OpenSearch and Wazuh Integration - Building a Comprehensive Security Analytics Platform#

The integration of OpenSearch with Wazuh creates a powerful, open-source security information and event management (SIEM) platform. This comprehensive guide explores the architecture, implementation details, and best practices for deploying this solution at scale.

Table of Contents#

Architecture Overview#

The OpenSearch-Wazuh stack combines the search and analytics capabilities of OpenSearch with Wazuh’s security monitoring and threat detection features. This integration provides real-time visibility into security events across your infrastructure.

graph TB
    subgraph "Data Sources"
        subgraph "Endpoints"
            Linux[Linux Servers]
            Windows[Windows Servers]
            Network[Network Devices]
            Cloud[Cloud Resources]
            Apps[Applications]
        end
    end

    subgraph "Collection Layer"
        subgraph "Wazuh Agents"
            LA[Linux Agent]
            WA[Windows Agent]
            AL[Agentless]
        end

        subgraph "Log Collectors"
            Syslog[Syslog Collector]
            Beats[Beats/Logstash]
            API[API Collectors]
        end
    end

    subgraph "Processing Layer"
        subgraph "Wazuh Manager Cluster"
            WM1[Wazuh Manager 1<br/>(Master)]
            WM2[Wazuh Manager 2<br/>(Worker)]
            WM3[Wazuh Manager 3<br/>(Worker)]

            subgraph "Manager Components"
                Analysisd[Analysis Engine]
                Remoted[Remote Daemon]
                Monitord[Monitor Daemon]
                Logcollector[Log Collector]
                Integratord[Integration Daemon]
            end
        end

        WazuhAPI[Wazuh API]
        Filebeat[Filebeat]
    end

    subgraph "Storage Layer"
        subgraph "OpenSearch Cluster"
            OS1[OpenSearch Node 1<br/>(Master Eligible)]
            OS2[OpenSearch Node 2<br/>(Master Eligible)]
            OS3[OpenSearch Node 3<br/>(Master Eligible)]
            OS4[OpenSearch Node 4<br/>(Data)]
            OS5[OpenSearch Node 5<br/>(Data)]
            OS6[OpenSearch Node 6<br/>(Ingest)]
        end
    end

    subgraph "Visualization Layer"
        OSD[OpenSearch Dashboards]
        WazuhApp[Wazuh App Plugin]
        Kibana[Alternative: Kibana]
    end

    subgraph "Security Layer"
        Certs[Certificate Authority]
        LDAP[LDAP/AD Integration]
        RBAC[Role-Based Access]
    end

    Linux --> LA
    Windows --> WA
    Network --> Syslog
    Cloud --> API
    Apps --> Beats

    LA --> Remoted
    WA --> Remoted
    AL --> Remoted
    Syslog --> Logcollector
    Beats --> OS6
    API --> Integratord

    Remoted --> Analysisd
    Logcollector --> Analysisd
    Integratord --> Analysisd

    Analysisd --> Monitord
    Monitord --> Filebeat

    WM1 -.->|Cluster Sync| WM2
    WM1 -.->|Cluster Sync| WM3

    Filebeat --> OS6

    OS1 -.->|Cluster| OS2
    OS2 -.->|Cluster| OS3
    OS3 -.->|Cluster| OS4
    OS4 -.->|Cluster| OS5
    OS5 -.->|Cluster| OS6

    OS1 --> OSD
    WazuhAPI --> WazuhApp
    WazuhApp --> OSD

    Certs --> WM1
    Certs --> OS1
    LDAP --> OSD
    RBAC --> WazuhApp

    style WM1 fill:#f96,stroke:#333,stroke-width:4px
    style OS1 fill:#9f9,stroke:#333,stroke-width:4px
    style OSD fill:#99f,stroke:#333,stroke-width:4px

Component Responsibilities#

Wazuh Agents: Collect logs, monitor file integrity, detect rootkits, and perform vulnerability scanning
Wazuh Manager: Process and analyze security events, manage agents, and coordinate responses
OpenSearch: Store and index security data for fast retrieval and analysis
OpenSearch Dashboards: Visualize security data and provide interactive dashboards
Wazuh App: Extend OpenSearch Dashboards with Wazuh-specific features

Data Flow Diagram#

Understanding how data flows through the system is crucial for troubleshooting and optimization:

sequenceDiagram
    participant Agent as Wazuh Agent
    participant Manager as Wazuh Manager
    participant Filebeat as Filebeat
    participant OpenSearch as OpenSearch
    participant Dashboard as OpenSearch Dashboards
    participant User as Security Analyst

    Note over Agent,User: Real-time Event Collection and Processing

    Agent->>Agent: Collect logs/events
    Agent->>Agent: Local analysis

    Agent->>Manager: Send events (1514/tcp)
    Note over Agent,Manager: Encrypted with pre-shared key

    Manager->>Manager: Decode & normalize
    Manager->>Manager: Rule evaluation
    Manager->>Manager: Threat detection

    alt Alert triggered
        Manager->>Manager: Generate alert
        Manager->>Manager: Enrich with context
    end

