Hello everyone,
I want to build an open-source SIEM solution using Wazuh and the Elastic Stack to monitor roughly 300 hosts (Linux servers, firewalls, switches, Windows servers, Linux hosts, and Windows hosts). I’d appreciate any advice or opinions on my stack.
Core Requirements:
- Handle 6GB/day of security logs, retained for 60 days.
- Support two types of rules:
  1. Real-time alerting via Wazuh.
  2. Near-real-time search/complex correlation via ElastAlert on Elasticsearch (a few seconds of delay is acceptable).
Hypothetical Setup:
- Elasticsearch Cluster (3 nodes): 500GB storage, 16GB RAM, 4 vCPU each.
- Wazuh Managers (2) + Load Balancer: 150GB storage, 12GB RAM, 4 vCPU each (for real-time alerting and HA).
- Logstash Server (1): 150GB SSD, 12GB RAM, 4 vCPU.
- Kibana/ElastAlert Server (1): 120GB SSD, 12GB RAM, 4 vCPU.
Specific Questions:
1. Is this setup correctly scaled for the expected log volume, or is any component over- or under-provisioned?
2. Is it justified to separate Wazuh (real-time) and ElastAlert (near-real-time) for this use case, or would a simpler, all-in-one solution be sufficient?
3. Are two Wazuh managers necessary, or could a single, larger manager handle this workload?
4. Can I reduce the number of VMs?
I’m okay with initially excluding Windows hosts (about 200 of them) to simplify deployment.
Thanks in advance for any guidance!
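The first question (is the Elasticsearch tier scaled for 6GB/day over 60 days?) is answerable with a capacity check rather than an opinion. The script below is an added example, not code from the original post or from the Wazuh/Elastic projects. It takes the figures from the post (6 GB/day, 60 days, 3 data nodes with 500 GB each), assumes one replica per primary shard and an on-disk overhead factor of 1.1 relative to raw log bytes (both assumptions are marked in the code; the overhead should be measured on real data, since it depends on the index mappings and codec), and compares the result against Elasticsearch's default disk watermarks both in steady state and with one node down, which is the case that actually matters for a three-node cluster.

```python
"""Capacity check for a small Elasticsearch cluster holding SIEM logs.

Added example for the sizing question above, not part of the original post.
The figures for the proposed cluster come from the post; the replica count
and the index-overhead factor are assumptions marked below.
"""
import math
from dataclasses import dataclass
from typing import Optional

# Elasticsearch's default disk watermarks (cluster.routing.allocation.disk.watermark.*).
# Above "low" no new shards are allocated to the node, above "high" shards are
# moved away from it, and above "flood_stage" indices with a shard on the node
# are forced read-only. Sizing against "low" keeps the cluster out of all three.
WATERMARK_LOW = 0.85
WATERMARK_HIGH = 0.90
WATERMARK_FLOOD = 0.95


@dataclass
class Plan:
    daily_raw_gb: float          # raw log volume shipped per day
    retention_days: int          # days kept before ILM deletes the index
    nodes: int                   # data nodes in the cluster
    disk_per_node_gb: float      # usable disk per data node
    replicas: int = 1            # ASSUMPTION: one replica, so data survives one node loss
    index_overhead: float = 1.1  # ASSUMPTION: on-disk bytes per raw byte; measure on real data

    def on_disk_gb(self) -> float:
        """Bytes the cluster must hold at full retention, all shard copies included."""
        copies = 1 + self.replicas
        return self.daily_raw_gb * self.retention_days * self.index_overhead * copies

    def utilisation(self, live_nodes: Optional[int] = None) -> float:
        """Fraction of each node's disk in use, assuming shards spread evenly."""
        live = self.nodes if live_nodes is None else live_nodes
        return self.on_disk_gb() / live / self.disk_per_node_gb

    def max_retention_days(self, live_nodes: Optional[int] = None) -> int:
        """Days of logs that fit below the low watermark on the given node count."""
        live = self.nodes if live_nodes is None else live_nodes
        usable_gb = live * self.disk_per_node_gb * WATERMARK_LOW
        per_day_gb = self.daily_raw_gb * self.index_overhead * (1 + self.replicas)
        return math.floor(usable_gb / per_day_gb)


def assess(plan: Plan) -> dict:
    """Steady-state and one-node-down figures, with a verdict against the low watermark.

    When a node dies, Elasticsearch re-creates the missing shard copies on the
    surviving nodes, so the full primary+replica volume must fit on nodes-1.
    """
    degraded_nodes = max(plan.nodes - 1, 1)
    steady = plan.utilisation()
    degraded = plan.utilisation(degraded_nodes)
    return {
        "on_disk_gb": round(plan.on_disk_gb(), 1),
        "steady_utilisation": round(steady, 3),
        "degraded_utilisation": round(degraded, 3),
        "max_retention_days": plan.max_retention_days(),
        "max_retention_days_degraded": plan.max_retention_days(degraded_nodes),
        "fits_steady": steady < WATERMARK_LOW,
        "fits_one_node_down": degraded < WATERMARK_LOW,
    }


if __name__ == "__main__":
    # Figures from the post: 6 GB/day, 60 days, 3 nodes with 500 GB each.
    proposed = Plan(daily_raw_gb=6, retention_days=60, nodes=3, disk_per_node_gb=500)
    for key, value in assess(proposed).items():
        print(f"{key:30} {value}")
```

With the post's numbers the cluster holds about 792 GB at full retention, which is roughly 53% of each node's disk in steady state and 79% with one node down, so the 60-day requirement fits even in the degraded case, but only just (about 64 days would fit on two nodes). Halving the per-node disk to 250 GB fails the one-node-down check, which is the figure to watch if the number of VMs is reduced. The check says nothing about indexing throughput or RAM; 6 GB/day is a low ingest rate, so disk and the watermark behaviour are the constraints most likely to bite first.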