Architecture

This section provides an overview of the system architecture.

Overview

The architecture is built in stages, chaining several open-source components into a robust and extensible SIEM pipeline. Each component has a specific role, from log collection and rule matching through forwarding, enrichment and storage to visualization.


Architecture Breakdown

  1. Wazuh Manager
    The central analysis point, receiving events from the deployed Wazuh Agents. It:

    • Decodes and parses incoming data
    • Matches events against the defined security rules
    • Writes matching events as alerts to the alerts log, which the next stage consumes
    • Manages agents and their configuration
  2. Wazuh Indexer
    An OpenSearch distribution packaged and tuned for Wazuh:

    • Stores alerts and decoded logs
    • Manages the data lifecycle (retention, rollover)
    • Serves the Wazuh Dashboard for real-time visualization and analytics
  3. Fluent Bit
    A lightweight log forwarder that bridges the Wazuh stack and Graylog:

    • Tails the Wazuh alerts log file on the manager, parsing each alert as JSON
    • Forwards the parsed events to Graylog for further processing
  4. Graylog
    Used as a centralized log enrichment and management system:

    • Adds contextual metadata to logs
    • Supports flexible parsing and custom pipelines
    • Prepares logs for long-term storage and advanced querying
  5. OpenSearch
    Final destination for enriched and structured logs:

    • Enables advanced search, aggregation, and analysis
    • Supports alerting and custom dashboards via plugins
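As an added example for step 3 (it is not configuration shipped by this project), the Fluent Bit configuration below tails the manager's JSON alerts file and ships each alert to Graylog as a GELF message over TLS. The Graylog hostname, the certificate paths and the tail position database path are assumptions; the alerts file path is the Wazuh default.

```ini
# Added example: Fluent Bit (classic configuration syntax) tailing the Wazuh
# manager's JSON alerts file and shipping each alert to Graylog over GELF/TLS.
# Hostname, certificate paths and the tail DB path are assumptions for this page.

# --- /etc/fluent-bit/parsers.conf -------------------------------------------
[PARSER]
    # Wazuh writes one JSON object per line. Take the event time from the
    # alert's own "timestamp" field, not the read time, so alerts read late
    # (e.g. after a Fluent Bit restart) keep the time they were raised.
    Name         wazuh_alert
    Format       json
    Time_Key     timestamp
    Time_Format  %Y-%m-%dT%H:%M:%S.%L%z
    Time_Keep    On

# --- /etc/fluent-bit/fluent-bit.conf ----------------------------------------
[SERVICE]
    Flush         5
    Daemon        Off
    Log_Level     info
    Parsers_File  /etc/fluent-bit/parsers.conf

[INPUT]
    Name              tail
    Path              /var/ossec/logs/alerts/alerts.json
    Parser            wazuh_alert
    Tag               wazuh.alerts
    # Persist the read offset (assumed path) so a restart neither replays
    # nor silently skips alerts.
    DB                /var/lib/fluent-bit/wazuh-alerts.db
    Mem_Buf_Limit     50MB
    Skip_Long_Lines   On
    Refresh_Interval  5

# The GELF output only reads top-level keys, so lift the nested "agent" and
# "rule" objects into agent_* and rule_* fields before the output stage.
[FILTER]
    Name          nest
    Match         wazuh.alerts
    Operation     lift
    Nested_under  agent
    Add_prefix    agent_

[FILTER]
    Name          nest
    Match         wazuh.alerts
    Operation     lift
    Nested_under  rule
    Add_prefix    rule_

[OUTPUT]
    Name                    gelf
    Match                   wazuh.alerts
    # Assumed Graylog host; the port is the conventional GELF input port.
    Host                    graylog.example.internal
    Port                    12201
    # TLS with certificate verification, so alerts are neither readable nor
    # injectable by anyone on the path between the manager and Graylog.
    Mode                    tls
    tls                     On
    tls.verify              On
    tls.ca_file             /etc/fluent-bit/certs/ca.pem
    # rule.description is present on every Wazuh alert (full_log is not),
    # and agent.name identifies the source host in Graylog.
    Gelf_Short_Message_Key  rule_description
    Gelf_Host_Key           agent_name
```

On the Graylog side this expects a GELF TCP input with TLS enabled on port 12201. Run Fluent Bit as a dedicated non-root user and add it to the wazuh group, since on a default install the alerts directory is readable only by that group. Note that Wazuh rule levels (0 to 15) are not syslog severities, so do not pass rule_level through Gelf_Level_Key; map it to a severity field in a Graylog pipeline rule as part of the enrichment in step 4.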

Diagram

The following diagram provides a high-level view of the complete architecture:

[Architecture diagram]


This modular setup allows flexibility in scaling, extending, or replacing components depending on operational needs.