    Manager->>Manager: Store in local queue
    Manager->>Filebeat: Read alerts.json

    Filebeat->>Filebeat: Parse JSON
    Filebeat->>OpenSearch: Bulk index (9200/tcp)
    Note over Filebeat,OpenSearch: TLS encrypted

    OpenSearch->>OpenSearch: Index documents
    OpenSearch->>OpenSearch: Update mappings

    User->>Dashboard: Access UI (5601/tcp)
    Dashboard->>OpenSearch: Query data
    OpenSearch->>Dashboard: Return results
    Dashboard->>User: Display visualizations

    opt Real-time monitoring
        loop Every 5 seconds
            Dashboard->>OpenSearch: Refresh query
            OpenSearch->>Dashboard: Updated data
            Dashboard->>User: Update display
        end
    end

    opt Active Response
        User->>Dashboard: Trigger response
        Dashboard->>Manager: API call (55000/tcp)
        Manager->>Agent: Execute command
        Agent->>Agent: Perform action
        Agent->>Manager: Report result
    end

Data Processing Pipeline#

1
# Pipeline stages with processing details
2
pipeline:
3
  - stage: collection
4
    components:
5
      - wazuh_agent:
6
          functions:
7
            - log_collection
8
            - file_integrity_monitoring
9
            - system_calls_monitoring
10
            - command_monitoring
11
          output: raw_events
12

13
  - stage: normalization
14
    components:
15
      - wazuh_manager:
16
          functions:
17
            - decode_events
18
            - extract_fields
19
            - normalize_timestamps
20
            - enrich_metadata
21
          output: normalized_events
22

23
  - stage: analysis
24
    components:
25
      - analysis_engine:
26
          functions:
27
            - rule_matching
28
            - correlation
29
            - threat_intelligence
30
            - anomaly_detection
31
          output: alerts
32

33
  - stage: indexing
34
    components:
35
      - opensearch:
36
          functions:
37
            - document_parsing
38
            - field_mapping
39
            - indexing
40
            - replication
41
          output: searchable_data
42

43
  - stage: visualization
44
    components:
45
      - dashboards:
46
          functions:
47
            - query_execution
48
            - aggregation
49
            - visualization
50
            - reporting
51
          output: insights

Security Certificate Chain#

Security is paramount in a SIEM deployment. Here’s how the certificate chain ensures secure communication:

graph TB
    subgraph "Certificate Authority Infrastructure"
        RootCA[Root CA<br/>CN=Wazuh Root CA]
        IntermediateCA[Intermediate CA<br/>CN=Wazuh Intermediate CA]
    end

    subgraph "Server Certificates"
        subgraph "Wazuh Certificates"
            WazuhAPI[Wazuh API<br/>CN=wazuh-api.domain.com]
            WazuhAuth[Wazuh Authd<br/>CN=wazuh-authd.domain.com]
            WazuhCluster[Wazuh Cluster<br/>CN=wazuh-cluster.domain.com]
        end

        subgraph "OpenSearch Certificates"
            OSNode[Node Certificates<br/>CN=os-node-*.domain.com]
            OSAdmin[Admin Certificate<br/>CN=os-admin.domain.com]
            OSTransport[Transport Certificate<br/>CN=os-transport.domain.com]
            OSHTTP[HTTP Certificate<br/>CN=os-http.domain.com]
        end

        subgraph "Dashboard Certificates"
            OSDash[OpenSearch Dashboards<br/>CN=dashboards.domain.com]
            WazuhApp[Wazuh App<br/>CN=wazuh-app.domain.com]
        end
    end

    subgraph "Client Certificates"
        FilebeatCert[Filebeat Client<br/>CN=filebeat.domain.com]
        AgentCert[Agent Certificates<br/>CN=agent-*.domain.com]
        UserCert[User Certificates<br/>CN=user@domain.com]
    end

    RootCA --> IntermediateCA

    IntermediateCA --> WazuhAPI
    IntermediateCA --> WazuhAuth
    IntermediateCA --> WazuhCluster

    IntermediateCA --> OSNode
    IntermediateCA --> OSAdmin
    IntermediateCA --> OSTransport
    IntermediateCA --> OSHTTP

    IntermediateCA --> OSDash
    IntermediateCA --> WazuhApp

    IntermediateCA --> FilebeatCert
    IntermediateCA --> AgentCert
    IntermediateCA --> UserCert

    style RootCA fill:#f96,stroke:#333,stroke-width:4px
    style IntermediateCA fill:#ff9,stroke:#333,stroke-width:2px
    style OSNode fill:#9f9,stroke:#333,stroke-width:2px

Certificate Generation Script#

1
#!/bin/bash
2
# Generate complete certificate chain for Wazuh-OpenSearch deployment
3

4
set -e
5

6
# Configuration
7
CERT_DIR="/etc/wazuh-certificates"
8
DAYS_VALID=3650
9
KEY_SIZE=4096
10
COUNTRY="US"
11
STATE="California"
12
CITY="San Francisco"
13
ORG="Security Organization"
14
OU="Security Operations"
15

