Rafał Przybysz
May 15, 2024, 7:49:38 AM
to Wazuh | Mailing List
Hello everyone,
I am planning to deploy a Wazuh cluster to act as a SIEM for multiple clients, and I would like to achieve the following setup and functionality:
Separate Data Storage for Clients: I want to store alerts from different clients in separate indices for enhanced security and data isolation. This will help ensure that each client’s data remains segregated.
Custom Index Retention Policies: I need to apply different retention policies to each client's data. My understanding is that having separate indices will allow me to manage these policies independently for each client.
Client-Specific Index Snapshots: I want to be able to create index snapshots for specific clients, which seems feasible only if each client has their own set of indices.
Proposed Setup:
Each location will have a local Wazuh Manager and Syslog server. The Syslog server collects logs from network devices, labels them, and forwards them to the local Wazuh Manager. The local Wazuh Manager also collects data from servers in that location.
These local Wazuh Managers will then forward logs to a central Wazuh Manager located at the main site, which consists of one master manager node, one worker manager node, a Wazuh dashboard, and a multi-node indexer (OpenSearch).
Questions:
Is this setup feasible? Can I configure local Wazuh Managers to forward logs to a central Wazuh Manager while maintaining data integrity and performance?
Separate Indices for Different Clients: Is it possible to save alerts from different clients in separate indices in Wazuh (OpenSearch)? How can I achieve this configuration using Logstash or any other recommended method?
Alternative Solutions: If separate indices for each client are not possible or recommended, what are the best practices to achieve data separation, custom retention policies, and client-specific snapshots?
Thank you for your assistance!
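The per-client routing the question asks about comes down to three pieces: deriving an index name from something that identifies the client, an ISM policy per client for retention, and a snapshot request restricted to that client's index pattern. The script below is an added example, not code from the post or from Wazuh; it models that logic in Python over constructed sample alerts. It assumes (this is not stated in the message) that every agent carries a Wazuh agent label named `client`, which appears in the alert JSON as `agent.labels.client`, and that the same decision would be expressed in Logstash as a conditional `index =>` setting on the `opensearch` output. The validation step matters for the isolation goal: a label that is missing or contains characters OpenSearch does not allow in index names is sent to a quarantine index rather than being folded into another client's name.

```python
"""Per-client index routing for Wazuh alerts (added example, not from the post).

Assumptions (not stated in the original message):
  * each agent carries a Wazuh agent label named ``client`` that shows up in the
    alert JSON as ``agent.labels.client``;
  * the same decision would be written as a conditional ``index =>`` setting in
    the Logstash ``opensearch`` output; this script models the logic offline.
"""
import json
import re

# OpenSearch index names must be lowercase and may not contain characters such as
# '/', '*', '?', '"', '<', '>', '|', ' ' or ','. Restricting client ids to this
# pattern also stops a label such as "../acme" from steering alerts into another
# client's index.
CLIENT_ID_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,31}$")
QUARANTINE_CLIENT = "unassigned"  # alerts with a missing or invalid label land here

# Constructed sample alerts, trimmed to the fields the routing needs.
SAMPLE_ALERTS = [
    {"id": "1", "timestamp": "2024-05-15T07:49:38.123+0000",
     "agent": {"name": "web01", "labels": {"client": "acme"}}},
    {"id": "2", "timestamp": "2024-05-15T08:02:11.500+0000",
     "agent": {"name": "db01", "labels": {"client": "Globex"}}},
    {"id": "3", "timestamp": "2024-05-15T08:10:00.000+0000",
     "agent": {"name": "legacy", "labels": {}}},
    {"id": "4", "timestamp": "2024-05-15T08:12:30.000+0000",
     "agent": {"name": "rogue", "labels": {"client": "../acme"}}},
    {"id": "5", "timestamp": "2024-05-16T01:00:00.000+0000",
     "agent": {"name": "web01", "labels": {"client": "acme"}}},
]


def client_id(alert):
    """Return the validated, lower-cased client id, or None if absent/invalid."""
    label = alert.get("agent", {}).get("labels", {}).get("client")
    if not isinstance(label, str):
        return None
    label = label.lower()
    return label if CLIENT_ID_RE.match(label) else None


def index_for(alert):
    """Daily index name for an alert: wazuh-alerts-<client>-YYYY.MM.dd."""
    client = client_id(alert) or QUARANTINE_CLIENT
    day = alert["timestamp"][:10].replace("-", ".")  # 2024-05-15 -> 2024.05.15
    return f"wazuh-alerts-{client}-{day}"


def route(alerts):
    """Group alert ids by destination index (what the Logstash output would do)."""
    buckets = {}
    for alert in alerts:
        buckets.setdefault(index_for(alert), []).append(alert["id"])
    return buckets


def retention_policy(client, days):
    """ISM policy that deletes a client's daily indices after ``days`` days."""
    return {"policy": {
        "description": f"retention for client {client}",
        "default_state": "hot",
        "states": [
            {"name": "hot", "actions": [],
             "transitions": [{"state_name": "delete",
                              "conditions": {"min_index_age": f"{days}d"}}]},
            {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
        ],
        # auto-attach the policy to new indices matching this client's pattern
        "ism_template": [{"index_patterns": [f"wazuh-alerts-{client}-*"],
                          "priority": 100}],
    }}


def snapshot_body(client):
    """Request body for a snapshot limited to one client's indices."""
    return {"indices": f"wazuh-alerts-{client}-*",
            "ignore_unavailable": True,
            "include_global_state": False}


if __name__ == "__main__":
    print(json.dumps(route(SAMPLE_ALERTS), indent=2))
    print(json.dumps(retention_policy("acme", 90), indent=2))
    print(json.dumps(snapshot_body("acme"), indent=2))
```

The policy document is what you would PUT to `_plugins/_ism/policies/<policy-id>` on the indexer, and the snapshot body is what you would PUT to `_snapshot/<repository>/<snapshot-name>` once a repository is registered; the `ism_template` block attaches the policy automatically to every new index that matches the client's pattern, which is what makes per-client retention work without touching each daily index by hand. Whether the client id comes from an agent label, from a field the syslog server adds, or from which local manager forwarded the event is a deployment choice; the validation and quarantine behaviour should stay the same regardless of the source.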