: a clean JSON response I can actually use in an app

For example, instead of asking a vague question, I pass a tiny contract like this:

1
2
3
4

Role: SOC analyst
Task: Summarize this alert and recommend next steps.
Constraints: No guessing. Use only the provided log.
Output: JSON with keys: summary, severity, next_steps

Now I can plug the output into a UI, ticket, or report without manual cleanup.

Minimal setup I used

• Ollama running locally
• A tiny Python API
• requests to call the model endpoint
• JSON response back to the client

Start Ollama

I run it as a systemd service instead of launching it manually.

1

sudo systemctl enable --now ollama

Pull a model:

1

ollama pull llama3

Run a quick test:

1

ollama run llama3

The API call (this is the moment it clicked)

Ollama exposes a simple API. You just POST a prompt.

1
2
3
4

curl http://localhost:11434/api/generate -d '{
  "model": "llama3",
  "prompt": "Explain NAT like I am debugging a reverse shell."
}'

It returns a stream of JSON. If you want a single response, add:

1

"stream": false

My tiny Python API (trimmed down)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

from flask import Flask, request, jsonify
import requests

app = Flask(__name__)

@app.post("/ask")
def ask():
    payload = request.get_json(silent=True) or {}
    prompt = payload.get("prompt")
    if not prompt:
        return jsonify({"error": "Missing prompt"}), 400

    response = requests.post(
        "http://localhost:11434/api/generate",
        json={
            "model": "llama3",
            "prompt": prompt,
            "stream": False
        },
        timeout=60
    )
    data = response.json()
    return jsonify({"answer": data.get("response", "")})

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=3000, debug=False)

Now you have a real API endpoint that uses AI.
No magic. Just a normal service that happens to be powered by a model.

Why Structure Matters

Here is a quick before/after that shows why structure matters:

Before (messy):

1

Explain this log and tell me what to do.

After (usable):

1
2
3
4

Role: Incident responder
Task: Summarize this log and list 3 next steps.
Constraints: Keep it under 60 words.
Output: JSON keys: summary, next_steps

Summary Example

Input data (from your system):

1
2
3
4

2025-12-29T08:41:12Z web01 nginx[4132]: 192.0.2.14 - - "POST /login HTTP/1.1" 401 612 "-" "Mozilla/5.0"
2025-12-29T08:41:18Z web01 nginx[4132]: 192.0.2.14 - - "POST /login HTTP/1.1" 401 612 "-" "Mozilla/5.0"
2025-12-29T08:41:24Z web01 nginx[4132]: 192.0.2.14 - - "POST /login HTTP/1.1" 401 612 "-" "Mozilla/5.0"
2025-12-29T08:41:31Z web01 nginx[4132]: 192.0.2.14 - - "POST /login HTTP/1.1" 401 612 "-" "Mozilla/5.0"

Structured prompt you send to Ollama:

1
2
3
4
5
6
7
8

Role: Security analyst
Task: Summarize the activity and recommend next steps.
Context: These are auth failures on a public web app.
Constraints: No guessing. Use only the log lines. Keep it concise.
Output: JSON with keys: summary, severity, indicators, next_steps

Logs:
<paste logs here>

Why this works:

• The role sets the tone (security analyst, not “creative writer”).
• The context removes ambiguity (auth failures on a public app).
• Constraints reduce hallucination (only log lines).
• The output contract makes the response machine-friendly.

Example response you can actually use:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

{
  "summary": "Four failed login attempts from 192.0.2.14 to /login within 20 seconds.",
  "severity": "low",
  "indicators": ["192.0.2.14", "/login", "401"],
  "next_steps": [
    "Check if the IP repeats across other hosts or time windows.",
    "Review account lockout policy for repeated failures.",
    "Add the IP to a temporary watchlist if failures continue."
  ]
}

Now your API can return this JSON straight into a ticketing system, a dashboard, or a Slack alert without hand-editing.

What I learned the hard way

• You need structure. Raw model text is messy. I started wrapping prompts with output requirements and it got way better.
• Latency matters. Even local models can feel slow if you do not manage prompt size.
• Security is still security. This is still an API. Validate inputs, rate limit, log requests.

AI does not replace good engineering. It just adds a powerful function call in the middle.