16
# Create certificate directory
17
mkdir -p ${CERT_DIR}/{ca,server,client}
18

19
# Generate Root CA
20
echo "Generating Root CA..."
21
openssl genrsa -out ${CERT_DIR}/ca/root-ca-key.pem ${KEY_SIZE}
22
openssl req -new -x509 -sha256 -days ${DAYS_VALID} \
23
    -key ${CERT_DIR}/ca/root-ca-key.pem \
24
    -out ${CERT_DIR}/ca/root-ca.pem \
25
    -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORG}/OU=${OU}/CN=Wazuh Root CA"
26

27
# Generate Intermediate CA
28
echo "Generating Intermediate CA..."
29
openssl genrsa -out ${CERT_DIR}/ca/intermediate-ca-key.pem ${KEY_SIZE}
30
openssl req -new -sha256 \
31
    -key ${CERT_DIR}/ca/intermediate-ca-key.pem \
32
    -out ${CERT_DIR}/ca/intermediate-ca.csr \
33
    -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORG}/OU=${OU}/CN=Wazuh Intermediate CA"
34

35
# Sign Intermediate CA
36
openssl x509 -req -days ${DAYS_VALID} -sha256 \
37
    -in ${CERT_DIR}/ca/intermediate-ca.csr \
38
    -CA ${CERT_DIR}/ca/root-ca.pem \
39
    -CAkey ${CERT_DIR}/ca/root-ca-key.pem \
40
    -CAcreateserial \
41
    -out ${CERT_DIR}/ca/intermediate-ca.pem \
42
    -extensions v3_intermediate_ca \
43
    -extfile <(cat <<EOF
44
[v3_intermediate_ca]
45
subjectKeyIdentifier = hash
46
authorityKeyIdentifier = keyid:always,issuer
47
basicConstraints = critical, CA:true, pathlen:0
48
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
49
EOF
50
)
51

52
# Create certificate chain
53
cat ${CERT_DIR}/ca/intermediate-ca.pem ${CERT_DIR}/ca/root-ca.pem > ${CERT_DIR}/ca/ca-chain.pem
54

55
# Function to generate server certificates
56
generate_server_cert() {
57
    local name=$1
58
    local cn=$2
59
    local san=$3
60

61
    echo "Generating certificate for ${name}..."
62

63
    # Generate private key
64
    openssl genrsa -out ${CERT_DIR}/server/${name}-key.pem ${KEY_SIZE}
65

66
    # Generate CSR
67
    openssl req -new -sha256 \
68
        -key ${CERT_DIR}/server/${name}-key.pem \
69
        -out ${CERT_DIR}/server/${name}.csr \
70
        -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORG}/OU=${OU}/CN=${cn}"
71

72
    # Sign certificate
73
    openssl x509 -req -days ${DAYS_VALID} -sha256 \
74
        -in ${CERT_DIR}/server/${name}.csr \
75
        -CA ${CERT_DIR}/ca/intermediate-ca.pem \
76
        -CAkey ${CERT_DIR}/ca/intermediate-ca-key.pem \
77
        -CAcreateserial \
78
        -out ${CERT_DIR}/server/${name}.pem \
79
        -extensions v3_server \
80
        -extfile <(cat <<EOF
81
[v3_server]
82
subjectKeyIdentifier = hash
83
authorityKeyIdentifier = keyid,issuer
84
basicConstraints = CA:FALSE
85
keyUsage = critical, digitalSignature, keyEncipherment
86
extendedKeyUsage = serverAuth, clientAuth
87
subjectAltName = ${san}
88
EOF
89
)
90

91
    # Create full chain
92
    cat ${CERT_DIR}/server/${name}.pem ${CERT_DIR}/ca/ca-chain.pem > ${CERT_DIR}/server/${name}-chain.pem
93
}
94

95
# Generate OpenSearch node certificates
96
for i in {1..6}; do
97
    generate_server_cert "opensearch-node${i}" \
98
        "opensearch-node${i}.domain.com" \
99
        "DNS:opensearch-node${i}.domain.com,DNS:opensearch-node${i},IP:10.0.1.${i}"
100
done
101

102
# Generate OpenSearch admin certificate
103
generate_server_cert "opensearch-admin" \
104
    "opensearch-admin.domain.com" \
105
    "DNS:opensearch-admin.domain.com,DNS:localhost,IP:127.0.0.1"
106

107
# Generate Wazuh certificates
108
generate_server_cert "wazuh-manager" \
109
    "wazuh-manager.domain.com" \
110
    "DNS:wazuh-manager.domain.com,DNS:wazuh,IP:10.0.2.1"
111

112
generate_server_cert "wazuh-dashboard" \
113
    "wazuh-dashboard.domain.com" \
114
    "DNS:wazuh-dashboard.domain.com,DNS:dashboard,IP:10.0.2.2"
115

116
# Set appropriate permissions
117
chmod 400 ${CERT_DIR}/ca/*-key.pem
118
chmod 400 ${CERT_DIR}/server/*-key.pem
119
chmod 444 ${CERT_DIR}/ca/*.pem
120
chmod 444 ${CERT_DIR}/server/*.pem
121

122
echo "Certificate generation complete!"

