Hello, I’m sorry if I say anything foolish, I’m just trying to learn setting up a SIEM stack (real simple, I know /s). I have an idea in my head to take a bunch of Docker containers and put them all up in a VM that will be able to handle everything from the SIEM stack. I have a 12-core CPU and a couple terabytes of hard drive space to work with and 64 GB of memory. It doesn’t need to be active either, I just want to learn how all the parts work together and fit. My plan was to make the following Docker containers:
- Wazuh indexer: indexes all the logs
- Wazuh Manager: ingests logs from some other devices on the network with Wazuh agents installed on them. I plan on just having a single server and a workstation hooked to it as an example. It’s a test environment.
- Graylog: to standardize the logs and clean them up
- Grafana: for visual dashboards
- A.I. usage through OpenCTI and MISP
- Cortex: case management
- Shuffle: for automation
- Telegraf: to monitor system health
And have them all running on a single Ubuntu VM. I’m not sure if it’ll crack under all these containers or not, or if this would be a good idea to try in the first place. My idea was to make a Docker image that had all these parts working together so I could have a pop-up SIEM anywhere I want given enough hardware.
Is this a feasible plan? Would this be enough hardware to try? If not, what would be enough? I got this idea based on what I saw in this video: https://youtu.be/t4EJ98BNcvw?si=pDQdZKebe3eXQyyX
Oh, and don’t run it all in one image; make one per service and use docker-compose to bring it up.
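As an added illustration of that reply (not something from the original thread or from the Wazuh, Grafana or Telegraf projects), here is the shape of a compose file that runs each service in its own container with a memory cap, so the 64 GB box above is shared deliberately rather than left for one JVM to eat. The image names are the projects' public Docker Hub images; the version tags, heap sizes and memory limits are assumptions to adjust, and the remaining services (Graylog, OpenCTI, MISP, Cortex, Shuffle) are added the same way, one service block each.

```yaml
# Added example, not from the post. Values marked "assumed" are not from the thread.
services:
  wazuh-indexer:
    image: wazuh/wazuh-indexer:${WAZUH_VERSION}    # set WAZUH_VERSION in .env (assumed)
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms4g -Xmx4g"       # JVM heap; keep well under mem_limit
    mem_limit: 8g                                  # assumed budget for the indexer
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer  # indexed logs survive container restarts
    restart: unless-stopped

  wazuh-manager:
    image: wazuh/wazuh-manager:${WAZUH_VERSION}
    ports:
      - "1514:1514"      # agent events from the test server and workstation
      - "1515:1515"      # agent enrollment
    depends_on:
      - wazuh-indexer    # start the indexer first
    mem_limit: 4g        # assumed
    restart: unless-stopped

  grafana:
    image: grafana/grafana:latest
    ports:
      - "3000:3000"      # dashboards on the VM only; do not expose beyond the lab network
    mem_limit: 1g        # assumed
    restart: unless-stopped

  telegraf:
    image: telegraf:latest
    volumes:
      - ./telegraf.conf:/etc/telegraf/telegraf.conf:ro   # host-metrics config (assumed file)
    mem_limit: 512m      # assumed
    restart: unless-stopped

  # graylog, mongodb (Graylog's config store), opencti, misp, cortex and shuffle
  # each get their own service block here with their own mem_limit.

volumes:
  wazuh-indexer-data:
```

Bring it up with `docker compose up -d` and check `docker stats` to see whether the per-service caps leave headroom on the 64 GB VM; a container that keeps hitting its limit is the one to either resize or move to another host.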