SIEM Hybrid Configuration - Wazuh + Graylog Integration
# Hybrid SIEM Configuration: Wazuh + Graylog Integration
# Architecture: Wazuh handles threat detection, Graylog handles log aggregation
# Integration: Wazuh alerts forwarded to Graylog for unified dashboard
#
# NOTE(review): this is a design note, not one deployable file. It mixes an
# ossec.conf XML fragment with several YAML documents and two free-text
# examples; copy each piece into its own target (ossec.conf, the Graylog
# API/UI) rather than loading the file as a whole.

# Wazuh Configuration (/var/ossec/etc/ossec.conf)
# Add Graylog syslog output
<ossec_config>
  <!--
    Forward alerts to Graylog as JSON over syslog. The matching Graylog input
    further down is a UDP input, so this path has no transport encryption and
    no sender authentication: whatever can reach graylog-server:1514/udp can
    feed messages shaped like Wazuh alerts into the security stream. Keep the
    manager -> Graylog path on a management network and limit 1514/udp on the
    Graylog host to the manager's address (TODO confirm network path and
    firewall rules), or forward through a TLS-capable relay instead.
  -->
  <syslog_output>
    <server>graylog-server</server>
    <port>1514</port>
    <format>json</format>
    <level>3</level> <!-- Alert level 3 and above; presumably high volume - tune once measured -->
  </syslog_output>

  <!-- File integrity monitoring -->
  <!--
    Scheduled FIM over system configuration and binaries; scan_on_start=yes
    runs a full scan each time the agent starts. Only check_all is set on the
    directories (no realtime attribute), so changes presumably surface at the
    next scheduled scan rather than immediately - TODO confirm that latency is
    acceptable for /etc and the binary paths.
    NOTE(review): /etc/hosts.deny is on the ignore list, so edits to
    TCP-wrapper access control go unreported; keep that ignore only if a tool
    rewrites the file routinely, otherwise monitor it.
  -->
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <scan_on_start>yes</scan_on_start>
  </syscheck>

  <!-- Active response for auto-remediation -->
  <!--
    When any listed rule fires, run firewall-drop against the alert's source
    address on the host that raised the alert (location=local) and lift the
    block after 1800 s (30 min).
    NOTE(review): automatic blocking can lock out legitimate users for the
    whole timeout - a forged or misparsed source address, or a shared NAT
    address, is enough. Add the manager, bastion and admin addresses to
    <global><white_list> (lives elsewhere in ossec.conf, not shown here), and
    check that each rule id below is a frequency/composite rule rather than a
    single-event one (TODO verify against the installed ruleset).
  -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5710,5711,5720</rules_id> <!-- SSH brute force -->
    <timeout>1800</timeout>
  </active-response>
</ossec_config>

# Graylog Input Configuration
# Create Syslog UDP input for Wazuh alerts
# NOTE(review): bind_address 0.0.0.0 listens on every interface and
# global: true starts the input on every Graylog node. Prefer the address of
# the interface facing the Wazuh manager plus a host firewall rule limiting
# 1514/udp to the manager; UDP syslog carries no sender authentication, so the
# network boundary is the only control on who can feed this input.
---
input:
  title: "Wazuh Alerts"
  type: "org.graylog2.inputs.syslog.udp.SyslogUDPInput"
  configuration:
    bind_address: "0.0.0.0"
    port: 1514
    recv_buffer_size: 262144
  global: true

# Graylog Stream for Wazuh Alerts
# Routes a message into the stream when the rules match - presumably both,
# under the stream's default match-all setting (TODO confirm the stream's
# matching type): source is exactly "wazuh-manager" AND the message contains
# the JSON key "rule".
# NOTE(review): on a UDP syslog input `source` is presumably taken from the
# sender's syslog header, so this rule is routing, not authentication; stream
# membership is not proof that an alert came from the manager.
---
stream:
  title: "Wazuh Security Alerts"
  description: "All security alerts from Wazuh SIEM"
  rules:
    - field: "source"
      value: "wazuh-manager"
      type: 1 # EXACT match
      inverted: false
    - field: "message"
      value: "\"rule\":" # JSON alerts contain "rule" field
      type: 2 # CONTAINS match
      inverted: false