Deployment Architecture#

Production Deployment Topology#

graph TB
    subgraph "DMZ"
        LB[Load Balancer<br/>HAProxy/Nginx]
        WAF[Web Application Firewall]
    end

    subgraph "Application Tier"
        subgraph "Wazuh Managers"
            WM1[Wazuh Manager 1<br/>Master Node<br/>10.0.2.1]
            WM2[Wazuh Manager 2<br/>Worker Node<br/>10.0.2.2]
            WM3[Wazuh Manager 3<br/>Worker Node<br/>10.0.2.3]
        end

        subgraph "OpenSearch Dashboards"
            OSD1[Dashboard 1<br/>10.0.3.1]
            OSD2[Dashboard 2<br/>10.0.3.2]
        end
    end

    subgraph "Data Tier"
        subgraph "OpenSearch Cluster"
            subgraph "Master Nodes"
                OSM1[Master 1<br/>10.0.4.1]
                OSM2[Master 2<br/>10.0.4.2]
                OSM3[Master 3<br/>10.0.4.3]
            end

            subgraph "Data Nodes"
                OSD1_data[Data 1<br/>10.0.4.4]
                OSD2_data[Data 2<br/>10.0.4.5]
                OSD3_data[Data 3<br/>10.0.4.6]
                OSD4_data[Data 4<br/>10.0.4.7]
            end

            subgraph "Ingest Nodes"
                OSI1[Ingest 1<br/>10.0.4.8]
                OSI2[Ingest 2<br/>10.0.4.9]
            end
        end
    end

    subgraph "Storage Tier"
        NFS[NFS Storage<br/>Snapshots]
        S3[S3 Compatible<br/>Long-term Storage]
    end

    subgraph "Monitoring"
        Prometheus[Prometheus]
        Grafana[Grafana]
        AlertManager[AlertManager]
    end

    LB --> WAF
    WAF --> OSD1
    WAF --> OSD2

    OSD1 --> OSM1
    OSD2 --> OSM1

    WM1 -.->|Cluster| WM2
    WM2 -.->|Cluster| WM3

    WM1 --> OSI1
    WM2 --> OSI2
    WM3 --> OSI1

    OSM1 -.->|Coordination| OSM2
    OSM2 -.->|Coordination| OSM3

    OSI1 --> OSD1_data
    OSI2 --> OSD2_data

    OSD1_data -.->|Replication| OSD2_data
    OSD2_data -.->|Replication| OSD3_data
    OSD3_data -.->|Replication| OSD4_data

    OSD1_data --> NFS
    OSD1_data --> S3

    Prometheus --> WM1
    Prometheus --> OSM1
    Prometheus --> Grafana
    Grafana --> AlertManager

    style LB fill:#f96,stroke:#333,stroke-width:2px
    style WM1 fill:#9f9,stroke:#333,stroke-width:2px
    style OSM1 fill:#99f,stroke:#333,stroke-width:2px

Installation and Configuration#

OpenSearch Cluster Setup#

1
# opensearch.yml - Master node configuration
2
cluster.name: wazuh-security-cluster
3
node.name: opensearch-master-1
4
node.roles: [master]
5

6
network.host: 10.0.4.1
7
discovery.seed_hosts:
8
  - 10.0.4.1
9
  - 10.0.4.2
10
  - 10.0.4.3
11
cluster.initial_master_nodes:
12
  - opensearch-master-1
13
  - opensearch-master-2
14
  - opensearch-master-3
15

16
# Security settings
17
plugins.security.ssl.transport.pemcert_filepath: certificates/opensearch-node1.pem
18
plugins.security.ssl.transport.pemkey_filepath: certificates/opensearch-node1-key.pem
19
plugins.security.ssl.transport.pemtrustedcas_filepath: certificates/ca-chain.pem
20
plugins.security.ssl.transport.enforce_hostname_verification: true
21
plugins.security.ssl.transport.resolve_hostname: true
22

23
plugins.security.ssl.http.enabled: true
24
plugins.security.ssl.http.pemcert_filepath: certificates/opensearch-node1.pem
25
plugins.security.ssl.http.pemkey_filepath: certificates/opensearch-node1-key.pem
26
plugins.security.ssl.http.pemtrustedcas_filepath: certificates/ca-chain.pem
27

28
plugins.security.allow_unsafe_democertificates: false
29
plugins.security.allow_default_init_securityindex: false
30
plugins.security.authcz.admin_dn:
31
  - "CN=opensearch-admin.domain.com,OU=Security Operations,O=Security Organization,L=San Francisco,ST=California,C=US"
32

33
plugins.security.audit.type: internal_opensearch
34
plugins.security.enable_snapshot_restore_privilege: true
35
plugins.security.check_snapshot_restore_write_privileges: true
36
plugins.security.restapi.roles_enabled:
37
  ["all_access", "security_rest_api_access"]
38

39
# Performance tuning
40
indices.memory.index_buffer_size: 20%
41
indices.queries.cache.size: 15%
42
indices.fielddata.cache.size: 30%
43
thread_pool.search.size: 50
44
thread_pool.search.queue_size: 1000
45
thread_pool.write.size: 30
46
thread_pool.write.queue_size: 500
47

48
# Cluster routing
49
cluster.routing.allocation.disk.threshold_enabled: true
50
cluster.routing.allocation.disk.watermark.low: 85%
51
cluster.routing.allocation.disk.watermark.high: 90%
52
cluster.routing.allocation.disk.watermark.flood_stage: 95%