Practical use cases I am building next

• Summarize logs into incident notes
• Auto-tag security alerts
• Generate draft incident reports
• Turn raw terminal output into explanations for non-technical teams

These are not “chatbot” tasks. They are workflow tasks.

Final thoughts

This was the first time I felt like AI was not a toy but a real system component.
Ollama made it local and easy. The API made it usable.

If you are learning AI integration, my honest advice is:

• Build something small
• Make it usable
• Then make it smarter

Because once AI becomes an API, you can wire it into anything.

If you want to compare notes or want help debugging your integration, reach out. I am still learning too, and that is the fun part.

This whole thing started because I kept telling myself I would learn ML one day. And one day never comes when you wait for the perfect idea. So I forced myself to build something so stupid simple that I couldn’t run away from it.

Turns out, that worked.

What I wanted to build

I wanted a model that takes a password and predicts whether it is strong or weak based on its structure. Nothing about leaks, entropy, breached databases or cracking times. Just pure structural features, built on Jupyter Notebook.

I kept it simple and picked four things to analyse:

• length
• uppercase letters
• digits
• symbols

The idea was to convert each password into a set of numerical features like:

length, has_uppercase, has_digit, has_symbol

So a password like Abc123!@ becomes something like 8, 1, 1, 1.

Creating rules that didn’t fight me

This was the hardest part. Not the ML. Not the code. Just defining what I believe a strong password is.

At first I made the rule way too strict and then changed it repeatedly. That made the dataset contradictory and the model learned nonsense. Eventually I locked in what actually made sense:

• Password must be at least 8 characters long
• And it must have at least 2 out of these 3:
  • uppercase
  • digit
  • symbol

So something short like 8B$ is weak even though it has good complexity. And something long like averystrongpassword is weak because it has no variety. Finally, the rules aligned with my intuition.

Writing the labeler function

I wrote a tiny function that checks each password and turns it into a 0 or 1 based on the rules.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

def is_strong(pw: str) -> int:  
	length_ok = len(pw) >= 8  
	has_upper = any(c.isupper() for c in pw)  
	has_digit = any(c.isdigit() for c in pw)  
	has_symbol = bool(re.search(r'[^A-Za-z0-9]', pw))
	
	if not length_ok:
	    return 0

	complexity_score = (
	    int(has_upper) +
	    int(has_digit) +
	    int(has_symbol)
	)
	
	return int(complexity_score >= 2)

Once I had this, I relabeled my dataset and everything started behaving predictably.

Turning passwords into features

My extractor function was tiny too:

1
2
3
4
5
6
7

def extract_features(pw):  
	length = len(pw)  
	has_upper = int(any(c.isupper() for c in pw))  
	has_digit = int(any(c.isdigit() for c in pw))  
	has_symbol = int(bool(re.search(r'[^A-Za-z0-9]', pw)))  
	
	return [length, has_upper, has_digit, has_symbol]

This gave me clean numerical data I could feed into scikit learn.

Training the model

After that, the ML part was almost boring. In a good way.

1
2

model = LogisticRegression()  
model.fit(X_train, y_train)

I evaluated it with classification_report and it performed exactly how you’d expect on such a tiny dataset. Not perfect, but good enough to prove that:

• my labels made sense
• my features were consistent
• the model actually learned the pattern instead of memorising random junk

What I learned

Honestly, the biggest lesson wasn’t about ML. It was about myself.

• I overthink everything when I try to learn something new
• Simple models are the best place to start
• Jupyter notebooks make experimentation painless
• ML is not scary once you run a full cycle end to end
• A small dataset is actually a blessing when you’re trying to understand the process

This little password strength classifier is nowhere near real world use cases, but it taught me how ML actually works instead of how it works in theory.

What’s next

I might expand it with more features like:

• checking for dictionary words - because seclists is very beefy
• repeated patterns
• keyboard adjacency
• entropy approximations

But I’ll do it one step at a time. The whole point of this exercise was to stop trying to build the final boss on day one.

And honestly, making this tiny password checker did more for my ML understanding than any tutorial ever has.

Every car hacking tool I have come across required expensive ECUs, adapters or even full test benches. Having worked with test cars before, I got an insight into how time consuming and expensive, if not difficult it is to set a working HIL (Hardware-In-Loop) setup. I didn’t want to wait for hardware to understand how automotive networks behave - I wanted to simulate it.

