Deep Dive — Log Hardening in the Homelab (Wazuh + Sysmon + GPO)

After building the WebPanel and deploying the SIEM in my homelab, the next natural step was improving log quality.

A SIEM without rich telemetry gives limited visibility.

This deep dive shows how I enriched log telemetry across the domain.

Goal of Log Hardening

By default, Windows generates very limited security telemetry.

Examples of what is not enabled by default:

  • Detailed process creation
  • Command line logging
  • User creation visibility
  • Persistence activity
  • Lateral movement indicators
  • Service creation
  • Full PowerShell logging

Without hardening, the SIEM is basically blind.

Goals of this phase:

  • Centralize logs into Wazuh
  • Enrich Windows telemetry
  • Standardize mass deployment via GPO
  • Prepare the environment for detection testing

Environment Architecture

Domain lab components:

  • Domain Controller
  • Windows client machine
  • Wazuh Server (SIEM)
  • SYSVOL shared folder for automated deployment

Final pipeline:

Windows Hosts → Sysmon + Windows Logs → Wazuh Agent → Wazuh Server → Dashboard

Step 1 — Initial Problem

After installing the Wazuh agent, the dashboard showed almost no meaningful events.

This is expected — Windows logs are minimal by default.

Time to start the Log Hardening process.

Step 2 — Why Sysmon Matters

Windows Event Log is focused on administrative auditing.

Sysmon is focused on security telemetry.

It adds critical visibility such as:

  • Process Creation - Detects malware execution
  • Network Connections - Detects beaconing and command-and-control traffic
  • File Creation - Detects droppers and payload staging
  • Registry Changes - Detects persistence mechanisms
  • Service Creation - Detects privilege escalation and lateral movement

Without Sysmon, a SIEM loses ~70% of endpoint visibility.

Step 3 — Mass Deployment via GPO

Manual installation does not scale.

Realistic scenario: 100+ endpoints

Solution: automated deployment via GPO.

Domain share structure

\\domain\SYSVOL\scripts\
 ├── sysmon.exe
 ├── sysmonconfig.xml
 └── install_sysmon.ps1

GPO path:

Computer Configuration
 → Policies
   → Windows Settings
     → Scripts (Startup)

Result:
Every domain machine installs Sysmon automatically at boot.

This step makes the lab much closer to real-world environments.
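An install_sysmon.ps1 that fits the share layout above, written here as an added example (not the post's own script): run as a GPO startup script it installs Sysmon on the first boot and on later boots only re-applies the config when the copy on the share has changed, so the driver is never reinstalled needlessly. The C:\ProgramData\SysmonDeploy state folder and its log file are assumptions.

```powershell
# install_sysmon.ps1 - GPO startup script, runs as SYSTEM at boot (added example)
$Share       = '\\domain\SYSVOL\scripts'        # share layout from the post
$Binary      = Join-Path $Share 'sysmon.exe'
$Config      = Join-Path $Share 'sysmonconfig.xml'
$State       = 'C:\ProgramData\SysmonDeploy'    # assumed local state folder
$HashFile    = Join-Path $State 'config.sha256'
$ServiceName = 'Sysmon'                         # service name registered by sysmon.exe

New-Item -ItemType Directory -Path $State -Force | Out-Null
$LogFile = Join-Path $State 'deploy.log'
function Write-Log($Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

# Fail closed: if the share is unreachable there is nothing trustworthy to install.
foreach ($File in @($Binary, $Config)) {
    if (-not (Test-Path $File)) { Write-Log "Missing $File, aborting"; exit 1 }
}

$ConfigHash = (Get-FileHash -Path $Config -Algorithm SHA256).Hash
$Service    = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

if (-not $Service) {
    # First boot after the GPO applied: install driver and service with the config.
    Write-Log "Installing Sysmon from $Binary"
    & $Binary -accepteula -i $Config | Out-Null
    $Service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $Service) { Write-Log 'Install failed, service not present'; exit 1 }
}
elseif ((Test-Path $HashFile) -and ((Get-Content $HashFile) -eq $ConfigHash)) {
    # Config unchanged since the last boot: nothing to do, keep boot fast and quiet.
    Write-Log 'Sysmon present, config unchanged'
    exit 0
}
else {
    # Config on the share was updated: push it without touching the driver.
    Write-Log "Updating Sysmon config to $ConfigHash"
    & $Binary -c $Config | Out-Null
}

# Record which config is live so the next boot can skip unchanged deployments.
Set-Content -Path $HashFile -Value $ConfigHash
Write-Log 'Done'
```

Because the hash is recorded locally, editing sysmonconfig.xml on the share is all it takes to roll a new ruleset to every host at its next boot.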

Step 4 — Windows Audit Policy Hardening

Even with Sysmon, the Windows Security Log remains essential.

Enabled via GPO:

Advanced Audit Policy Configuration

Key categories enabled:

Account Logon / Logoff

  • Logon / Logoff
  • Credential validation
  • Remote logons
  • RDP activity

Account Management

  • User creation
  • Password changes
  • Group membership changes

Object Access

  • File access
  • Registry access

Policy Change

  • Security policy modifications

Privilege Use

  • Administrative privilege usage

This adds visibility into:

  • Suspicious user creation
  • Brute force attempts
  • Privilege escalation
  • Credential abuse

Step 5 — Wazuh Receiving Telemetry

After rebooting the endpoints, new events started appearing in the dashboard.

Events:

  • Process creation
  • Network connections
  • PowerShell activity
  • Logons

Final Result

Before hardening:

  • Few events
  • Limited visibility
  • Dashboard Events mostly empty

After hardening:

  • Rich telemetry
  • Real-time events
  • Detection-ready environment

The SIEM moved from poor logging to rich logging.