Wazuh Manager Configuration#

1
<!-- ossec.conf - Wazuh Manager configuration -->
2
<ossec_config>
3
  <global>
4
    <jsonout_output>yes</jsonout_output>
5
    <alerts_log>yes</alerts_log>
6
    <logall>no</logall>
7
    <logall_json>no</logall_json>
8
    <email_notification>no</email_notification>
9
    <smtp_server>smtp.domain.com</smtp_server>
10
    <email_from>wazuh@domain.com</email_from>
11
    <email_to>security@domain.com</email_to>
12
    <email_maxperhour>12</email_maxperhour>
13
    <queue_size>131072</queue_size>
14
  </global>
15

16
  <cluster>
17
    <name>wazuh-cluster</name>
18
    <node_name>wazuh-master</node_name>
19
    <node_type>master</node_type>
20
    <key>5f4dcc3b5aa765d61d8327deb882cf99</key>
21
    <port>1516</port>
22
    <bind_addr>0.0.0.0</bind_addr>
23
    <nodes>
24
      <node>10.0.2.1</node>
25
      <node>10.0.2.2</node>
26
      <node>10.0.2.3</node>
27
    </nodes>
28
    <hidden>no</hidden>
29
    <disabled>no</disabled>
30
  </cluster>
31

32
  <remote>
33
    <connection>secure</connection>
34
    <port>1514</port>
35
    <protocol>tcp</protocol>
36
    <queue_size>131072</queue_size>
37
  </remote>
38

39
  <alerts>
40
    <log_alert_level>3</log_alert_level>
41
    <email_alert_level>7</email_alert_level>
42
  </alerts>
43

44
  <command>
45
    <name>firewall-drop</name>
46
    <executable>firewall-drop</executable>
47
    <timeout_allowed>yes</timeout_allowed>
48
  </command>
49

50
  <active-response>
51
    <command>firewall-drop</command>
52
    <location>local</location>
53
    <level>7</level>
54
    <timeout>600</timeout>
55
  </active-response>
56

57
  <!-- OpenSearch output configuration -->
58
  <integration>
59
    <name>opensearch</name>
60
    <enabled>yes</enabled>
61
    <url>https://10.0.4.8:9200</url>
62
    <username>wazuh_indexer</username>
63
    <password>SecurePassword123!</password>
64
    <indices>
65
      <alerts>wazuh-alerts-*</alerts>
66
      <archives>wazuh-archives-*</archives>
67
    </indices>
68
    <ssl>
69
      <certificate>/etc/wazuh/certificates/wazuh-manager.pem</certificate>
70
      <key>/etc/wazuh/certificates/wazuh-manager-key.pem</key>
71
      <ca>/etc/wazuh/certificates/ca-chain.pem</ca>
72
    </ssl>
73
  </integration>
74
</ossec_config>

Index Lifecycle Management#

graph LR
    subgraph "Index Lifecycle"
        Hot[Hot Phase<br/>0-7 days<br/>Primary shards]
        Warm[Warm Phase<br/>7-30 days<br/>Shrink & merge]
        Cold[Cold Phase<br/>30-90 days<br/>Readonly]
        Delete[Delete Phase<br/>>90 days]
    end

    subgraph "Storage Tiers"
        SSD[SSD Storage<br/>High IOPS]
        HDD[HDD Storage<br/>High capacity]
        S3[S3 Storage<br/>Archive]
    end

    Hot --> Warm
    Warm --> Cold
    Cold --> Delete

    Hot -.-> SSD
    Warm -.-> HDD
    Cold -.-> S3

    style Hot fill:#f96,stroke:#333,stroke-width:2px
    style SSD fill:#9f9,stroke:#333,stroke-width:2px

1
// Index lifecycle policy
2
{
3
  "policy": {
4
    "phases": {
5
      "hot": {
6
        "min_age": "0ms",
7
        "actions": {
8
          "rollover": {
9
            "max_primary_shard_size": "50GB",
10
            "max_age": "7d"
11
          },
12
          "set_priority": {
13
            "priority": 100
14
          }
15
        }
16
      },
17
      "warm": {
18
        "min_age": "7d",
19
        "actions": {
20
          "shrink": {
21
            "number_of_shards": 1
22
          },
23
          "forcemerge": {
24
            "max_num_segments": 1
25
          },
26
          "set_priority": {
27
            "priority": 50
28
          },
29
          "allocate": {
30
            "node_type": "warm"
31
          }
32
        }
33
      },
34
      "cold": {
35
        "min_age": "30d",
36
        "actions": {
37
          "set_priority": {
38
            "priority": 0
39
          },
40
          "freeze": {},
41
          "allocate": {
42
            "node_type": "cold"
43
          },
44
          "searchable_snapshot": {
45
            "snapshot_repository": "s3_repository"
46
          }
47
        }
48
      },
49
      "delete": {
50
        "min_age": "90d",
51
        "actions": {
52
          "delete": {}
53
        }
54
      }
55
    }
56
  }
57
}