So, I built my own virtual car hacking network using Linux tools, a bit of Python, and some creative problem solving.

Background

Automotive Cybersecurity is fascinating. Being extremely niche, it isn’t the first thing that comes to mind when someone thinks of cybersecurity. They imagine computers, massive server farms and a network that connects them all. But what is a modern car, if not a network of highly powerful computers, on wheels.

Working with cars as a pentester has had me dealing with security at the intersection of software and hardware - but I wanted to explore the same logic on my own terms.

A vehicle’s network is split into three specific interfaces:

1. CAN (Controller Area Network) - the most widely used
2. LIN (Local Interconnect Network) - for low-speed/low-cost devices
3. Automotive Ethernet (100BASE-T1, 1000BASE-T1, etc.) - higher bandwidth, growing adoption

Infotainment Systems, Sensors, ECUs, they all talk over these buses. Setting these up requires a lot of specialized hardware and software. This includes purchasing an expensive license with the already expensive hardware which is designed to simulate and control such networks. (Yes Vector, I’m talking about you). These tools are brilliant, but they’re practically out of reach when you’re hacking solo and not backed by a corporation.

So: emulate it.

The Idea

If network penetration testers can simulate servers and routers, why can’t car hackers simulate ECUs? After all, ECUs are basically computers that run a specific piece of software or a specific operating system on them, designed to only perform specific tasks.

In a world where we have virtual machines helping us run multiple computers on one, I started brainstorming if it was possible to create ECUs digitally, without all the fancy expensive hardware. What would you possibly need? GPS? Wi-Fi? Bluetooth? A platform to run apps and scripts? A logger? All of this already exists on a standard laptop. The only thing that stood out to me was the communication interfaces. CAN is not used anywhere apart from automotive networks. Neither is LIN or 100Base-T1 (Automotive Ethernet for a reason). This made me research even more. What could possibly help me simulate CAN?

“If there’s a will, there is a way.” ~ some wise person

The Build

After a bit of research, I came across SocketCAN. It’s a Linux kernel subsystem that exposes CAN interfaces like any other network device. Think CAN, but now it runs pretty much anywhere. It allows us to create virtual CAN interfaces on Linux, or connect to physical CAN networks present on an actual car.

It doesn’t have anything to do with what flavour you choose as it is built into the kernel. It is only a matter flipping the switch and enabling it:

1

sudo modprobe vcan

This will help enable the vcan (virtual CAN) interface module.

After this, you can create the virtual CAN interface:

1

sudo ip link add dev vcan0 type vcan

1

sudo ip link set up vcan0

Run this to confirm if you’ve got it:

1

ifconfig

1
2
3
4
5
6

vcan0: flags=193<UP,RUNNING,NOARP>  mtu 72
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

And voila! You now have a virtual CAN interface, ready to read and transmit CAN frames.

Sending packets

What’s the point of creating an interface if you’re not going to use it? To send packets on this interface, we have a set of can tools that you can install on pretty much any Linux machine as well.

I use the Blackarch repository on my Arch Linux machine. If you’re on Debian, you can use Kali Linux’s repository for the same. Both of them contain the package we want to install.

Fedora users please don’t come after me

Arch Linux:

1
2

sudo pacman -Syu
sudo pacman -S can-utils # tools for working with CAN

Debian:

1
2

sudo apt-get update && apt-get upgrade
sudo apt-get install can-utils

This will give you access to these tools:

1. candump
2. cansend
3. canplayer
4. cansniffer

…and more.

To send packets on the virtual bus (vcan0), use this command:

1

cansend vcan0 123#AABBCCDDEEFF

If it doesn’t output anything, congratulations! You’ve sent your first CAN frame using Linux!

But… how do we know that it got sent? We can use candump, which continuously listens for any CAN messages being transmitted on the bus you specify to it as an argument.

1

candump vcan0

While this is running, send the example CAN frame with cansend from another terminal again. This time, you’ll see it pop up on the listener as a properly formatted CAN frame:

1

vcan0  123   [6]  AA BB CC DD EE FF

Brilliant. You’ve now mastered the art of sending CAN frames on a bus using Linux, and only Linux.

What makes this fun is you can also build your own custom logger and transmitter using Python, with the python-can library. It can both send and listen for CAN frames on any CAN interface.

