Hello, I’m sorry if I say anything foolish, I’m just trying to learn setting up a SIEM stack ( real simple I know /s). I have an idea in my head to take a bunch of docker containers and put them all up in a vm that will be able to handle everything from the SIEM stack. I have a 12 core CPU and a couple terabytes of hard drive space to work with and 64gb of memory. It doesn’t need to be active either, I just want to learn how all the parts work together and fit. My plan was to make the following docker containers:

  1. Wazuh indexer: indexes all the logs
  2. Wazuh Manager: ingests logs from some other devices on the network with wazuh agents installed on them. I plan on just having a single server and a workstation hooked to it as an example. It’s a test environment
  3. Graylog: to standardize the logs and clean them up
  4. Graphana: for visual dashboards
  5. A.I. usage through OPENCTI and MISP
  6. Cortex: case management
  7. Shuffle: for automation
  8. Telegraf: to monitor system health

And have them all running on a single Ubuntu vm. I’m not sure if it’ll Crack under all these containers or not or if this would be a good idea to try in the first place. My idea was to make a docker image that had all these parts working together so I could have a pop-up SIEM anywhere I want given enough hardware.

Is this a feasible plan? Would this be enough hardware to try? If not, what would be enough? I got this idea based on what I saw in this video: https://youtu.be/t4EJ98BNcvw?si=pDQdZKebe3eXQyyX

  • keisatsu
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    oh and don’t run it all in one image, make one per service and use docker-compose to bring it up