Build a SIEM with Open Source Tools ... Made Easy.

I have been thinking for a long time about building a SIEM from open source tools.

It has several components, all based on Linux open source tools.

Tools I used and plan to integrate (be patient; it takes some time to get everything running, but we will get there step by step, finish testing, and use the product):

Graylog – Log Server
Wazuh Indexer – Data storage backend
Wazuh – Log Analysis
Kibana / Grafana – Visualization
The Hive – Case Management
Shuffle – Automation
OpenCTI / MISP – Intelligence Enrichment
Uptime Kuma – Health Monitoring

Load balancer (LB): Linux-based, with syslog-ng or rsyslog for log collection.

Those are the tools I am using. Apart from that, I may use a Linux load balancer (LB) to balance the log traffic from end network devices, and also for Wazuh event collection from Windows agents to the Wazuh manager.

If you plan to send logs through the LB, use TCP rather than UDP 514: TCP has a 3-way handshake, so the LB can detect a failed backend and balance accordingly.
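As an added example (not from the post, and not the project's own config), here is how a Linux log source would forward to the LB over TCP with rsyslog, plus a check that a config file really uses TCP. The hostname lb.example.internal, the path /etc/rsyslog.d/50-forward-lb.conf and the queue settings are my assumptions; in legacy rsyslog syntax `@@host:514` means TCP and a single `@` means UDP.

```shell
#!/bin/sh
# Added example, not from the post: generate an rsyslog client config that
# forwards to the syslog load balancer over TCP, and check that a given
# config does not silently use UDP. lb.example.internal and the path
# /etc/rsyslog.d/50-forward-lb.conf are assumed values.

# write_tcp_forwarder CONF_PATH LB_HOST
# With TCP the client learns from the failed handshake (and the LB from its
# health check) that a backend is down; the disk-assisted queue keeps events
# locally until the connection comes back instead of dropping them.
write_tcp_forwarder() {
    conf="$1"
    lb="$2"
    cat > "$conf" <<EOF
# Forward all syslog to the LB over TCP (legacy form: *.* @@${lb}:514).
# UDP (@${lb}:514) would be fire-and-forget: no handshake, so nobody
# notices a dead backend and the lost events are never retried.
action(
    type="omfwd"
    target="${lb}"
    port="514"
    protocol="tcp"
    queue.type="LinkedList"
    queue.filename="fwd_lb"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
)
EOF
}

# forwarder_uses_tcp CONF_PATH
# Returns 0 if the config forwards over TCP (RainerScript protocol="tcp" or
# legacy "@@"), 1 otherwise (UDP forwarder or no forwarder at all).
forwarder_uses_tcp() {
    grep -Eq 'protocol="tcp"|^[^#]*@@' "$1"
}

# Usage (as root), then validate the syntax with: rsyslogd -N1
# write_tcp_forwarder /etc/rsyslog.d/50-forward-lb.conf lb.example.internal
# forwarder_uses_tcp /etc/rsyslog.d/50-forward-lb.conf && echo "TCP forwarding configured"
```

Run it as root against the real path, let `rsyslogd -N1` validate the file, then restart rsyslog. The queue file lives in rsyslog's work directory (/var/spool/rsyslog on Ubuntu), so events collected while the LB is down are replayed rather than lost.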

For the PoC I will be using an all-in-one server. Once the integration is working and tested, each component will move to its own VM; I also want to use Kubernetes with Docker here for high availability / node availability.

For now, the VM specification for the PoC:

CPU: 4 cores
RAM: 32GB
HDD: 400GB (SATA)
Operating System: Ubuntu 20.x LTS

Preparation:

Linux installation:

Download the ISO image from Ubuntu.

Do a minimal installation; we will add whatever packages are required for our end goal later.

Once Ubuntu is installed and everything is OK, you get a login prompt.

If you want to enable root login (it is disabled by default):

vi /etc/ssh/sshd_config (I use the vi editor; use whichever editor is convenient for you)

PermitRootLogin yes <<- once you find this line, remove the # in front of it and set it to yes as shown.

Press ESC, then :wq to write and quit.

Change the password for root:

# passwd root (enter the new password when prompted)

Restart the SSH service so you can log in as the root user:

/etc/init.d/ssh restart

Try SSH as the root user (I use PuTTY). Now you have root access and we are ready to install packages.
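The same PermitRootLogin change as an added, repeatable script (my example, not from the post). The functions take the config path as an argument so they can be tried on a copy before touching /etc/ssh/sshd_config; the `sshd -t` check and `systemctl restart ssh` are the standard OpenSSH and systemd commands, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the post: apply the PermitRootLogin edit from the
# steps above in a repeatable way. The functions take the config path as an
# argument so they can be tried on a copy before touching
# /etc/ssh/sshd_config.

# set_permit_root_login CONF_PATH VALUE
# Rewrites the first-column "PermitRootLogin ..." line whether it is
# commented out ("#PermitRootLogin prohibit-password", the Ubuntu default)
# or not; appends the directive if the file has none. Indented lines are
# left alone so a "Match" block is not edited by accident.
set_permit_root_login() {
    conf="$1"
    value="$2"
    if grep -Eq '^#?[[:space:]]*PermitRootLogin[[:space:]]' "$conf"; then
        sed -E "s/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin ${value}/" "$conf" > "${conf}.tmp" \
            && mv "${conf}.tmp" "$conf"
    else
        printf 'PermitRootLogin %s\n' "$value" >> "$conf"
    fi
}

# get_permit_root_login CONF_PATH
# Prints the effective value, or "unset". sshd uses the FIRST occurrence of
# a keyword, so a stray earlier line wins over a later edit.
get_permit_root_login() {
    awk '/^PermitRootLogin[[:space:]]/ { if (v == "") v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# apply_root_login CONF_PATH VALUE
# Edit, let sshd validate the file (sshd -t), and only then restart the
# service (the systemd form of the post's /etc/init.d/ssh restart).
apply_root_login() {
    set_permit_root_login "$1" "$2"
    sshd -t -f "$1" && systemctl restart ssh
}

# Usage (as root):  apply_root_login /etc/ssh/sshd_config yes
```

One caveat for Ubuntu 20.04: its sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, and because sshd keeps the first value it sees for a keyword, a drop-in file in that directory overrides the edit in the main file. `sshd -T | grep -i permitrootlogin` prints the value sshd will actually use.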

In the next step we will generate certificates and install Wazuh.

Happy labbing!