Here’s one if you want to try it out:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

#!/usr/bin/env python3
import can
import time
import threading

def receiver(bus):
    """Receive and print CAN messages."""
    print("[Receiver] Listening for CAN messages...")
    for msg in bus:
        print(f"[Received] ID: {msg.arbitration_id:#04x}, Data: {msg.data.hex().upper()}")

def sender(bus):
    """Send CAN messages periodically."""
    print("[Sender] Starting message transmission...")
    msg = can.Message(arbitration_id=0x123, data=[0x11, 0x22, 0x33, 0x44], is_extended_id=False)
    while True:
        try:
            bus.send(msg)
            print(f"[Sent] ID: {msg.arbitration_id:#04x}, Data: {msg.data.hex().upper()}")
            time.sleep(1)
        except can.CanError:
            print("[Error] Message not sent")

def main():
    # Connect to virtual CAN interface
    bus = can.interface.Bus(channel="vcan0", bustype="socketcan")

    # Start receiver in background thread
    recv_thread = threading.Thread(target=receiver, args=(bus,), daemon=True)
    recv_thread.start()

    # Start sending messages
    sender(bus)

if __name__ == "__main__":
    main()

This simple program lets you prototype virtual ECUs that send/receive frames — perfect for building test scenarios.

Reflection

My reflection on this piece of work includes this:

1. If I create ECUs built on either C or C++, using the same logic that a standard ECU would, I could have it generate CAN frames for specific functions and accept CAN frames to perform specific functions. This completely virtualizes the test bench and makes it portable.
2. The presence of Python (python-can) allows us to craft custom CAN packets, which opens doors to creating a fuzzer that mutates CAN frames randomly.
3. All of this put together gives us a basic, but robust virtual car, which can be used to practice pentesting and diagnostics(Enter, UDS).
4. I can safely test security features without messing with actual hardware(did I tell you it was very expensive?).
5. I can practice IDS detection in Wazuh or Suricata by integrating the CAN logs.
6. Train myself and others without physical ECUs.

Hacking isn’t about fancy gear. It’s about creativity. By virtualizing this challenge, I learned more about CAN networks, Linux Networking, and the hacker mindset in itself.

If you are into automotive cybersecurity but don’t know where to start, start by simulating - the best labs are the ones you build yourself.

What’s Next?

1. Create an instrument cluster/infotainment system next and connect it to my virtual network to simulate a more complete in-vehicle setup.
2. Setup UDS (Unified Diagnostics Services) request/response handling in a virtual ECU

Thanks for reading — I’ll keep posting updates as I build the next pieces (infotainment mock, UDS handlers, and a tiny fuzzer). If you want the example scripts or a reproducible repo structure, tell me and I’ll publish them on GitHub.

So, you wanna be a hacker?

Cool. I did too. I jumped into Kali, sprayed tools, and followed tutorials like a robot. Things worked, but I could not explain why. That was my first big lesson: without networking, most of security looks like magic. No magic here. Just packets, addresses, ports, and paths.

The moment it clicked

I kept asking myself:

• Why does a reverse shell call me back and not the other way around?
• What does netstat -tunlp actually show me?
• Why does ping sometimes fail even though the server is up?

The answer was not a broken tool. It was me not understanding the path the packets had to travel.

Learn these first

These are the pieces that changed my life in pentests and CTFs.

🔌 The OSI model

Think of it as a map. If you know the layer, you know where to debug.
If you want to explore it in depth, check out:

• Cisco OSI Model Overview
• Packet Traveling Series by Practical Networking

Real world hints by layer:

• L1 Physical - bad cable, wrong interface, Wi-Fi channel noise. If link lights are off, stop blaming the firewall.
• L2 Data Link - ARP and MAC. ARP spoofing lives here. If you see duplicate IP warnings, check the ARP table with ip neigh.
• L3 Network - IP and routing. If 192.168.1.10 cannot reach 192.168.2.10, you likely need a router or a route.
• L4 Transport - TCP vs UDP. TCP handshake fails means no state created on the server. SYNs leaving but no SYN ACK returning usually means a path or filter issue.
• L5 Session - long lived connections. If a VPN drops every 30 minutes, look for session timers.
• L6 Presentation - certs and encodings. TLS errors like unsupported protocol live here.
• L7 Application - HTTP, DNS over HTTPS, SMTP. If the app returns 200 but nothing changes, it is probably an app logic bug, not the network.

