Production Ready SIEM Deployment
Distributed Wazuh 4.14.5 SIEM deployment across 13 VMs: a 3 node indexer cluster, server cluster with HAProxy load balancing, and mass agent deployment via Active Directory GPO and Ansible.
Project Description
A production style deployment of the Wazuh SIEM platform in a fully distributed, high availability architecture on Ubuntu 22.04. The lab spans 13 VMs and mirrors how Wazuh would be rolled out across a real enterprise fleet.
The core stack runs a 3 node OpenSearch indexer cluster (green, zero unassigned shards), a server cluster with one master and two workers for horizontal event processing, a dedicated dashboard node, and an HAProxy load balancer that distributes agent enrollment and reporting traffic in TCP mode.
Endpoints are onboarded the way they would be in production: Windows hosts join an Active Directory domain and receive the agent through a Group Policy startup script, while Ubuntu hosts are provisioned with Ansible. The deployment is fully documented stage by stage, from OS baseline through final end-to-end validation.
Goals & Objectives
Distributed Indexer Cluster
Deploy a 3 node OpenSearch cluster with replication and zero unassigned shards.
HA Server Cluster
Build 1 master and 2 workers with HAProxy load balancing and verified failover.
Mass Agent Deployment
Push Windows agents via Active Directory GPO and Ubuntu agents via Ansible.
Index Lifecycle & Backup
Configure ISM retention policies and a snapshot repository for backup and restore.
End-to-End Validation
Prove the full pipeline from agent event to searchable alert in the dashboard.
Architecture & Workflow
flowchart TB
  subgraph EP["Endpoints"]
    DC["windows-ad-dc<br/>192.168.90.121<br/>Active Directory DC"]
    W1["win-agent-01<br/>192.168.90.122<br/>group: windows"]
    W2["win-agent-02<br/>192.168.90.123<br/>group: windows"]
    U1["ubuntu-agent-01<br/>192.168.90.119<br/>group: linux"]
    U2["ubuntu-agent-02<br/>192.168.90.120<br/>group: linux"]
  end
  LB["wazuh-lb-01<br/>192.168.90.112<br/>HAProxy TCP"]
  subgraph SRV["Wazuh server cluster"]
    M["wazuh-master-01<br/>192.168.90.115<br/>master"]
    K1["wazuh-worker-01<br/>192.168.90.116<br/>worker"]
    K2["wazuh-worker-02<br/>192.168.90.117<br/>worker"]
  end
  subgraph IDX["Wazuh indexer cluster"]
    I1["wazuh-indexer-01<br/>192.168.90.111"]
    I2["wazuh-indexer-02<br/>192.168.90.113"]
    I3["wazuh-indexer-03<br/>192.168.90.114"]
  end
  SNAP["Snapshot repo<br/>/mnt/wazuh-snapshots<br/>ISM: alerts 90d, archives 30d"]
  D["wazuh-dashboard-01<br/>192.168.90.118"]
  A["Admin / User browser"]
  DC -.->|GPO pushes agent| W1
  DC -.->|GPO pushes agent| W2
  W1 -->|1514 event / 1515 enroll| LB
  W2 -->|1514 event / 1515 enroll| LB
  U1 -->|1514 event / 1515 enroll| LB
  U2 -->|1514 event / 1515 enroll| LB
  LB -->|1515 enrollment| M
  LB -->|1514 reporting RR| K1
  LB -->|1514 reporting RR| K2
  M <-->|1516 cluster sync| K1
  M <-->|1516 cluster sync| K2
  M -->|Filebeat 9200| I1
  K1 -->|Filebeat 9200| I2
  K2 -->|Filebeat 9200| I3
  I1 <-->|9300:9400 transport| I2
  I2 <-->|9300:9400 transport| I3
  I1 <-->|9300:9400 transport| I3
  I1 -.->|snapshot| SNAP
  I2 -.->|snapshot| SNAP
  I3 -.->|snapshot| SNAP
  D -->|9200 search| I1
  D -->|55000 API| M
  A -->|443 HTTPS| D
Implementation
The deployment followed a strict bottom-up order so each layer was validated before the next was built.
Indexer cluster: Three OpenSearch nodes with a shared root CA, per-node certificates, and a 1 GB heap tuned for 2 GB RAM hosts. Cluster initialized to green with replication across all three.
Server cluster: One master and two workers joined with an identical cluster key over port 1516. Filebeat on each node ships alerts to the indexer over TLS 1.3. The master handles enrollment while workers process the event load.
Load balancer: HAProxy in TCP mode (layer 4) forwards enrollment to the master on 1515 and round-robins reporting across workers on 1514, with health checks that keep both workers in the pool and reroute on failure.
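An HAProxy configuration for the layer 4 layout just described, added here as an example and not the project's own haproxy.cfg: enrollment on 1515 goes only to the master, reporting on 1514 is round-robined across the two workers with TCP health checks, using the node addresses from the architecture diagram. The timeouts and check intervals are assumptions.

```shell
#!/bin/sh
# Added example: render an HAProxy TCP-mode (layer 4) config for the Wazuh
# server cluster using the node addresses from the architecture diagram.
# Not the project's own file; timeouts and check intervals are assumptions.
MASTER=192.168.90.115
WORKER1=192.168.90.116
WORKER2=192.168.90.117

render_haproxy_cfg() {
    cat <<EOF
global
    log /dev/log local0
    maxconn 4096

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 1h
    timeout server 1h

# Enrollment (1515) is served only by the master, which owns the agent keys.
frontend wazuh_enrollment
    bind *:1515
    default_backend wazuh_master

backend wazuh_master
    server wazuh-master-01 ${MASTER}:1515 check inter 5s fall 3 rise 2

# Event reporting (1514) is spread across the workers. A worker that fails
# three consecutive TCP checks leaves the pool until it passes two, so agents
# reconnect through the surviving worker.
frontend wazuh_reporting
    bind *:1514
    default_backend wazuh_workers

backend wazuh_workers
    balance roundrobin
    server wazuh-worker-01 ${WORKER1}:1514 check inter 5s fall 3 rise 2
    server wazuh-worker-02 ${WORKER2}:1514 check inter 5s fall 3 rise 2
EOF
}

# Write the config and, when haproxy is installed, check its syntax before a reload.
install_haproxy_cfg() {
    out="${1:-/etc/haproxy/haproxy.cfg}"
    render_haproxy_cfg > "$out"
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$out"
    fi
}

if [ "${1:-}" = install ]; then install_haproxy_cfg; fi
```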
Agent deployment: Windows endpoints joined the lab.local Active Directory domain and received the agent through a GPO startup script pointing at an SMB share. Ubuntu endpoints were provisioned with an Ansible playbook from the master. Centralized agent.conf per group (windows, linux) controls collection.
Operations: ISM policies enforce 90 day alert and 30 day archive retention with rollover. A filesystem snapshot repository was registered on all indexer nodes for backup and restore.
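How the retention and backup pieces described above can be registered through the indexer's REST API, as an added example and not the project's own scripts. It assumes admin credentials in INDEXER_USER and INDEXER_PASS, the indexer root CA path shown, and that /mnt/wazuh-snapshots is listed under path.repo in opensearch.yml on every indexer node. Retention is expressed as index age; the rollover step is left out because it depends on a write alias the write-up does not show.

```shell
#!/bin/sh
# Added example (not the project's own scripts): register 90 day alert and
# 30 day archive ISM policies plus a filesystem snapshot repository on the
# Wazuh indexer. Credentials, CA path and URL are assumptions; the fs
# repository only works if every node lists the directory in path.repo.
INDEXER_URL="${INDEXER_URL:-https://192.168.90.111:9200}"
CA_CERT="${CA_CERT:-/etc/wazuh-indexer/certs/root-ca.pem}"
SNAPSHOT_DIR=/mnt/wazuh-snapshots

# Emit an ISM policy that deletes indices matching pattern $2 once they are
# $3 old. Age-based deletion needs no rollover alias: the daily wazuh-*
# indices already provide the date boundary.
ism_policy_json() {
    cat <<EOF
{"policy":{"description":"$1",
  "default_state":"hot",
  "states":[
    {"name":"hot","actions":[],
     "transitions":[{"state_name":"delete","conditions":{"min_index_age":"$3"}}]},
    {"name":"delete","actions":[{"delete":{}}],"transitions":[]}],
  "ism_template":[{"index_patterns":["$2"],"priority":100}]}}
EOF
}

# Authenticated JSON call: idx METHOD PATH [BODY]
idx() {
    curl -sS --cacert "$CA_CERT" -u "$INDEXER_USER:$INDEXER_PASS" \
         -X "$1" "$INDEXER_URL/$2" -H 'Content-Type: application/json' \
         ${3:+-d "$3"}
}

apply_retention_and_snapshots() {
    idx PUT _plugins/_ism/policies/wazuh-alerts-90d \
        "$(ism_policy_json 'Delete alerts after 90 days' 'wazuh-alerts-*' 90d)"
    idx PUT _plugins/_ism/policies/wazuh-archives-30d \
        "$(ism_policy_json 'Delete archives after 30 days' 'wazuh-archives-*' 30d)"
    # Register the shared repository, then have every node prove it can write there.
    idx PUT _snapshot/wazuh-fs \
        "{\"type\":\"fs\",\"settings\":{\"location\":\"$SNAPSHOT_DIR\",\"compress\":true}}"
    idx POST _snapshot/wazuh-fs/_verify
}

if [ "${1:-}" = apply ]; then apply_retention_and_snapshots; fi
```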
Validation: Triggered failed SSH logins on an agent and confirmed the alerts (rules 5710 and 5503) appeared in OpenSearch within seconds, proving the full path: agent collect, worker decode and rule match, Filebeat ship, indexer store, dashboard search.
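A post-deployment check script for the validation just described, added as an example rather than the project's own procedure: it confirms the indexer cluster is green with nothing unassigned and that the failed-SSH rules (5710, 5503) have produced alerts recently. Each check parses a raw API response, so it can be exercised on captured output; the URL, CA path and INDEXER_USER/INDEXER_PASS credentials are assumptions.

```shell
#!/bin/sh
# Added example (not the project's own validation script). Checks take the
# raw indexer API response as their argument; run_checks wires them to live
# calls. Indexer URL, CA path and credentials are assumptions.
INDEXER_URL="${INDEXER_URL:-https://192.168.90.111:9200}"
CA_CERT="${CA_CERT:-/etc/wazuh-indexer/certs/root-ca.pem}"

# _cluster/health JSON -> success only when green with zero unassigned shards.
health_ok() {
    echo "$1" | grep -q '"status":"green"' &&
    echo "$1" | grep -q '"unassigned_shards":0[,}]'
}

# _cat/shards output (index shard prirep state) -> shards not in STARTED state.
shards_not_started() {
    echo "$1" | awk 'NF && $4 != "STARTED" { n++ } END { print n + 0 }'
}

# _count JSON -> number of matching documents.
count_hits() {
    echo "$1" | sed -n 's/.*"count":\([0-9]*\).*/\1/p'
}

# Failed SSH login alerts (rules 5710 or 5503) indexed in the last 15 minutes.
ssh_failed_query() {
    cat <<'EOF'
{"query":{"bool":{"filter":[
  {"terms":{"rule.id":["5710","5503"]}},
  {"range":{"timestamp":{"gte":"now-15m"}}}]}}}
EOF
}

idx() { curl -sS --cacert "$CA_CERT" -u "$INDEXER_USER:$INDEXER_PASS" \
        -H 'Content-Type: application/json' "$INDEXER_URL/$1" ${2:+-d "$2"}; }

run_checks() {
    health_ok "$(idx _cluster/health)" || { echo "cluster not green"; return 1; }
    [ "$(shards_not_started "$(idx '_cat/shards?h=index,shard,prirep,state')")" -eq 0 ] ||
        { echo "some shards are not started"; return 1; }
    hits="$(count_hits "$(idx 'wazuh-alerts-*/_count' "$(ssh_failed_query)")")"
    [ "${hits:-0}" -gt 0 ] || { echo "no failed SSH alerts in the last 15 min"; return 1; }
    echo "all checks passed: $hits failed-login alerts indexed"
}

if [ "${1:-}" = run ]; then run_checks; fi
```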
Tech Stack Used
Wazuh: SIEM platform, server cluster, agents, detection rules
OpenSearch (Wazuh indexer): indexer cluster with replication and ISM
Filebeat: ships alerts to the indexer over TLS 1.3
HAProxy: layer 4 load balancer for agent traffic
Active Directory: domain join and GPO agent push for Windows
Ansible: automated Ubuntu agent deployment
Key Features & Deliverables
3 node indexer cluster
Green status, 0 unassigned shards, 100% active shards
Server cluster + HAProxy
Master and 2 workers, load balanced with failover
AD GPO agent deployment
Windows agents pushed via Group Policy startup script
Ansible agent automation
Ubuntu agents provisioned from the master
ISM + snapshots
90 day alert retention, 30 day archive, filesystem backups
Full documentation
Reproducible Stage 0 to Stage 9 deployment guide
Results & Outcome
A fully operational distributed SIEM with every layer verified working:
- Indexer cluster green across 3 nodes with 0 unassigned shards (100% active shards)
- Server cluster with master and 2 workers in sync, load balanced through HAProxy with verified failover
- 4 agents active (2 Windows via AD GPO, 2 Ubuntu via Ansible) reporting through the load balancer
- End-to-end ingestion confirmed: failed SSH logins surfaced as alerts in OpenSearch within seconds
- ISM retention policies and snapshot backup configured and tested
- Complete stage-by-stage documentation (Stage 0 through Stage 9) reproducible from scratch
The result is a reusable reference architecture that demonstrates high availability, horizontal scaling, and enterprise agent deployment patterns on minimal hardware.
Screenshots & Demo
Endpoint Agent Onboarding and Health Validation
Wazuh endpoint dashboard showing five active agents across Ubuntu and Windows Server 2022 systems. This validates successful agent enrollment, OS visibility, group segmentation, and cluster node assignment across the SIEM deployment.
Wazuh Alert Index and Event Search
Wazuh Discover view showing 3,532 indexed security events in the wazuh-alerts-* index within the last 24 hours. This validates successful log ingestion, event parsing, cluster metadata enrichment, and searchable alert visibility across the SIEM deployment.
Wazuh Cluster Node
Command output confirming a three node Wazuh manager cluster with one master node and two worker nodes running version 4.14.5. This validates cluster membership, node role assignment, and internal manager communication across the SIEM deployment.
Filebeat Test Output
Filebeat test output confirms successful connectivity between the Wazuh manager and the indexer backend. This validates that alert data can be forwarded from the manager node to the OpenSearch/Wazuh indexer pipeline.
Health Check
Health check output confirming that the Wazuh backend services are reachable and responding correctly. This validates service availability, backend readiness, and the operational state of the SIEM deployment components.
Home Page Overview
Wazuh home overview showing the operational status of the SIEM environment, including endpoint visibility, security monitoring access, and centralized dashboard readiness. This validates that the Wazuh dashboard is properly connected to the backend and ready for monitoring activities.
ISM and Snapshot
Configured ISM policy and snapshot mechanism for the Wazuh indexer to manage alert index retention, rollover, and backup readiness. This validates that the SIEM deployment includes index lifecycle control and recovery preparation for long term operations.
IT Hygiene and Endpoint Posture
IT Hygiene view showing endpoint security posture and system visibility across monitored assets. This validates that the SIEM deployment can support asset inventory, configuration review, vulnerability awareness, and operational hygiene monitoring.
Cluster Nodes
Validated a three node Wazuh manager cluster consisting of one master node and two worker nodes. This confirms proper cluster role assignment, manager node registration, version consistency, and distributed SIEM processing readiness.