# Building a SIEM - 4 - Graylog Inputs, Wazuh Tuning, and Agents

04-25-2025

Tags: #Wazuh #SIEM #Graylog #Sysmon

Links: [[Building a SIEM - 3 - Installing Graylog]], [[Installing Sysmon on Windows]]

---

- [[#Introduction|Introduction]]
- [[#Configuring a Graylog Input|Configuring a Graylog Input]]
- [[#Installing Fluent-bit|Installing Fluent-bit]]
- [[#Tuning Wazuh-Manager|Tuning Wazuh-Manager]]
    - [[#Tuning Wazuh-Manager#Agent Password Authentication|Agent Password Authentication]]
    - [[#Tuning Wazuh-Manager#Enabling Vulnerability Detection|Enabling Vulnerability Detection]]
    - [[#Tuning Wazuh-Manager#Agent Configuration|Agent Configuration]]
    - [[#Tuning Wazuh-Manager#(Optional) Advanced Rules|(Optional) Advanced Rules]]
- [[#Deploying an Agent|Deploying an Agent]]
- [[#Finishing Up|Finishing Up]]
- [[#References|References]]

---

## Introduction

We've made it pretty far; we have Wazuh working and Graylog using Wazuh-indexer as backend storage. What's the next step? Well, we'll need to configure some inputs in Graylog, then we'll need **Fluent-bit** to read the logs that Wazuh-Manager writes and send the entries to our Graylog input.

**Why?** Because we want to centralize all that sweet sweet log data that is going to be coming in from all sorts of sources.

## Configuring a Graylog Input

This one is easy. Log in to Graylog, touch **System**, then **Inputs**. In the **Select input** field, search for `Raw/Plaintext TCP`. Touch **Launch new input**. Give it a name (I called mine Wazuh-Alerts) and save with just the default settings.

We're using Raw/Plaintext TCP because Fluent-bit will be sending raw JSON-formatted messages, and this input type doesn't try to parse them — it just accepts them as-is.
## Installing Fluent-bit

I'll use this command to install and run the Fluent-bit scripts, which will install *Fluent-bit 4.0.1* at the time of this post:

```terminal
curl https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh | sh
```

**Why Fluent-bit?** Fluent-bit is lightweight, fast, and highly configurable — perfect for taking logs written to disk (like our `alerts.json`) and forwarding them over the network to our Graylog input.

Wazuh-Manager writes logs to `/var/ossec/logs/alerts/alerts.json`, and we want to catch those alerts and send them to Graylog. We edit `/etc/fluent-bit/fluent-bit.conf` to configure Fluent-bit to do exactly that:

```fluent-bit.conf
[SERVICE]
    flush                     5
    daemon                    Off
    log_level                 info
    parsers_file              parsers.conf
    plugins_file              plugins.conf
    http_server               Off
    http_listen               0.0.0.0
    http_port                 2020
    storage.metrics           on
    storage.path              /var/log/flb-storage/
    storage.sync              normal
    storage.checksum          off
    storage.backlog.mem_limit 5M
    Log_File                  /var/log/td-agent-bit.log

[INPUT]
    name              tail
    path              /var/ossec/logs/alerts/alerts.json
    tag               wazuh
    parser            json
    Buffer_Max_Size   5MB
    Buffer_Chunk_Size 400k
    storage.type      filesystem
    Mem_Buf_Limit     512MB

[OUTPUT]
    Name          tcp
    Host          *your graylog host*
    Port          5555
    net.keepalive off
    Match         wazuh
    Format        json_lines
    json_date_key true
```

- **[INPUT]** tells Fluent-bit to "tail" (`follow`) the `alerts.json` file, reading any new alerts Wazuh writes.
- **[OUTPUT]** says, "Okay, now send those events over TCP to Graylog on port 5555." (You need to make sure the Graylog input port matches here.)
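Before pointing `[OUTPUT]` at Graylog, it helps to see exactly what `Format json_lines` puts on the wire. The following is an added example, not code from this post or from Fluent-bit or Graylog: a small Python stand-in for the Raw/Plaintext TCP input that reassembles alerts split across TCP reads, drops a malformed line without stalling the stream, and flags high-level alerts. The sample alerts, rule IDs and agent names are constructed; port 5555 matches the input above.

```python
import json
import socketserver
from collections import Counter


class JsonLinesDecoder:
    """Reassemble newline-delimited JSON from arbitrary TCP read chunks.

    One alert can straddle two recv() calls, so bytes after the last newline
    are held back until the next chunk completes the line."""

    def __init__(self):
        self._buf = b""
        self.bad_lines = 0  # lines that were not valid JSON (dropped)

    def feed(self, chunk: bytes) -> list:
        self._buf += chunk
        records = []
        while b"\n" in self._buf:
            line, self._buf = self._buf.split(b"\n", 1)
            if not line.strip():
                continue
            try:
                records.append(json.loads(line))
            except json.JSONDecodeError:
                self.bad_lines += 1
        return records


def triage(alert: dict) -> dict:
    """Pull the fields worth alerting on out of one Wazuh alert record."""
    rule = alert.get("rule", {})
    return {
        "agent": alert.get("agent", {}).get("name", "unknown"),
        "level": int(rule.get("level", 0)),
        "rule_id": rule.get("id"),
        "description": rule.get("description", ""),
        "groups": rule.get("groups", []),
    }


def summarize(alerts: list, min_level: int = 7) -> dict:
    """Alert count per agent, plus every alert at or above min_level."""
    per_agent, high = Counter(), []
    for t in map(triage, alerts):
        per_agent[t["agent"]] += 1
        if t["level"] >= min_level:
            high.append(t)
    return {"per_agent": dict(per_agent), "high": high}


# Constructed sample of the wire format: one JSON object per line, with the
# timestamp key Fluent-bit prepends (its name comes from json_date_key).
# The second alert is split across two chunks on purpose; "not json at all"
# stands in for a truncated write that must not stall the stream.
CHUNKS = [
    b'{"date":1745600000.0,"agent":{"name":"WIN-01"},"rule":{"id":"100020",'
    b'"level":12,"description":"Credential dumping tool executed",'
    b'"groups":["windows","sysmon"]}}\n'
    b'{"date":1745600001.0,"agent":{"name":"WIN-01"},"rule":{"id":"100001",',
    b'"level":3,"description":"Sysmon - Event 1: Process creation",'
    b'"groups":["windows","sysmon"]}}\nnot json at all\n'
    b'{"date":1745600002.0,"agent":{"name":"srv-web"},"rule":{"id":"100030",'
    b'"level":5,"description":"sshd: login attempt for non-existent user",'
    b'"groups":["syslog","sshd"]}}\n',
]


def decode_sample():
    """Run the constructed chunks through the decoder: (records, bad_lines)."""
    dec, records = JsonLinesDecoder(), []
    for chunk in CHUNKS:
        records.extend(dec.feed(chunk))
    return records, dec.bad_lines


class Handler(socketserver.StreamRequestHandler):
    """Live receiver: set Fluent-bit's [OUTPUT] Host/Port to this box:5555."""
    def handle(self):
        dec = JsonLinesDecoder()
        while chunk := self.request.recv(4096):
            for t in map(triage, dec.feed(chunk)):
                print(f"{t['agent']:<10} level={t['level']:<3} {t['description']}")


if __name__ == "__main__":
    with socketserver.TCPServer(("0.0.0.0", 5555), Handler) as srv:
        srv.serve_forever()
```

Run it on a test box, point Fluent-bit's `Host`/`Port` at it, and append a line to `alerts.json`; once you see the alert printed here, switch `Host` back to Graylog.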
Now we enable and start Fluent-bit:

```terminal
sudo systemctl enable --now fluent-bit
```

When all is said and done, go to Graylog, click on **System**, **Inputs**, and touch **Show received messages**; you should see the alerts that Wazuh-Manager is writing to alerts.json arriving:

![[alerts_json_in_Graylog_inputs.png]]

## Tuning Wazuh-Manager

This next section is about hardening and tuning Wazuh so that your agents are secure, your detections are meaningful, and you don't drown in noise.

### Agent Password Authentication

First we want only **our** Wazuh-agents to be able to register with Wazuh-Manager (currently, any agent could register with the manager, so long as the agent knows our manager's IP address). We start by editing `/var/ossec/etc/ossec.conf` and looking for the `<auth>` section:

```ossec.conf
<auth>
  <use_password>yes</use_password>
</auth>
```

Let's set a password by creating a file `authd.pass`:

```terminal
echo "tryhackme" > /var/ossec/etc/authd.pass
```

Then lock down the permissions and ownership:

```terminal
chmod 640 /var/ossec/etc/authd.pass
chown root:wazuh /var/ossec/etc/authd.pass
```

**Why is this important?** You don't want rogue agents — or attackers — registering fake endpoints to your Wazuh-Manager. Authentication locks it down.

### Enabling Vulnerability Detection

Let's enable vulnerability detection on our endpoints by activating it in the `/var/ossec/etc/ossec.conf` file. This will allow Wazuh-manager to run vulnerability assessments on the endpoints.
```ossec.conf
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>

  <!-- Ubuntu OS vulnerabilities -->
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>trusty</os>
    <os>xenial</os>
    <os>bionic</os>
    <os>focal</os>
    <os>jammy</os>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Debian OS vulnerabilities -->
  <provider name="debian">
    <enabled>yes</enabled>
    <os>stretch</os>
    <os>buster</os>
    <os>bullseye</os>
    <update_interval>1h</update_interval>
  </provider>

  <!-- RedHat OS vulnerabilities -->
  <provider name="redhat">
    <enabled>yes</enabled>
    <os>5</os>
    <os>6</os>
    <os>7</os>
    <os>8</os>
    <os>9</os>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Amazon Linux OS vulnerabilities -->
  <provider name="alas">
    <enabled>yes</enabled>
    <os>amazon-linux</os>
    <os>amazon-linux-2</os>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Arch OS vulnerabilities -->
  <provider name="arch">
    <enabled>yes</enabled>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Windows OS vulnerabilities -->
  <provider name="msu">
    <enabled>yes</enabled>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Aggregate vulnerabilities -->
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_from_year>2010</update_from_year>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
```

*Note:* If you don't use all of these OSes, you don't have to keep them, and you may improve performance if you get rid of them.

I'm commenting out `<vulnerability-detection>` and copying in this section.

```note
<!-- I didn't actually do any of this, I'm not sure if it's up to date for the current version of Wazuh-->
```

### Agent Configuration

I can set up Agent groups in Wazuh directly. Let's log in to the Dashboard to do so; you can follow along as well, [here](https://documentation.wazuh.com/current/user-manual/agent/agent-management/index.html).

1. We'll go to **Agents Management** then **Groups** and touch **Add new Group**. I'm going to call my group *Windows*.
2. I'll edit the group by touching the pencil icon under **Actions** on the right side.

Now let's tune the agent configuration.

#### Why Use This Tuned Wazuh Windows Agent Configuration?

Wazuh's default agent settings are okay for **basic visibility**, but they don't go deep enough for **real attack detection** or **serious forensic work**. This tuned configuration unlocks much better security and monitoring by:

- **Rootcheck and SCA (Security Configuration Assessment)**:
    - Scans the system for insecure configurations, missing patches, and known malware footprints — catching weak points early.
    - Ensures that important security baselines are _automatically_ checked every 12 hours.
- **Aggressive File Integrity Monitoring (FIM)**:
    - Tracks changes to critical system files (like `cmd.exe`, `powershell.exe`, `regedit.exe`) and key registry keys often targeted by attackers.
    - Uses tight scoping and ignores unimportant changes (like `.log`, `.jpg`, `.evtx` files) to reduce alert noise.
- **System Inventory and Hardware Monitoring**:
    - Automatically collects detailed info about the system's OS, hardware, software packages, ports, and running processes.
    - This helps **spot unauthorized software installs**, **rogue processes**, or **suspicious open ports** without manual work.
- **Event Log Collection**:
    - Specifically targets high-value Windows logs (Sysmon, PowerShell, Code Integrity, Task Scheduler, Firewall, Windows Defender) that are **key hunting grounds** for threat actors.
    - Sysmon events especially are a _goldmine_ for detecting lateral movement, privilege escalation, malware execution, and persistence techniques.
- **Active Response Capability**:
    - Enables automated blocking or remediation actions (like banning an IP or killing a malicious process) without waiting for a human to respond.
- **Client Buffering**:
    - Smooths out event spikes by buffering agent data intelligently, reducing the risk of dropped events when systems are under heavy load.

#### Benefits of Doing This

✅ **Far better visibility** into real-world attacks (not just "surface-level" detection).
✅ **Much lower false positives** because noise is filtered at the agent level.
✅ **Faster incident response** with automated actions enabled.
✅ **Better compliance** support by continuously auditing system state against security baselines.
✅ **Future-proofing** — you'll be ready to layer Graylog or advanced analytics tools later because you're collecting meaningful, high-signal data _now_.
✅ **Minimal impact** on system performance thanks to smart event throttling and tuned scanning intervals.

#### Drawbacks or Things to Watch Out For

⚠️ **Higher resource usage**:
- FIM and SCA scanning can add CPU/memory overhead, especially on older or heavily-loaded machines.

⚠️ **Possible alert overload if tuned poorly**:
- Good scoping and exclusions (like with `.jpg`, `.log`, etc.) are critical to avoid being overwhelmed.

⚠️ **Requires good Sysmon setup**:
- If Sysmon isn't configured well, you might miss telemetry or generate unnecessary noise.

#### Final Thought

By using this configuration, you're setting up **serious security telemetry** — the kind that real adversaries can't easily slip past. You're moving from "basic monitoring" to **actual threat hunting** readiness.
Now let's use it :)

#### Windows Agent Configuration

I'll copy and paste the following rules from the SOCFortress team into the config file:

```agent_config
<client_buffer>
  <!-- Agent buffer options -->
  <disabled>no</disabled>
  <queue_size>5000</queue_size>
  <events_per_second>500</events_per_second>
</client_buffer>

<!-- Policy monitoring -->
<rootcheck>
  <disabled>no</disabled>
  <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
  <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>

<sca>
  <enabled>yes</enabled>
  <scan_on_start>yes</scan_on_start>
  <interval>12h</interval>
  <skip_nfs>yes</skip_nfs>
</sca>

<!-- File integrity monitoring -->
<syscheck>
  <disabled>no</disabled>

  <!-- Frequency that syscheck is executed default every 12 hours -->
  <frequency>43200</frequency>

  <!-- Default files to be monitored. -->
  <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
  <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
  <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
  <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
  <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
  <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>

  <!-- 32-bit programs. -->
  <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
  <directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
  <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
  <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
  <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>
  <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>

  <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>
  <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

  <!-- Windows registry entries to monitor. -->
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

  <!-- Windows registry entries to ignore. -->
  <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
  <registry_ignore type="sregex">\Enum$</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>

  <!-- Frequency for ACL checking (seconds) -->
  <windows_audit_interval>60</windows_audit_interval>

  <!-- Nice value for Syscheck module -->
  <process_priority>10</process_priority>

  <!-- Maximum output throughput -->
  <max_eps>100</max_eps>

  <!-- Database synchronization settings -->
  <synchronization>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <max_interval>1h</max_interval>
    <max_eps>10</max_eps>
  </synchronization>
</syscheck>

<!-- System inventory -->
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <ports all="no">yes</ports>
  <processes>yes</processes>

  <!-- Database synchronization settings -->
  <synchronization>
    <max_eps>10</max_eps>
  </synchronization>
</wodle>

<!-- CIS policies evaluation -->
<wodle name="cis-cat">
  <disabled>yes</disabled>
  <timeout>1800</timeout>
  <interval>1d</interval>
  <scan-on-start>yes</scan-on-start>
  <java_path>\\server\jre\bin\java.exe</java_path>
  <ciscat_path>C:\cis-cat</ciscat_path>
</wodle>

<!-- Osquery integration -->
<wodle name="osquery">
  <disabled>yes</disabled>
  <run_daemon>yes</run_daemon>
  <bin_path>C:\Program Files\osquery\osqueryd</bin_path>
  <log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
  <config_path>C:\Program Files\osquery\osquery.conf</config_path>
  <add_labels>yes</add_labels>
</wodle>

<!-- Active response -->
<active-response>
  <disabled>no</disabled>
  <ca_store>wpk_root.pem</ca_store>
  <ca_verification>yes</ca_verification>
</active-response>

<!-- Log analysis -->
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

<localfile>
  <location>Windows PowerShell</location>
  <log_format>eventchannel</log_format>
</localfile>

<localfile>
  <location>Microsoft-Windows-CodeIntegrity/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

<localfile>
  <location>Microsoft-Windows-TaskScheduler/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

<localfile>
  <location>Microsoft-Windows-PowerShell/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
  <log_format>eventchannel</log_format>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```

Touch **Save**.

I can do the following with Linux as well, though I'm not going to do so on my box here; the Linux agent configuration would be the same except with these settings instead:

#### Linux Agent Configuration

```linux agent
<client_buffer>
  <!-- Agent buffer options -->
  <disabled>no</disabled>
  <queue_size>5000</queue_size>
  <events_per_second>500</events_per_second>
</client_buffer>

<!-- Policy monitoring -->
<rootcheck>
  <disabled>no</disabled>

  <!-- Frequency that rootcheck is executed - every 12 hours -->
  <frequency>43200</frequency>

  <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>

  <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
  <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>

  <skip_nfs>yes</skip_nfs>
</rootcheck>

<wodle name="open-scap">
  <disabled>yes</disabled>
  <timeout>1800</timeout>
  <interval>1d</interval>
  <scan-on-start>yes</scan-on-start>

  <content type="xccdf" path="ssg-debian-8-ds.xml">
    <profile>xccdf_org.ssgproject.content_profile_common</profile>
  </content>
  <content type="oval" path="cve-debian-oval.xml"/>
</wodle>

<!-- File integrity monitoring -->
<syscheck>
  <disabled>no</disabled>

  <!-- Frequency that syscheck is executed default every 12 hours -->
  <frequency>43200</frequency>

  <scan_on_start>yes</scan_on_start>

  <!-- Directories to check (perform all possible verifications) -->
  <directories>/etc,/usr/bin,/usr/sbin</directories>
  <directories>/bin,/sbin,/boot</directories>

  <!-- Files/directories to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>
  <ignore>/etc/mail/statistics</ignore>
  <ignore>/etc/random-seed</ignore>
  <ignore>/etc/random.seed</ignore>
  <ignore>/etc/adjtime</ignore>
  <ignore>/etc/httpd/logs</ignore>
  <ignore>/etc/utmpx</ignore>
  <ignore>/etc/wtmpx</ignore>
  <ignore>/etc/cups/certs</ignore>
  <ignore>/etc/dumpdates</ignore>
  <ignore>/etc/svc/volatile</ignore>
  <ignore>/sys/kernel/security</ignore>
  <ignore>/sys/kernel/debug</ignore>

  <!-- File types to ignore -->
  <ignore type="sregex">.log$|.swp$</ignore>

  <!-- Check the file, but never compute the diff -->
  <nodiff>/etc/ssl/private.key</nodiff>

  <skip_nfs>yes</skip_nfs>
  <skip_dev>yes</skip_dev>
  <skip_proc>yes</skip_proc>
  <skip_sys>yes</skip_sys>

  <!-- Nice value for Syscheck process -->
  <process_priority>10</process_priority>

  <!-- Maximum output throughput -->
  <max_eps>100</max_eps>

  <!-- Database synchronization settings -->
  <synchronization>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <response_timeout>30</response_timeout>
    <queue_size>16384</queue_size>
    <max_eps>10</max_eps>
  </synchronization>
</syscheck>

<!-- Log analysis -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/active-responses.log</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/messages</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/auth.log</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/syslog</location>
</localfile>

<localfile>
  <log_format>command</log_format>
  <command>df -P</command>
  <frequency>360</frequency>
</localfile>

<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  <frequency>360</frequency>
</localfile>

<localfile>
  <log_format>full_command</log_format>
  <command>last -n 5</command>
  <frequency>360</frequency>
</localfile>

<wodle name="osquery">
  <disabled>yes</disabled>
  <run_daemon>yes</run_daemon>
  <log_path>/var/log/osquery/osqueryd.results.log</log_path>
  <config_path>/etc/osquery/osquery.conf</config_path>
  <add_labels>yes</add_labels>
</wodle>

<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>24h</interval>
  <scan_on_start>yes</scan_on_start>
  <packages>yes</packages>
  <os>yes</os>
  <hotfixes>yes</hotfixes>
  <ports all="no">yes</ports>
  <processes>yes</processes>
</wodle>
```

### (Optional) Advanced Rules

Advanced rules are supplied by SOCFortress in a public repo on GitHub.
You can copy these rules manually, or use the supplied script to download them automatically, although you run the risk of duplicate rule IDs if you already have your own custom rules. If you're interested, you can find the rules [here](https://github.com/socfortress/Wazuh-Rules).

## Deploying an Agent

This part is gonna be great. We're going to use Wazuh's embedded agent creation to set it up for us. In **Wazuh**, under **Agent Management** and **Summary**, you'll have a bird's eye view of how your systems are doing.

We can touch **Deploy New Agent** on the right side, choose the OS type, input the address of our Wazuh server, and use the **Windows** group that we've already created. Then we'll copy the generated commands to be able to download and install the agent.

On my Windows client, I'm going to open up PowerShell ISE as an administrator, paste the commands and run the script. Then I'll run the command to start the service.

Bam! My SIEM is watching my Windows client.

But we're not done yet! The Windows Event Log doesn't see as much as we would like. What we want is Sysmon, which is Windows event logging on steroids. I wrote a quick guide on how to install Sysmon, using a specialized repo for even better event management, [[Installing Sysmon on Windows|here]]. Now, Wazuh can do a lot, but if we *really* want the next level (and we do, for sure), we're going to want to install Sysmon as well.
I'm not going to outline how to install Sysmon on my machine in this post, but you can check out how to do so [[Installing Sysmon on Windows|here]].

![[wazuh_agent.png]]

## Finishing Up

At this point, we have:

✅ Graylog Input ready to receive logs
✅ Fluent-bit tailing Wazuh alerts and shipping them over
✅ Wazuh-indexer opened up so Graylog can save those logs
✅ Wazuh-Manager tuned for better security and vulnerability scanning
✅ Agents organized into useful groups with hardened configs

And more importantly, we've set the foundation for a _real_, production-quality SIEM.

You didn't just connect pieces together. You locked down agent registration (with password auth), you **tuned** your detection coverage to actually spot important behaviors (not just "someone logged in"), and you **enabled proactive protection** with vulnerability scanning.

Going forward, you'll be able to build on this — adding detection rules, dashboards, alerts, even response automation if you want to get fancy.

Next time, we'll look at building out some **Dashboards** in Graylog and starting **Alerting**. That's where the fun (and the real value) begins.

---

## References

>Wazuh Agent Management Documentation: https://documentation.wazuh.com/current/user-manual/agent/agent-management/index.html
>socfortress, *Wazuh-Rules*: https://github.com/socfortress/Wazuh-Rules
>Taylor Walton, *Part 3. Wazuh Manager Install — Log Analysis*: https://socfortress.medium.com/part-3-wazuh-manager-install-log-analysis-e819f28b0f9e