CyberNexusBlog

Building a Comprehensive Open Source SIEM Solution

Youssef Ketaj's photo
Youssef Ketaj

6 min read

Cover Image for Building a Comprehensive Open Source SIEM Solution

Table of contents

Introduction

In today's cybersecurity landscape, having a robust Security Information and Event Management (SIEM) system is crucial for organizations of all sizes. While commercial SIEM solutions can be expensive and complex, this guide demonstrates how to build a powerful, scalable, and cost-effective SIEM using open-source tools. This solution is particularly valuable for small to medium-sized businesses, security researchers, and organizations looking to enhance their security posture without significant financial investment.

In this blog post, I'll walk you through the setup and implementation of a powerful open-source Security Information and Event Management (SIEM) solution that combines several best-in-class security tools. This setup provides enterprise-grade security monitoring capabilities without the enterprise price tag.

Project Repository

All the code and configuration files for this project are available on GitHub:

GitHub Repository

The repository includes:

  • Complete Docker Compose configuration

  • Configuration files for all components

  • Setup scripts and documentation

  • Implementation guides and best practices

Feel free to star ⭐ the repository if you find it useful!

Why Open Source SIEM?

Before diving into the technical details, let's understand why an open-source SIEM solution might be the right choice:

  • Cost-Effective: Eliminate expensive licensing fees while maintaining enterprise-grade capabilities

  • Customizable: Full control over the implementation and ability to modify components as needed

  • Community Support: Access to large communities for troubleshooting and improvements

  • Transparency: Clear visibility into how the security tools operate

  • Integration Flexibility: Easy integration with existing tools and custom solutions

Components Overview

Our SIEM solution consists of the following key components:

1. Wazuh (v4.9.0)

  • Purpose: Host-based intrusion detection, security monitoring, and response

  • Key Features:

    • Real-time alerting and monitoring

    • File integrity monitoring

    • Vulnerability detection

    • Configuration assessment

    • Incident response capabilities

  • Use Cases:

    • Detecting unauthorized file system changes

    • Monitoring system calls for suspicious behavior

    • Tracking user authentication events

    • Identifying compliance violations

    • Managing security policies across endpoints

2. Graylog (v6.0.6)

  • Purpose: Log management and analysis

  • Key Features:

    • Centralized log collection

    • Advanced search capabilities

    • Custom dashboards

    • Alert creation

    • Geolocation analysis with GeoLite2 integration

  • Use Cases:

    • Network traffic analysis

    • Application performance monitoring

    • Security incident investigation

    • Compliance reporting

    • User activity tracking

3. Grafana

  • Purpose: Data visualization and analytics

  • Key Features:

    • Custom dashboards

    • Real-time metrics visualization

    • Multi-source data integration

    • Alert management

  • Use Cases:

    • Security metrics visualization

    • Performance monitoring

    • Threat hunting dashboards

    • Executive reporting

    • Trend analysis

4. Velociraptor

  • Purpose: Digital forensics and incident response

  • Key Features:

    • Live forensics capabilities

    • Endpoint monitoring

    • Incident response automation

    • Threat hunting

  • Use Cases:

    • Malware investigation

    • Memory analysis

    • File system auditing

    • Process monitoring

    • Network connection analysis

5. SOCFortress CoPilot

  • Purpose: Security orchestration and automation

  • Key Features:

    • Integration management

    • Alert correlation

    • Automated response actions

    • Centralized security management

  • Use Cases:

    • Automated incident response

    • Alert triage and prioritization

    • Cross-platform security orchestration

    • Compliance automation

Architecture and Workflow

The system follows this general workflow:

  1. Data Collection:

    • Wazuh agents collect host-based security data

    • Graylog ingests logs from various sources (TCP/UDP)

    • Velociraptor gathers forensics data from endpoints

    • Support for multiple data formats (Syslog, GELF, JSON)

  2. Data Processing:

    • Wazuh processes security events and generates alerts

    • Graylog parses and normalizes log data

    • CoPilot orchestrates data flow between components

    • Real-time correlation and enrichment

  3. Analysis and Visualization:

    • Wazuh Dashboard for security event analysis

    • Graylog dashboards for log analysis

    • Grafana for custom metrics visualization

    • Integrated threat intelligence

    • Machine learning-based anomaly detection

  4. Response and Automation:

    • CoPilot handles alert correlation and automated responses

    • Velociraptor executes forensic analysis when needed

    • Integration with external tools through API connections

    • Automated containment and remediation actions

Setup and Configuration

Prerequisites

  • Docker and Docker Compose

  • SSL certificates for secure communication

  • Sufficient system resources:

