Wazuh for Incident Detection: Design and Implementation
摘要
Security information and event management (SIEM) systems are essential components in modern cybersecurity operations, enabling centralised log aggregation, threat detection, and incident response. This paper presents the design, implementation, and validation of a fully distributed, open-source SIEM architecture based on the Wazuh platform, chosen after a comparative analysis of the main open-source alternatives. The proposed project integrates redundant managers, indexers, and load balancers into a highly available ecosystem, ensuring uninterrupted log ingestion and agent persistence during component failures. Robustness was achieved through efficient distribution of indexes with replicas and shards, continuous failover through VIP management, and the ability to handle operational ingestion spikes significantly above the average events per second (EPS) rate, validating scalability concerning industry expectations. Flexibility was ensured through unrestricted integration of multiple log sources, development of custom decoders and detection rules, and seamless interoperability with other open-source tools, advantages often restricted in commercial solutions. The tests confirmed resilience, scalability, and operational efficiency, although limitations remain: large-scale stress tests with the full number of planned agents and quantitative measurements of detection accuracy were not performed. Future work will address these gaps by conducting comprehensive performance evaluations, integrating open-source threat intelligence platforms, and refining correlation rules to improve detection and reduce false positives. The results demonstrate that, with the right architecture choices, open-source SIEM solutions can match and, in certain respects, surpass the robustness and flexibility of commercial platforms, offering a cost-effective and adaptable alternative for complex security environments.