Cybersecurity, SSH Honeypot, Cowrie, Wazuh SIEM, Threat Monitoring, Homelab

Public SSH Honeypot with On-Prem Wazuh SIEM

A public-facing SSH honeypot deployed on a Vultr VPS to capture real attacker activity, forward Cowrie JSON logs into an on-prem Wazuh manager, and build a dashboard for investigation. The project combines cloud exposure, private tunnelling, VLAN segmentation, firewall controls, custom Wazuh rules, and SIEM visualisation to create a lean, controlled honeypot architecture inspired by larger platforms like T-Pot.

Project Evidence

A practical walkthrough of the honeypot architecture, Cowrie setup, Wazuh log ingestion, dashboard panels, and examples of captured attacker activity.

Full written breakdown covering the project goal, architecture, configuration, log pipeline, Wazuh rules, dashboard design, testing, and lessons learned.