Multi-Tenant Wazuh Setup with Centralized Cloud Storage for Client Data


m_alfo

Oct 24, 2024, 5:28:23 AM
to Wazuh | Mailing List

Hello,

I’m currently working on a multi-tenant Wazuh implementation where we manage multiple clients (environments like Environment A and Environment B) from our central MSSP console. Each client has their own Wazuh indexer and server, which allows for isolated environments. While this works well, I have concerns about the scalability and data retention on the client side.

Specifically, I’m seeking guidance on two key architectural points:

1. Centralized Data Storage - Moving Client Data to Our MSSP Cloud:

Our goal is to implement an architecture where client data (logs, security events, etc.) is not stored locally on the client's Wazuh infrastructure. Instead, we want to offload this data directly into our cloud, so the client doesn’t have to handle the growing storage needs. Additionally, this would allow us to avoid any inbound connections into the client’s environment, as it’s more secure and comfortable for clients to only have outbound data transfers.

  • Is there a way to configure Wazuh agents, indexers, and servers to push data directly into our cloud, bypassing local storage?
  • Are there open-source methods or best practices for forwarding data from the client environment to the central MSSP cloud, without creating heavy dependencies on their local storage?

2. Avoiding Inbound Access to the Client’s Environment:

We want to minimize the need for inbound connections from our MSSP console into the client's environment. The idea is to set up a flow where the client’s Wazuh agents and indexers push data out to our cloud or MSSP console, rather than us accessing their systems directly.

  • What is the best approach to configure a Wazuh environment that avoids inbound connections from the MSSP console to the client’s infrastructure?
  • How can we ensure data is securely and efficiently transferred from the client’s network to our cloud, while complying with security standards?

3. Full Cloud Integration:

Is it possible to implement a fully cloud-based solution where all client data is stored centrally in our cloud, and the client does not need to manage or store any Wazuh data on-premises? I’m particularly interested in understanding if there are ways to handle the following:

  • Log and event retention in the cloud for clients without impacting their infrastructure.
  • Real-time event forwarding from the client’s Wazuh setup to the cloud.
  • Management of alerts and logs in a way that they don’t burden the client’s infrastructure but still maintain visibility and control over their environment.

I would greatly appreciate insights from anyone who has implemented something similar or has experience working with cloud-centric Wazuh deployments. Any implementation details, best practices, or potential challenges would be extremely helpful.

Thank you in advance for your support and suggestions!