🌐 IP addressing and subnetting

You do not need to be a human subnet calculator. You do need to know:

• Private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
• What a mask does. /24 means 256 addresses, /25 splits that in half.
• Simple test: put one VM on 192.168.1.10/24 and another on 192.168.2.10/24. They will not ping without a router. Add a route and watch it work.

Want to practice subnetting?

• Subnetting Made Easy
• Subnetting Practice Game

🚪 Ports and protocols that actually matter

Quick cheats you will use daily:

• 22 SSH - remote shell. If login hangs after password, suspect TCP filtering or AllowUsers policy before you blame credentials.
• 80/443 HTTP/S - everything from health checks to C2 beacons rides here. Proxies often rewrite requests. Capture and compare.
• 53 DNS - resolution issues look like random failures. Test with dig @resolver_ip example.com to bypass system DNS.
• 445 SMB - Windows auth and file shares. If smbclient fails only on large files, think MTU or signing.

More:

• IANA Service Name and Transport Protocol Port Number Registry

📦 Packet flow and basic tools

Tools I use in order when something breaks:

1. ping to test reachability. If ICMP is blocked, move on.
2. traceroute to see the path. Sudden star means a filter or NAT.
3. ss -tulnp or netstat -tunlp to list listeners.
4. tcpdump -nni eth0 port 443 to confirm packets leave and return.
5. Wireshark for the story behind the packets.

🔥 NAT, DHCP, DNS, routing

This is the unsexy part that makes everything work.

• NAT hides private hosts. Reverse shells fail a lot here. Use a listener on a port allowed outbound.
• DHCP gives IPs. If two boxes fight for the same address, the lease server is probably duplicated or mis-scoped.
• DNS is the phonebook. If a domain resolves to different IPs than you expect, check split horizon and hosts files.
• Routing decides the next hop. Wrong default gateway is the classic silent killer.

Learn more:

• NAT Explained – IPCisco
• How DHCP Works – Microsoft Learn
• DNS in detail – Cloudflare Learning

Learn stack without pain

What helped me when I started:

• TryHackMe Network Fundamentals module – hands-on labs.
• Professor Messer Network+ videos – structured theory.
• Packet Tracer or GNS3 – virtual routers/switches without real gear.
• Wireshark – see the truth on the wire.

If you are on Linux, make nmap, netcat, ip, and ss part of your daily toolkit.

What to do right after reading (Practical Exercises)

1. Capture your browser loading a site in Wireshark and find the three-way handshake.
2. Split 192.168.1.0/24 into two /25s. Put two VMs on different halves and make them ping using a router VM.
3. Run ss -tulnp then open a new nc -lvp 4444 listener and watch the new entry appear.

Why this matters in real attacks

When you understand networking:

• ARP spoofing, DNS poisoning, and MITM are not tricks. They are predictable outcomes you can detect and block.
• You stop pasting scripts and start fixing root causes.
• You can explain failures to a client in plain English and get them fixed the same day.

Final words

Networking is not flashy, but it is the floor under your feet. Build it solid now and future you will move faster, break less, and spend more time popping shells than debugging routes.

If you are stuck, tell me what you tried and what you saw on the wire. I will help you untangle it step by step.

My First Wi-Fi Pentest

There’s a massive difference between watching pentesting videos and actually doing it. This was my first time seriously trying Wi-Fi pentesting, and it was a mix of pure excitement, a bunch of silly mistakes, and that one moment of “YES! It finally worked.”

Disclaimer: This is just my story, not a tutorial. Everything I did was on my own network. Don’t go around trying this on random Wi-Fi unless you like the idea of explaining yourself to law enforcement.

Gearing Up

My setup was simple – my Arch Linux laptop, an Alfa adapter, and the Aircrack-ng suite.

At this point, I was overconfident. In my head, it was just: “Enable monitor mode, grab handshake, crack password. Done.”

Spoiler: life doesn’t work that way.

Where I Fell Flat

The very first thing I did? I forgot to disable all the services that fight you for control of the adapter.
Result: Warnings everywhere, services kept messing with monitor mode.

Once I figured that out, things finally started looking cool. My terminal was scrolling with access points like some cyberpunk movie scene.