Performance Optimization#

Query Performance Tuning#

graph TB
    subgraph "Query Optimization"
        subgraph "Index Design"
            Mapping[Optimized Mappings]
            Sharding[Shard Strategy]
            Replicas[Replica Count]
        end

        subgraph "Query Patterns"
            Filters[Use Filters]
            Aggregations[Efficient Aggregations]
            Scripts[Avoid Scripts]
        end

        subgraph "Caching"
            QueryCache[Query Cache]
            FieldCache[Field Data Cache]
            RequestCache[Request Cache]
        end
    end

    Mapping --> Performance[Query Performance]
    Sharding --> Performance
    Replicas --> Performance

    Filters --> Performance
    Aggregations --> Performance
    Scripts --> Performance

    QueryCache --> Performance
    FieldCache --> Performance
    RequestCache --> Performance

    style Performance fill:#9f9,stroke:#333,stroke-width:2px

Index Template Optimization#

1
// Optimized index template for Wazuh alerts
2
{
3
  "index_patterns": ["wazuh-alerts-*"],
4
  "priority": 100,
5
  "template": {
6
    "settings": {
7
      "number_of_shards": 3,
8
      "number_of_replicas": 1,
9
      "index.refresh_interval": "10s",
10
      "index.translog.durability": "async",
11
      "index.translog.sync_interval": "10s",
12
      "index.codec": "best_compression",
13
      "index.merge.scheduler.max_thread_count": 2,
14
      "index.merge.policy.max_merged_segment": "5gb"
15
    },
16
    "mappings": {
17
      "properties": {
18
        "@timestamp": {
19
          "type": "date",
20
          "format": "date_time_no_millis"
21
        },
22
        "agent": {
23
          "properties": {
24
            "id": {
25
              "type": "keyword"
26
            },
27
            "name": {
28
              "type": "keyword"
29
            },
30
            "ip": {
31
              "type": "ip"
32
            }
33
          }
34
        },
35
        "rule": {
36
          "properties": {
37
            "id": {
38
              "type": "keyword"
39
            },
40
            "level": {
41
              "type": "short"
42
            },
43
            "description": {
44
              "type": "text",
45
              "fields": {
46
                "keyword": {
47
                  "type": "keyword",
48
                  "ignore_above": 256
49
                }
50
              }
51
            }
52
          }
53
        },
54
        "data": {
55
          "type": "object",
56
          "enabled": true
57
        }
58
      }
59
    }
60
  }
61
}

Security Hardening#

Security Architecture Layers#

graph TB
    subgraph "Security Layers"
        subgraph "Network Security"
            FW[Firewall Rules]
            VLAN[VLAN Segmentation]
            VPN[VPN Access]
        end

        subgraph "Application Security"
            TLS[TLS Encryption]
            Auth[Authentication]
            Authz[Authorization]
        end

        subgraph "Data Security"
            EncRest[Encryption at Rest]
            EncTransit[Encryption in Transit]
            DataMask[Data Masking]
        end

        subgraph "Operational Security"
            Audit[Audit Logging]
            Monitor[Security Monitoring]
            Response[Incident Response]
        end
    end

    FW --> SecureStack[Secure Stack]
    VLAN --> SecureStack
    VPN --> SecureStack

    TLS --> SecureStack
    Auth --> SecureStack
    Authz --> SecureStack

    EncRest --> SecureStack
    EncTransit --> SecureStack
    DataMask --> SecureStack

    Audit --> SecureStack
    Monitor --> SecureStack
    Response --> SecureStack

    style SecureStack fill:#f96,stroke:#333,stroke-width:2px

Security Configuration#

1
_meta:
2
  type: "config"
3
  config_version: 2
4

5
config:
6
  dynamic:
7
    http:
8
      anonymous_auth_enabled: false
9
      xff:
10
        enabled: true
11
        internalProxies: '10\\.0\\.0\\.0/8'
12
        remoteIpHeader: "x-forwarded-for"
13

14
    authc:
15
      internal_auth:
16
        description: "Internal users"
17
        http_enabled: true
18
        transport_enabled: true
19
        order: 0
20
        http_authenticator:
21
          type: basic
22
          challenge: true
23
        authentication_backend:
24
          type: internal
25

26
      ldap_auth:
27
        description: "LDAP authentication"
28
        http_enabled: true
29
        transport_enabled: true
30
        order: 1
31
        http_authenticator:
32
          type: basic
33
          challenge: false
34
        authentication_backend:
35
          type: ldap
36
          config:
37
            enable_ssl: true
38
            enable_start_tls: false
39
            enable_ssl_client_auth: false
40
            verify_hostnames: true
41
            hosts:
42
              - ldap.domain.com:636
43
            bind_dn: "cn=admin,dc=domain,dc=com"
44
            password: "ldap_password"
45
            userbase: "ou=users,dc=domain,dc=com"
46
            usersearch: "(sAMAccountName={0})"
47
            username_attribute: "sAMAccountName"
48

