Deploy Wazuh SIEM for centralized security monitoring #35

Open
opened 2026-05-05 17:52:02 -05:00 by pjennings · 0 comments
Owner

Overview

Deploy Wazuh as the centralized security monitoring and intrusion detection platform for the entire Reinitialized Infrastructure fleet.

Why Wazuh

  • Open-source SIEM + XDR with no licensing costs
  • Lightweight agents for all NixOS VMs and Docker hosts
  • Built-in rules for common attacks, misconfigurations, compliance violations
  • Works with Docker, nginx, Stalwart, Authentik
  • Real-time alerting for security events

Phase 1: Wazuh Manager Deployment

  • Deploy Wazuh manager on apps1 or dedicated VM
  • Configure Wazuh indexer (OpenSearch) for log storage
  • Configure Wazuh dashboard for visualization
  • Docker Compose deployment (consistent with existing stack)

Phase 2: Agent Deployment

  • Install Wazuh agents on all NixOS hosts (rp1, apps1, apps2, apps3, gs1, ai1, db1, devenv)
  • Configure agents to report to Wazuh manager
  • Verify agent connectivity and heartbeat

Phase 3: Detection Rules

  • SSH brute-force detection
  • File integrity monitoring (FIM) on /etc, /nix/store
  • Docker container monitoring
  • Log collection: Stalwart, Authentik, Nginx, Technitium, system auth
  • Vulnerability detection (CVE scanning)
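
As an added example (not from this issue or from Wazuh's own code), the correlation a frequency/timeframe rule such as the Phase 3 SSH brute-force detection performs, run over constructed sshd log lines; the thresholds, the syslog-style line format and the host/source names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed thresholds, mirroring the frequency/timeframe idea of Wazuh's
# stock sshd brute-force rule; verify against the ruleset actually shipped.
FREQUENCY = 8    # failures needed ...
TIMEFRAME = 120  # ... within this many seconds from one source

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)

# Constructed sample sshd lines (syslog-style, UTC), not captured traffic.
_BASE = datetime(2026, 5, 5, 18, 0, 0, tzinfo=timezone.utc)

def _line(offset, src, host="apps1"):
    ts = (_BASE + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} {host} sshd[2201]: Failed password for invalid user admin from {src} port {40000 + offset} ssh2"

SAMPLE_LOG = "\n".join(
    [_line(t, "203.0.113.7") for t in range(0, 45, 5)]     # 9 failures in 40 s: a burst
    + [_line(t, "198.51.100.9") for t in (0, 200, 400)]    # 3 failures, far apart
    + [_line(t, "192.0.2.44") for t in range(0, 160, 20)]  # 8 failures over 140 s: slow
    + [f"{_BASE.strftime('%Y-%m-%dT%H:%M:%SZ')} apps1 sshd[2300]: Accepted publickey for ops from 10.0.0.5 port 4410 ssh2"]
)

def detect_bruteforce(log_text, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Return one alert per (host, source) burst of >= frequency failures within timeframe seconds."""
    windows = defaultdict(deque)  # (host, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        window = windows[(m["host"], m["src"])]
        window.append(ts)
        # Drop failures that have fallen out of the sliding timeframe.
        while window and (ts - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:
            alerts.append({"host": m["host"], "src": m["src"], "count": len(window),
                           "first": window[0].isoformat(), "last": ts.isoformat()})
            window.clear()  # one alert per burst; later failures start a new window
    return alerts

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT sshd brute force on {a['host']} from {a['src']}: {a['count']} failures {a['first']}..{a['last']}")
```

The slow source (192.0.2.44) stays under the threshold because its eight failures span more than the timeframe, which is the tuning trade-off to keep in mind when the stock rule is adjusted for this fleet.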

Phase 4: Alerting and Response

  • Alert levels: email, webhook, dashboard
  • Integration with Matrix/Discord notifications
  • Custom rules for infrastructure-specific events
  • Incident response procedures documented

Architecture

Wazuh Manager -> Wazuh Indexer (OpenSearch) -> Wazuh Dashboard (Web UI)
  |
  | Agent protocol (port 1514/1515)
  |
  +-- rp1 agent
  +-- apps1 agent
  +-- apps2 agent
  +-- ai1 agent
  +-- db1 agent
  +-- ... all NixOS hosts

Acceptance Criteria

  • Wazuh manager deployed and accessible via dashboard
  • Agents running on all infrastructure hosts
  • SSH brute-force alerts working
  • File integrity monitoring active
  • Docker container events captured
  • Mail/SSO/DNS logs being ingested
  • Alert notifications configured
  • Documentation in docs/

References

  • Wazuh Documentation: https://documentation.wazuh.com/
  • Wazuh Docker: https://documentation.wazuh.com/current/deployment-options/docker/index.html
  • Related: Security audit issues #9-#30
  • Related: docs/network-scan-2026-05-05.md