The “Why Is Nothing Happening?” Phase

I locked onto my target, sat back, and… nothing. No handshake.

Turns out, distance does matter. I was sitting too far from the router like some wannabe hacker in a corner. Moving closer fixed everything, and that glorious “Handshake captured!” message finally appeared.

The Brutal Reality Check

Cracking it? Yeah, that part didn’t happen. My wordlist didn’t have the password (because of course it didn’t). Turns out a 14 million password wordlist doesn’t contain the password from all over the universe. (because of course it doesn’t).

But honestly, just getting that handshake felt like a small win. I’d done the whole process myself and figured out where I’d gone wrong.

Lessons Learned

• The tools are just tools. Knowing how to troubleshoot when things fail is the real skill.
• Proximity is underrated. Sitting 10 feet further might be the difference between success and nothing happening.
• Wordlists are everything. A bad one means hours of wasted time.
• There are certainly other methods of “getting passwords” from your target other than using wordlists *wink* (will cover this in the future)

Why I’m Glad I Did It Manually

I could’ve just used Airgeddon or some automated script, but figuring it out command by command taught me why things work, not just how to click buttons.

Next up? I’ll see if I can get Airgeddon to make my life easier without making me lazy.

This wasn’t some cinematic “Hollywood hacking” moment. It was messy, frustrating, and way less glamorous than it looks online. But that’s what made it fun.

The real flex isn’t showing commands – it’s showing that you understand what’s happening under the hood and can figure things out when they go wrong.

Setting up a SIEM (Security Information and Event Management) system might sound intimidating if you’re just getting started, but it’s a rewarding project that gives you real insight into how cybersecurity professionals monitor and detect threats. I recently built a Wazuh-based SIEM entirely with Docker and connected my personal Linux workstation as an agent. In this post, I’ll walk you through the process with practical commands for both Arch Linux and Debian users.

Wazuh started as a fork of OSSEC, one of the first open-source host-based intrusion detection systems, but has evolved into a full-blown security platform with log analysis, vulnerability detection, and compliance monitoring.

System Overview

Here’s what I used:

• Host OS: Arch Linux (but I include Debian commands too, since many readers might be on either)
• Deployment method: Docker (because containers make complex stacks easier to manage)
• Architecture: Single-node setup running Manager, Indexer, and Dashboard on one machine
• Agent: My own Linux workstation
• Use case: Personal monitoring and vulnerability detection in a home lab

Step 1: Installing Docker and Docker Compose

Before we get started, make sure Docker is installed and running. If you don’t have it, here’s how:

On Arch Linux:

1
2
3
4

sudo pacman -S docker docker-compose
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
newgrp docker

On Debian or Ubuntu:

1
2
3
4
5

sudo apt update
sudo apt install docker.io docker-compose
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
newgrp docker

Docker was originally released in 2013 and revolutionized how developers package and deploy applications. Today, it’s an essential tool in cybersecurity labs for simulating complex environments quickly.

Step 2: Cloning the Wazuh Docker Repository

Wazuh maintains an official Docker repository with all the configurations needed for different deployments. Grab the single-node setup like this:

1
2

git clone https://github.com/wazuh/wazuh-docker -b v4.12.0
cd wazuh-docker/single-node

Step 3: Generating SSL Certificates

To secure communication between the components, you’ll need to generate SSL certificates. First, create the directory:

1

mkdir -p config/wazuh_indexer_ssl_certs/

Next, create the configuration files. Here’s the config/certs.yml file content:

1
2
3
4
5
6
7

nodes:
  - name: wazuh.indexer
    type: indexer
  - name: wazuh.manager
    type: manager
  - name: wazuh.dashboard
    type: dashboard

And the generate-indexer-certs.yml file:

1
2
3
4
5
6
7
8

version: '3.3'
services:
  generator:
    image: wazuh/wazuh-certs-generator:0.0.2
    hostname: wazuh-certs-generator
    volumes:
      - ./config/wazuh_indexer_ssl_certs/:/certificates/
      - ./config/certs.yml:/config/certs.yml

Then run:

1

docker-compose -f generate-indexer-certs.yml run --rm generator

If you get errors about overwriting files, just clear the folder and try again:

1
2

rm -rf config/wazuh_indexer_ssl_certs/*
docker-compose -f generate-indexer-certs.yml run --rm generator

Step 4: Starting the Wazuh Stack

With everything set, launch the whole Wazuh environment:

1

docker-compose up -d

This will bring up the manager, indexer, and dashboard.

