Guilgo Blog

Notes from my daily work with technology.

As a parent in the digital age, monitoring children’s online activity is essential. Commercial solutions are expensive and opaque. This project implements a complete parental control system using open-source tools: Wazuh as SIEM to collect and analyze events, AdGuard Home for DNS filtering to block inappropriate content, Hayabusa for advanced threat hunting and Telegram for real-time alerts to your phone.

What does this system detect?

| Category | Examples |
| --- | --- |
| Adult content | Pornography, adult sites |
| Control evasion | VPN, TOR, Proxy, alternative DNS |
| Piracy | Torrents, illegal download sites |
| Gaming | Steam, Fortnite, Roblox, Minecraft |
| Social networks | TikTok, Discord, Snapchat, Instagram |
| Night-time use | Activity between 23:00 and 06:00 |
| Excessive use | More than 4–8 hours of use |
| Security | Antivirus disabled, malware |

System architecture

┌─────────────────────────────────────────────────────────────────────┐
│                      CHILDREN'S DEVICES                              │
│   PC-Child-1 (Windows)                 PC-Child-2 (Windows)          │
│   ┌─────────────────────┐            ┌─────────────────────┐         │
│   │ • Wazuh Agent 4.9.2 │            │ • Wazuh Agent 4.9.2 │         │
│   │ • Parental Control   │            │ • Parental Control  │         │
│   │   Script (.ps1)      │            │   Script (.ps1)     │         │
│   │ • Hayabusa           │            │ • Hayabusa          │         │
│   └──────────┬──────────┘            └──────────┬──────────┘         │
│              │    Windows events (1514/tcp)      │                    │
│              └────────────────┬─────────────────┘                    │
│                          DNS (53)                                    │
└───────────────────────────────┼─────────────────────────────────────┘
                                ▼
┌─────────────────────────────────────────────────────────────────────┐
│                        CENTRAL SERVER (Docker Host)                  │
│  ┌──────────────────────┐      ┌──────────────────────┐             │
│  │   WAZUH MANAGER      │      │   ADGUARD HOME       │             │
│  │   • Events, rules    │ cron │   • DNS filtering    │             │
│  │   • Telegram         │ */5m │   • Block lists      │             │
│  │   Ports: 1514,1515,  │      │   • Querylog JSON    │             │
│  │   55000               │      └──────────────────────┘             │
│  └──────────┬───────────┘                                             │
│             │ Alerts level ≥7                                         │
│             ▼                                                         │
│  ┌──────────────────────┐      ┌──────────────────────┐              │
│  │   TELEGRAM BOT       │─────►│   PARENT'S PHONE     │              │
│  └──────────────────────┘      └──────────────────────┘              │
└─────────────────────────────────────────────────────────────────────┘

Components

Server software

| Component | Version | Role |
| --- | --- | --- |
| Docker | 24.x | Containers |
| Wazuh Manager | 4.9.2 | SIEM, event analysis |
| AdGuard Home | Latest | DNS filtering |
| Python 3 | 3.x | Integration scripts |

Client software

| Component | Version | Role |
| --- | --- | --- |
| Wazuh Agent | 4.9.2 | Event reporting |
| Hayabusa | 3.x | Local threat hunting |
| PowerShell | 5.1+ | Monitoring scripts |

Prerequisites

Server: Linux with Docker; minimum 4GB RAM, 20GB disk; ports 53, 1514, 1515, 55000.

Windows clients: Windows 10/11; PowerShell 5.1+; Administrator rights; connectivity to server.

Server installation

1. Docker Compose for Wazuh Manager

# docker-compose.yml
services:
  wazuh-manager-lite:
    image: wazuh/wazuh-manager:4.9.2
    container_name: wazuh-lite
    ports:
      - "1514:1514/tcp"
      - "1515:1515/tcp"
      - "55000:55000/tcp"
    volumes:
      - ./etc:/var/ossec/etc
      - ./data:/var/ossec/data
    networks:
      - mi-red
    restart: unless-stopped

networks:
  mi-red:
    external: true

docker-compose up -d
docker exec wazuh-lite /var/ossec/bin/wazuh-control status

2. AdGuard Home

# docker-compose-adguard.yml
services:
  adguardhome:
    image: adguard/adguardhome
    container_name: adguardhome
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    volumes:
      - ./adguard/work:/opt/adguardhome/work
      - ./adguard/conf:/opt/adguardhome/conf
    restart: unless-stopped

In the AdGuard web UI, add these lists:

| List | URL |
| --- | --- |
| Anti-Porn | https://raw.githubusercontent.com/4skinSkywalker/Anti-Porn-HOSTS-File/master/HOSTS.txt |
| HaGeZi VPN/TOR/Proxy | https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/doh-vpn-proxy-bypass.txt |
| HaGeZi Anti-Piracy | https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/anti.piracy.txt |
| Malware | https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/tif.txt |

Wazuh Manager configuration

Create a group for Windows agents and use centralized config (agent.conf) to monitor Security, System, Application, PowerShell and Windows Defender event channels, plus FIM on Startup and Run key, and syscollector for inventory. (Full XML is in the Spanish version.)

AdGuard DNS integration

Use a script that reads AdGuard’s querylog.json, filters by children’s IPs, and appends JSON lines to a file that Wazuh reads via a <localfile> with log_format=json. Configure Wazuh rules (e.g. 111001–111050) for DNS queries and blocks (adult, VPN, piracy, persistent blocks).
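
One way to write the forwarder described above, as an added example and not the script from the Spanish post: it keeps a byte offset between cron runs, restarts from the top when the log is rotated, and leaves a half-written last line for the next run. The child IPs, the output field names and the query-log field names (T, QH, IP, Result) are assumptions to check against your AdGuard Home version.

```python
import json
import os

# Constructed values: static IPs assumed to be assigned to the children's PCs.
CHILD_IPS = {"192.168.1.50": "PC-Child-1", "192.168.1.51": "PC-Child-2"}
# Constructed log line; field names assumed from AdGuard Home's query log.
SAMPLE = ('{"T":"2024-05-01T23:41:07+02:00","QH":"Adult.Example.","IP":"192.168.1.50",'
          '"Result":{"IsFiltered":true,"Rules":[{"Text":"||adult.example^"}]}}\n')


def read_new_lines(path, offset):
    """Return (complete new lines, next offset) since the previous cron run."""
    if os.path.getsize(path) < offset:
        offset = 0  # file was rotated or truncated: start again from the top
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1  # leave a half-written last line for next run
    return data[:end].decode("utf-8", "replace").splitlines(), offset + end


def to_events(lines, child_ips=CHILD_IPS):
    """Keep only queries from the children's IPs, flattened for Wazuh rules."""
    events = []
    for raw in lines:
        try:
            entry = json.loads(raw)
            name = child_ips[entry["IP"]]
        except (ValueError, KeyError, TypeError):
            continue  # corrupt line, or a client that is not a child's PC
        result = entry.get("Result") or {}
        rules = result.get("Rules") or []
        events.append({
            "timestamp": entry.get("T", ""),
            "client_ip": entry["IP"],
            "client_name": name,
            "domain": str(entry.get("QH", "")).rstrip(".").lower(),
            "blocked": bool(result.get("IsFiltered")),
            "filter_rule": rules[0].get("Text", "") if rules else "",
        })
    return events


def forward(querylog, outfile, offset):
    """Append new child events as JSON lines; return the offset to persist."""
    lines, offset = read_new_lines(querylog, offset)
    with open(outfile, "a", encoding="utf-8") as out:
        for event in to_events(lines):
            out.write(json.dumps(event, separators=(",", ":")) + "\n")
    return offset
```

Store the returned offset (for example in a small state file) so the next run every 5 minutes does not re-send events, and point the Wazuh <localfile> entry at the output file.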

Telegram integration

  1. Create a bot with @BotFather and get the token.
  2. Get your Chat ID by messaging the bot and calling https://api.telegram.org/bot<TOKEN>/getUpdates.
  3. Add a custom integration script (e.g. custom-telegram.py) that reads JSON alerts, filters by level ≥7 and group (control_parental, adguard, hayabusa), and posts to Telegram with Markdown.
  4. In ossec.conf add <integration> for the script with level="7" and the appropriate groups.
  5. Install requests in the container and set script permissions.
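
The filtering and formatting part of step 3, as an added example rather than the custom-telegram.py from the Spanish post. It escapes device names and domains before they reach Telegram's Markdown parser, since an unescaped underscore in a hostname makes Telegram reject the message and the alert is lost. The chat ID, the data.domain field and the use of the hook URL as the sendMessage endpoint are assumptions, and it uses urllib instead of requests.

```python
import json
import sys
import urllib.parse
import urllib.request

MIN_LEVEL = 7
GROUPS = {"control_parental", "adguard", "hayabusa"}
CHAT_ID = "123456789"  # placeholder: your own chat ID from getUpdates
# Constructed alert in the shape Wazuh writes to the integration's alert file.
SAMPLE_ALERT = {"agent": {"name": "PC_Child_1"}, "data": {"domain": "adult_site.example"},
                "rule": {"id": "111020", "level": 10, "groups": ["adguard", "dns"],
                         "description": "Adult content blocked"}}


def md_escape(value):
    """Backslash-escape the characters Telegram's legacy Markdown parses."""
    return "".join("\\" + c if c in "_*`[" else c for c in str(value))


def build_message(alert, chat_id=CHAT_ID):
    """Return sendMessage form fields, or None when the alert is filtered out."""
    rule = alert.get("rule", {})
    wanted = not GROUPS.isdisjoint(rule.get("groups", []))
    if not wanted or int(rule.get("level", 0)) < MIN_LEVEL:
        return None
    lines = [
        "*Parental control alert*",
        "*Rule:* {} (level {})".format(md_escape(rule.get("id", "?")), int(rule["level"])),
        "*Device:* " + md_escape(alert.get("agent", {}).get("name", "unknown")),
        "*What:* " + md_escape(rule.get("description", "")),
    ]
    domain = alert.get("data", {}).get("domain")  # assumed field name
    if domain:
        lines.append("*Domain:* " + md_escape(domain))
    return {"chat_id": chat_id, "text": "\n".join(lines), "parse_mode": "Markdown"}


def main(argv):
    # Wazuh passes the alert file as argv[1] and <hook_url> as argv[3]; the
    # hook URL is assumed to be the bot's .../sendMessage endpoint.
    with open(argv[1], encoding="utf-8") as fh:
        fields = build_message(json.load(fh))
    if fields:
        body = urllib.parse.urlencode(fields).encode()
        urllib.request.urlopen(argv[3], data=body, timeout=10).close()


if __name__ == "__main__":
    main(sys.argv)
```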

Parental control script (PowerShell)

The script collects: installed apps, running processes, network connections, uptime/screen time, USB devices, Defender status; builds a JSON payload with ReportType=ControlParental; saves it locally and copies to a network share; optionally writes to the Wazuh agent path for integration. Schedule it every 30 minutes with Task Scheduler.

Hayabusa (threat hunting)

Install Hayabusa on Windows (e.g. C:\Tools\Hayabusa), update Sigma rules, and run csv-timeline on C:\Windows\System32\winevt\Logs; use -m critical or -m high for focused alerts. Correlate with Wazuh via custom rules (e.g. 110060) on the report payload.

Custom rules summary

  • 110001–110099 (control_parental): base report, excessive use (110010, 110011), gaming (110020), social (110030), VPN/proxy (110040), Defender off (110050), Hayabusa critical (110060), night use (110080).
  • 111001–111099 (adguard/dns): base DNS query (111001), kids’ queries (111010), blocked adult/VPN/piracy (111020–111022), any block (111040), persistent blocks (111050).

Example Telegram alerts

Adult content blocked: “BLOQUEADO ADULTO: Child1 – domain” with rule 111020.
VPN detected: “VPN/Proxy detected” with rule 111021.
Night use: “Active at night” with rule 110080.

Useful commands

Wazuh: docker exec wazuh-lite /var/ossec/bin/agent_control -l, wazuh-control status, tail on alerts.log and ossec.log.
Telegram test: curl -X POST "https://api.telegram.org/botTOKEN/sendMessage" -d "chat_id=ID" -d "text=Test".
Windows: Get-Service WazuhSvc, agent logs, Restart-Service WazuhSvc.

Conclusions

This system provides: real-time monitoring of device activity; automatic blocking of inappropriate content via DNS; instant alerts to the parent’s phone; evasion detection (VPN, TOR, proxy); threat hunting with Sigma rules; open source and customizable; no licensing cost.

Limitations: Requires technical skills to install; tech-savvy kids may try to disable the agent; does not apply when using mobile data instead of Wi‑Fi.

References: Wazuh Documentation, AdGuard Home, Hayabusa, Sigma Rules.

For the full XML rules, PowerShell script, Python integration and batch installer, see the Spanish version of this post.