Looking over your layout, it looks good, but Graylog from version 4.3 → 5 will be using OpenSearch, which is a fork of Elasticsearch. I have not worked with Wazuh to see if it's compatible with Graylog after 5.0.
As the Wazuh Indexer is a fork of OpenSearch, I am quite sure I saw the compatibility matrix somewhere; I will look for it tomorrow and post it here. If GL is not compatible with it, then we just use OpenSearch, I guess.
In that case, the first 3 machines I wrote, indexer01, 02, 03, will just be the 3 machines for OpenSearch 1, 2, 3?
Also, more importantly, I just read several MongoDB docs again but still am not sure about the replica.
As you can see in my list, there are 3 GL servers, each of which AFAIK should have a MongoDB instance inside.
In addition, I also planned 3 machines for 3 replicas.
Is that correct? I mean, is ReplicaSet01 replicated all the time from the MongoDB instance inside my Graylog Server 01?
To add the other three, you would need to find your primary MongoDB node and add them.
# Edit the Mongo configuration file.
# Edit the following values in mongod.conf.
# Replace mongo-node-1.domain.com with the fully qualified domain name of the current Mongo node, and mongoReplicaSet with your own.
# Enter the following command to create the replica set.
# Enter the following command to add other nodes, where the other node is named,
# for example, "mongo-node-2" and the domain is domain.com.
If you need all 6 MongoDB instances to work together (cluster), then there will be a primary and secondary instances.
OR, if those Graylog servers w/ Mongo are separate and you're trying to use the replica set for backup, you may want to rethink your layout. It's possible you could use a different database name for each one of the individual Graylog servers, i.e., graylog1.db, graylog2.db, etc…
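The rs.initiate() document the steps above refer to, as an added example (not code from the thread or from the MongoDB docs): it builds the config for a three-node set and sanity-checks it before you run it on the node that will become primary. The host names are constructed placeholders modelled on the thread's mongo-node-1.domain.com, and the replSetName mongoReplicaSet is the one from the thread.

```javascript
// Added example: build and sanity-check the document passed to rs.initiate()
// in mongosh for a Graylog MongoDB replica set. Host names are constructed
// placeholders; "mongoReplicaSet" is the replSetName used in the thread.

// Returns the replica-set config document expected by rs.initiate().
function buildReplicaSetConfig(replSetName, hosts, port = 27017) {
  return {
    _id: replSetName,
    members: hosts.map((host, i) => ({ _id: i, host: `${host}:${port}` })),
  };
}

// Checks to run before initiating. Returns an array of problem strings
// (empty means the config passes): unique fqdn:port hosts, at most 7 voting
// members, and an odd number of voters so elections reach a majority.
function validateReplicaSetConfig(cfg) {
  const problems = [];
  if (typeof cfg._id !== "string" || cfg._id === "") problems.push("missing replSetName (_id)");
  const seen = new Set();
  for (const m of cfg.members) {
    if (!/^[^:\s]+:\d+$/.test(m.host)) problems.push(`host "${m.host}" must be fqdn:port`);
    if (seen.has(m.host)) problems.push(`duplicate host "${m.host}"`);
    seen.add(m.host);
  }
  const voters = cfg.members.filter((m) => (m.votes ?? 1) > 0).length;
  if (voters > 7) problems.push(`${voters} voting members exceeds the limit of 7`);
  if (voters % 2 === 0) problems.push(`${voters} voting members is even; use an odd number or add an arbiter`);
  return problems;
}

// mongod.conf fragment every node of the set needs: replication.replSetName
// must equal cfg._id, and net.bindIp must include the node's own FQDN so the
// other members can reach it (127.0.0.1 alone keeps the node unreachable).
function mongodConfFragment(replSetName, fqdn) {
  return `net:\n  bindIp: 127.0.0.1,${fqdn}\nreplication:\n  replSetName: ${replSetName}\n`;
}

// Usage: one Mongo per Graylog server, three nodes, as discussed above.
const threeNodes = ["mongo-node-1.domain.com", "mongo-node-2.domain.com", "mongo-node-3.domain.com"];
const cfg = buildReplicaSetConfig("mongoReplicaSet", threeNodes);
console.log(JSON.stringify(cfg, null, 2));   // paste into rs.initiate(...) on ONE node only
console.log(validateReplicaSetConfig(cfg));   // [] for three nodes
console.log(mongodConfFragment("mongoReplicaSet", threeNodes[0]));
```

Run it with six hosts to see why the "3 Graylog + 3 replica" layout needs rethinking: an even number of voters is flagged, and the fix is an odd count or an arbiter.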
Sure, why not. So far the integration looks good; I am getting what I was looking to deploy.
The user did send me a personal message; I replied with the environment that I am running.
If required, happy to help. It also helps to see different views of how people look to deploy.
Wazuh is a very rich platform, SIEM/EDR and more. I actually used it in the past and was very happy with it. The list is huge, but basically you deploy Wazuh agents, forward the logs, FIM, inventory, CVE detection and much more.
Regarding the Hive5, yes, I know, thanks; we should get a license soon.
Thanks for your answer.
I have built and managed a SOC in the government environment for several years and know the ups and downs.
I had deployed QRadar as a large distributed system. At some point I stopped having fun with a closed proprietary system. The setup consisted of QRadar, TheHive, OpenCTI, MISP, OTRS and a lot of hand-made (Python) applications.