Step 5: Accessing the Web Dashboard

Open your browser and head to:

1

https://<your-server-ip>

This would be localhost if you’re setting it up locally.

The default login credentials are:

• Username: admin
• Password: SecretPassword (or check the .env file in the repo)

Expect a warning about the self-signed certificate. This is normal. You can safely proceed for now.

Adding Your Own Machine as an Agent

Wazuh’s strength lies in monitoring endpoints. I connected my Arch Linux workstation as an agent, but these steps work the same on Debian.

Download and install the agent:

1
2
3
4

curl -sO https://packages.wazuh.com/4.12/wazuh-agent-4.12.0-linux-x86_64.tar.gz
tar -xvzf wazuh-agent-4.12.0-linux-x86_64.tar.gz
cd wazuh-agent-4.12.0
sudo ./install.sh

Register the agent with the manager:

1
2

sudo /var/ossec/bin/agent-auth -m <wazuh-manager-ip>
sudo systemctl enable --now wazuh-agent

After a short while, your agent will show up in the dashboard, forwarding logs and security events.

The first version of Wazuh was released in 2015, and it has since become one of the most widely used open-source security platforms worldwide.

You’re now done! You should be able to explore the dashboard and learn all the features Wazuh has to offer.

Real-World Detection: CVE-2025-4598

Shortly after getting everything running, Wazuh’s Vulnerability Detector flagged a real systemd vulnerability on my machine (CVE-2025-4598). This was a practical example of how such tools help spot risks before attackers do.

Don’t worry, I patched it right away. Wouldn’t want to make it too easy for you hackers, right?

Why This Matters

Setting this up wasn’t just an academic exercise. I now have a hands-on understanding of log collection, normalization, and alerting. In fields like automotive cybersecurity, knowing what’s happening on endpoints and spotting anomalies early is crucial—and this kind of setup lets you practice those skills.

What’s Next?

Here are some things you can try for yourself now that you’ve got the hang of setting it up:

• Crafting custom detection rules tailored to your environment
• Simulating attacks to validate your alerts
• Adding Windows or other OS agents
• Expanding to multi-node deployments for scalability

Final Thoughts

Wazuh is a fantastic project for anyone looking to deepen their cybersecurity skills. Using Docker simplifies the setup, and the dashboard delivers meaningful insights out of the box. Whether you’re a beginner or an experienced professional, experimenting with Wazuh builds a solid foundation for real-world security monitoring.

Thanks for reading! Feel free to reach out if you want to discuss or share your own setups.

Hello, and thank you for visiting my blog!

I’m Arsh Imtiaz — a cybersecurity professional passionate about ethical hacking, information security, and continuous learning in the ever-evolving world of technology.

About This Blog

This space is dedicated to sharing insights, experiences, and practical knowledge related to cybersecurity and ethical hacking. Here, you’ll find:

• Technical write-ups and tutorials covering various tools, techniques, and challenges.
• Personal reflections on projects, learning journeys, and industry trends.
• CTF walkthroughs and writeups from platforms like TryHackMe and HackTheBox.
• Occasional commentary on broader tech topics, aimed at both beginners and professionals.

Why I Created This Blog

I launched this blog to document my professional journey, share knowledge with the community, and foster connections with fellow security enthusiasts. Whether you’re just starting out or looking to deepen your skills, I hope you find something valuable here.

Commitment to authenticity

All posts on this blog are 100% original and personally written by me. I do not use AI-generated content as I believe the value of this blog lies in geniune experience, hands-on learning and authentic sharing.

What to Expect

Future posts will include:

• Clear, beginner-friendly guides designed to demystify cybersecurity concepts.
• In-depth analyses of vulnerabilities, exploits, and defensive strategies.
• Updates on relevant industry news and tools.
• A touch of humor and real-world anecdotes to keep things engaging.

Thank you for visiting my blog. If you’ve come here from LinkedIn or another professional network, I appreciate you taking the time to explore my work. This space is dedicated to sharing practical insights and experiences in cybersecurity, with a focus on ethical hacking and responsible research. Feel free to connect or reach out—I’m always open to meaningful discussions and collaboration.