# Graylog Extractors for Wazuh JSON
# Each extractor reads the JSON alert in `message` and COPYs one JSON path into
# a dedicated field (cursor_strategy COPY leaves `message` intact) so the
# fields can be searched and charted. Separator settings are only given on the
# first extractor; the other two presumably take Graylog's defaults (TODO confirm).
# NOTE(review): wazuh_src_ip is whatever the Wazuh decoder pulled out of the
# original log line - it is log data, not a verified network address, so
# validate it before using it to drive lookups or blocks.
---
extractors:
  - title: "Wazuh Alert - Rule ID"
    type: "JSON"
    cursor_strategy: "COPY"
    source_field: "message"
    target_field: "wazuh_rule_id"
    extractor_config:
      key_separator: "_"
      kv_separator: "="
      list_separator: ", "
      json_path: "$.rule.id"
  - title: "Wazuh Alert - Severity"
    type: "JSON"
    cursor_strategy: "COPY"
    source_field: "message"
    target_field: "wazuh_severity"
    extractor_config:
      json_path: "$.rule.level"
  - title: "Wazuh Alert - Source IP"
    type: "JSON"
    cursor_strategy: "COPY"
    source_field: "message"
    target_field: "wazuh_src_ip"
    extractor_config:
      json_path: "$.data.srcip"

# Unified Alert Workflow
---
# 1. Wazuh detects threat (SSH brute force, malware, FIM change)
# 2. Wazuh triggers active response (block IP, isolate host)
# 3. Wazuh forwards alert to Graylog via syslog
# 4. Graylog enriches alert with context (GeoIP, threat intel lookup)
#    (not configured in this file - needs Graylog pipeline rules / lookup
#    tables, TODO add)
# 5. Graylog creates unified dashboard showing:
#    - Security alerts from Wazuh
#    - Application logs from Filebeat
#    - System logs from rsyslog
# 6. Analysts investigate incidents in Graylog (fast search)
# 7. Automation scripts query both APIs for response playbooks

# Example: Unified Dashboard Query
# Show SSH brute force alerts with successful logins within 10 minutes
# Fields: wazuh_rule_id / wazuh_severity come from the extractors above;
# program / message come from the sshd logs shipped by rsyslog or Filebeat.
# NOTE(review): the OR lists both event classes inside the window - it does not
# tie a successful login to the same source as the brute-force alert. Real
# correlation needs a Graylog event definition or the Python step below.
# NOTE(review): wazuh_severity:>=10 is a range query and needs the field to be
# indexed as a number; if the JSON extractor stores it as a string the
# comparison will not be numeric (TODO confirm the index field mapping).
graylog_query: |
  (
    (wazuh_rule_id:5710 AND wazuh_severity:>=10)
    OR
    (program:sshd AND message:"Accepted password")
  )
  AND timestamp:[now-10m TO now]

# Example: Python Integration
# Illustrative only - wazuh_api, graylog_api and create_incident stand for
# client wrappers that are not defined here.
# NOTE(review): src_ip is read from alert data and interpolated straight into a
# Graylog query string; validate it first (e.g. ipaddress.ip_address) so
# malformed or hostile log content cannot reshape the search. Indexing
# alert['data']['srcip'] also raises KeyError for any alert without a srcip -
# use .get() and skip such alerts.
python_integration: |
  # Query Wazuh for active response status
  wazuh_alerts = wazuh_api.get_alerts(severity="high")
  # Enrich with Graylog context
  for alert in wazuh_alerts:
      src_ip = alert['data']['srcip']
      context = graylog_api.search_logs(f"source:{src_ip}", time_range=3600)
      alert['graylog_context'] = context
  # Create unified incident ticket
  create_incident(wazuh_alerts)

# Resource Allocation
# Rough sizing as given by the author; the four line items sum to the 12GB total.
resources:
  wazuh_manager: 2GB RAM
  wazuh_indexer: 4GB RAM (stores FIM, compliance data)
  graylog_server: 2GB RAM
  elasticsearch: 4GB RAM (stores all logs including Wazuh alerts)
  total: 12GB RAM for full hybrid stack

# Benefits of Hybrid Approach
benefits:
  - Wazuh provides security-specific correlation (MITRE ATT&CK mapping, compliance)
  - Graylog provides flexible log search (application debugging, DevOps workflows)
  - Single pane of glass via Graylog dashboard
  - Automated remediation via Wazuh active response
  - Rich context via Graylog log enrichment