this post was submitted on 02 Nov 2023
1 points (100.0% liked)

Homelab

371 readers
3 users here now

Rules

founded 1 year ago
MODERATORS
 

Hello, I'm sorry if I say anything foolish, I'm just trying to learn setting up a SIEM stack ( real simple I know /s). I have an idea in my head to take a bunch of docker containers and put them all up in a vm that will be able to handle everything from the SIEM stack. I have a 12 core CPU and a couple terabytes of hard drive space to work with and 64gb of memory. It doesn't need to be active either, I just want to learn how all the parts work together and fit. My plan was to make the following docker containers:

  1. Wazuh indexer: indexes all the logs
  2. Wazuh Manager: ingests logs from some other devices on the network with wazuh agents installed on them. I plan on just having a single server and a workstation hooked to it as an example. It's a test environment
  3. Graylog: to standardize the logs and clean them up
  4. Graphana: for visual dashboards
  5. A.I. usage through OPENCTI and MISP
  6. Cortex: case management
  7. Shuffle: for automation
  8. Telegraf: to monitor system health

And have them all running on a single Ubuntu vm. I'm not sure if it'll Crack under all these containers or not or if this would be a good idea to try in the first place. My idea was to make a docker image that had all these parts working together so I could have a pop-up SIEM anywhere I want given enough hardware.

Is this a feasible plan? Would this be enough hardware to try? If not, what would be enough? I got this idea based on what I saw in this video: https://youtu.be/t4EJ98BNcvw?si=pDQdZKebe3eXQyyX

you are viewing a single comment's thread
view the rest of the comments
[โ€“] keisatsu@infosec.pub 1 points 1 year ago (1 children)

Since it's a test environment you should be fine with that amount of hardware, except for the AI stuff perhaps. That shit eats compute like nothing else, but it also depends on how much log you feed it. Go ahead and try bringing up the containers and observe how the load increase, it's a good learning experience and perhaps one of the most difficult aspects of SIEM (sizing).

[โ€“] keisatsu@infosec.pub 1 points 1 year ago

oh and don't run it all in one image, make one per service and use docker-compose to bring it up