    • Minimum 16GB RAM recommended

    • 4+ CPU cores

    • 100GB+ storage space

    • Ubuntu/Debian-based system (recommended)

Key Configuration Steps

  1. SSL Certificate Generation:

     cd ./wazuh/
 docker compose -f generate-indexer-certs.yml run --rm generator

  2. Certificate Integration:

    • Copy root-ca.pem to Graylog directory

    • Configure Java truststore for Graylog:

    docker exec -it graylog bash
    cp /opt/java/openjdk/lib/security/cacerts /usr/share/graylog/data/config/
    keytool -importcert -keystore cacerts -storepass changeit -alias wazuh_root_ca -file root-ca.pem

  1. Service Deployment:

     docker compose up -d

Post-Installation Configuration

  1. Wazuh Setup:

    • Configure agent groups

    • Set up custom rules

    • Enable desired modules

    • Configure vulnerability scanning

  2. Graylog Configuration:

    • Set up inputs

    • Create streams

    • Configure pipelines

    • Set up content packs

  3. Grafana Integration:

    • Configure data sources

    • Import dashboards

    • Set up alerting

    • Configure user permissions

Implementation Screenshots

Here are some screenshots showcasing our implementation:

Docker Container Overview

Figure 1: Running Docker containers showing all SIEM components

SOCFortress CoPilot Dashboard

Figure 2: SOCFortress CoPilot main dashboard showing security metrics and alerts

CoPilot Connectors Configuration

Figure 3: Integrated connectors in CoPilot showing various tool integrations

These screenshots demonstrate:

  1. Container Health: All required containers running successfully in Docker

  2. Dashboard Overview: The main CoPilot interface showing security metrics, alerts, and system status

  3. Integration Status: Active connectors showing successful integration between different security tools

Security Considerations

  • All inter-service communication is encrypted using SSL/TLS

  • Strong authentication configured for all components

  • Separate containers for isolation

  • Regular security updates through Docker images

  • Network segmentation recommendations:

    • Use internal networks for container communication

    • Implement reverse proxy for web interfaces

    • Apply principle of least privilege

    • Regular security audits

Integration Points

The system provides several integration points:

  • Wazuh Manager:

    • Port 1514 (agent communication)

    • Port 55000 (API)

    • Integration with threat intelligence platforms

    • Custom decoder and rule creation

  • Graylog:

    • Port 9000 (web interface)

    • Port 12201 (GELF)

    • Port 514 (Syslog)

    • REST API for custom integrations

    • Content pack sharing

  • Grafana:

    • Port 3000 (web interface)

    • Plugin ecosystem

    • Alert integration

    • Custom datasource support

  • Velociraptor:

    • Ports 8000, 8001, 8889

    • Custom artifact creation

    • API integration

    • Automated collection

  • CoPilot:

    • Port 5000 (API and web interface)

    • Workflow automation

    • Custom connector development

    • Alert routing and management

Troubleshooting Guide

Common issues and solutions:

  1. Connection Issues:

    • Check SSL certificates

    • Verify network connectivity

    • Review firewall rules

    • Check service logs

  2. Performance Problems:

    • Monitor resource usage

    • Optimize queries

    • Check index performance

    • Review container limits

  3. Data Collection Issues:

    • Verify agent connectivity

    • Check input configurations

    • Review parsing rules

    • Monitor log sources

Conclusion

This open-source SIEM solution provides a robust security monitoring platform suitable for organizations of all sizes. The combination of Wazuh, Graylog, Grafana, Velociraptor, and CoPilot offers comprehensive security visibility and response capabilities.

Key benefits include:

  • Cost-effective security monitoring

  • Scalable architecture

  • Extensive automation capabilities

  • Rich visualization options

  • Comprehensive log management

  • Advanced threat detection and response

Next Steps

To enhance this setup, consider:

  • Implementing additional Wazuh agents

  • Creating custom detection rules

  • Setting up automated response playbooks

  • Developing custom dashboards

  • Integrating additional security tools

  • Building threat hunting capabilities

  • Implementing machine learning for anomaly detection

  • Creating custom reports for compliance

Resources and References

Remember to regularly update all components and review security configurations to maintain optimal security posture.