49
    authz:
50
      roles_from_myldap:
51
        description: "LDAP authorization"
52
        http_enabled: true
53
        transport_enabled: true
54
        authorization_backend:
55
          type: ldap
56
          config:
57
            enable_ssl: true
58
            enable_start_tls: false
59
            enable_ssl_client_auth: false
60
            verify_hostnames: true
61
            hosts:
62
              - ldap.domain.com:636
63
            bind_dn: "cn=admin,dc=domain,dc=com"
64
            password: "ldap_password"
65
            rolebase: "ou=groups,dc=domain,dc=com"
66
            rolesearch: "(member={0})"
67
            userroleattribute: null
68
            userrolename: "memberOf"
69
            rolename: "cn"
70
            resolve_nested_roles: true
71
            skip_users:
72
              - "kibanaserver"
73
              - "admin"

Monitoring and Alerting#

Monitoring Architecture#

graph TB
    subgraph "Metrics Collection"
        WazuhMetrics[Wazuh Metrics]
        OSMetrics[OpenSearch Metrics]
        NodeMetrics[Node Exporter]
        ProcessMetrics[Process Exporter]
    end

    subgraph "Processing"
        Prometheus[Prometheus Server]
        AlertManager[Alert Manager]
    end

    subgraph "Visualization"
        Grafana[Grafana]
        StatusPage[Status Page]
    end

    subgraph "Alerting Channels"
        Email[Email]
        Slack[Slack]
        PagerDuty[PagerDuty]
        Webhook[Webhooks]
    end

    WazuhMetrics --> Prometheus
    OSMetrics --> Prometheus
    NodeMetrics --> Prometheus
    ProcessMetrics --> Prometheus

    Prometheus --> AlertManager
    Prometheus --> Grafana

    AlertManager --> Email
    AlertManager --> Slack
    AlertManager --> PagerDuty
    AlertManager --> Webhook

    Grafana --> StatusPage

    style Prometheus fill:#f96,stroke:#333,stroke-width:2px
    style Grafana fill:#9f9,stroke:#333,stroke-width:2px

Key Performance Indicators#

1
# Prometheus alert rules
2
groups:
3
  - name: wazuh_alerts
4
    interval: 30s
5
    rules:
6
      - alert: WazuhManagerDown
7
        expr: up{job="wazuh-manager"} == 0
8
        for: 5m
9
        labels:
10
          severity: critical
11
        annotations:
12
          summary: "Wazuh Manager is down"
13
          description: "Wazuh Manager {{ $labels.instance }} has been down for more than 5 minutes."
14

15
      - alert: HighAlertRate
16
        expr: rate(wazuh_alerts_total[5m]) > 100
17
        for: 10m
18
        labels:
19
          severity: warning
20
        annotations:
21
          summary: "High alert rate detected"
22
          description: "Alert rate is {{ $value }} alerts/sec"
23

24
  - name: opensearch_alerts
25
    interval: 30s
26
    rules:
27
      - alert: OpenSearchClusterRed
28
        expr: opensearch_cluster_health_status{color="red"} == 1
29
        for: 5m
30
        labels:
31
          severity: critical
32
        annotations:
33
          summary: "OpenSearch cluster is RED"
34
          description: "OpenSearch cluster health is RED for more than 5 minutes"
35

36
      - alert: HighJVMMemoryUsage
37
        expr: opensearch_jvm_memory_used_bytes / opensearch_jvm_memory_max_bytes > 0.9
38
        for: 10m
39
        labels:
40
          severity: warning
41
        annotations:
42
          summary: "High JVM memory usage"
43
          description: "JVM memory usage is {{ $value | humanizePercentage }}"

Disaster Recovery#

Backup and Recovery Strategy#

graph TB
    subgraph "Backup Components"
        subgraph "Configuration"
            WazuhConf[Wazuh Config]
            OSConf[OpenSearch Config]
            Rules[Custom Rules]
            Decoders[Custom Decoders]
        end

        subgraph "Data"
            Indices[OpenSearch Indices]
            Snapshots[Snapshots]
            Logs[Raw Logs]
        end

        subgraph "State"
            AgentKeys[Agent Keys]
            ClusterState[Cluster State]
            UserData[User Data]
        end
    end

    subgraph "Backup Storage"
        Local[Local Backup]
        Remote[Remote Storage]
        Cloud[Cloud Storage]
    end

    subgraph "Recovery Process"
        Restore[Restore Process]
        Validate[Validation]
        Failover[Failover]
    end

    WazuhConf --> Local
    OSConf --> Local
    Rules --> Local
    Decoders --> Local

    Indices --> Snapshots
    Snapshots --> Remote
    Logs --> Cloud

    AgentKeys --> Local
    ClusterState --> Remote
    UserData --> Remote

    Local --> Restore
    Remote --> Restore
    Cloud --> Restore

    Restore --> Validate
    Validate --> Failover

    style Snapshots fill:#f96,stroke:#333,stroke-width:2px
    style Restore fill:#9f9,stroke:#333,stroke-width:2px

Automated Backup Script#

1
#!/bin/bash
2
# Automated backup script for Wazuh-OpenSearch stack
3

4
set -e
5

6
# Configuration
7
BACKUP_DIR="/backup"
8
S3_BUCKET="s3://wazuh-backups"
9
RETENTION_DAYS=30
10
DATE=$(date +%Y%m%d-%H%M%S)
11

12
# Create backup directories
13
mkdir -p ${BACKUP_DIR}/{wazuh,opensearch,config}/${DATE}
14

15
# Backup Wazuh configuration
16
echo "Backing up Wazuh configuration..."
17
tar czf ${BACKUP_DIR}/wazuh/${DATE}/wazuh-config.tar.gz \
18
    /var/ossec/etc \
19
    /var/ossec/rules \
20
    /var/ossec/decoders \
21
    /var/ossec/lists
22

23
# Backup Wazuh agent keys
24
echo "Backing up agent keys..."
25
cp /var/ossec/etc/client.keys ${BACKUP_DIR}/wazuh/${DATE}/
26

27
# Backup OpenSearch configuration
28
echo "Backing up OpenSearch configuration..."
29
tar czf ${BACKUP_DIR}/opensearch/${DATE}/opensearch-config.tar.gz \
30
    /etc/opensearch \
31
    /usr/share/opensearch/config
32

33
# Create OpenSearch snapshot
34
echo "Creating OpenSearch snapshot..."
35
curl -X PUT "https://localhost:9200/_snapshot/backup_repo/${DATE}?wait_for_completion=true" \
36
    -H 'Content-Type: application/json' \
37
    -u admin:admin \
38
    --cacert /etc/opensearch/ca.pem \
39
    -d '{
40
      "indices": "wazuh-*",
41
      "include_global_state": true,
42
      "metadata": {
43
        "taken_by": "automated_backup",
44
        "taken_because": "scheduled_backup"
45
      }
46
    }'
47

48
# Sync to S3
49
echo "Syncing to S3..."
50
aws s3 sync ${BACKUP_DIR}/ ${S3_BUCKET}/ --exclude "*.tmp"
51

52
# Clean up old local backups
53
echo "Cleaning up old backups..."
54
find ${BACKUP_DIR} -type d -mtime +${RETENTION_DAYS} -exec rm -rf {} \;
55

56
# Verify backup
57
echo "Verifying backup..."
58
if aws s3 ls ${S3_BUCKET}/${DATE}/ > /dev/null 2>&1; then
59
    echo "Backup completed successfully"
60
else
61
    echo "Backup verification failed"
62
    exit 1
63
fi
64

65
# Send notification
66
curl -X POST https://slack.webhook.url \
67
    -H 'Content-Type: application/json' \
68
    -d "{\"text\":\"Wazuh-OpenSearch backup completed successfully for ${DATE}\"}"

Troubleshooting Guide#

Common Issues and Solutions#

Component	Issue	Symptoms	Solution
Wazuh Agent	Connection Failed	`Unable to connect to manager`	Check firewall rules, verify authd service, regenerate agent key
OpenSearch	Cluster Red Status	Unassigned shards	Check disk space, verify node connectivity, force shard allocation
Filebeat	Pipeline Blocked	High memory usage	Increase queue size, check OpenSearch performance
Dashboard	Login Failed	Authentication error	Verify certificates, check user permissions, review auth logs
Integration	No Data Flow	Empty indices	Check Filebeat configuration, verify index patterns

Debug Commands#

1
# Wazuh Manager debugging
2
/var/ossec/bin/wazuh-control info
3
/var/ossec/bin/wazuh-control status
4
tail -f /var/ossec/logs/ossec.log
5

6
# Check cluster status
7
/var/ossec/bin/cluster_control -l
8

9
# OpenSearch cluster health
10
curl -X GET "https://localhost:9200/_cluster/health?pretty" \
11
    -u admin:admin --cacert /etc/opensearch/ca.pem
12

13
# Check indices
14
curl -X GET "https://localhost:9200/_cat/indices?v" \
15
    -u admin:admin --cacert /etc/opensearch/ca.pem
16

17
# Filebeat status
18
systemctl status filebeat
19
filebeat test config
20
filebeat test output
21

22
# Certificate validation
23
openssl x509 -in /path/to/cert.pem -text -noout
24
openssl verify -CAfile ca.pem cert.pem

Best Practices#

Deployment Checklist#

Scaling Considerations#

graph LR
    subgraph "Scaling Dimensions"
        Vertical[Vertical Scaling<br/>More resources]
        Horizontal[Horizontal Scaling<br/>More nodes]
        Functional[Functional Scaling<br/>Dedicated roles]
    end

    subgraph "Scaling Triggers"
        CPU[CPU > 80%]
        Memory[Memory > 85%]
        Storage[Storage > 85%]
        Latency[Query Latency > 1s]
    end

    CPU --> Vertical
    Memory --> Vertical
    Storage --> Horizontal
    Latency --> Functional

    style Horizontal fill:#9f9,stroke:#333,stroke-width:2px

Conclusion#

The integration of OpenSearch with Wazuh creates a powerful, scalable, and secure SIEM platform capable of handling enterprise-scale security monitoring requirements. The architecture provides:

Scalability: Horizontal scaling capabilities for both processing and storage
High Availability: Clustered components with automatic failover
Security: End-to-end encryption and comprehensive access control
Performance: Optimized data flow and query performance
Flexibility: Customizable rules, decoders, and dashboards

By following the architectural patterns, security practices, and operational procedures outlined in this guide, organizations can build a robust security analytics platform that provides real-time visibility into their security posture while maintaining the performance and reliability required for production environments.