Wazuh SIEM Cluster

Updated March 11, 2026

Problems Solved

Wazuh SIEM Cluster provides centralized security monitoring for Yandex Cloud infrastructure and connected hosts. The product addresses the following challenges:

  • Real-time threat detection: unauthorized access, deletion of critical resources, mass permission changes, suspicious activity in managed databases
  • Collection and analysis of Yandex Cloud audit events via Cloud Logging API integration
  • File integrity monitoring, malware detection, and vulnerability analysis on connected agents
  • Cluster self-monitoring: indexer health, manager synchronization, TLS certificate expiry

Key Features

High-availability cluster architecture. The cluster consists of 3 indexers (OpenSearch), 1 master manager, 1 dashboard, and N worker managers. Indexers are distributed across three availability zones (ru-central1-a, ru-central1-b, ru-central1-d). The number of workers is specified at deployment time and can be adjusted through the Instance Group.

1274 detection rules for 63 Yandex Cloud services. Complete coverage of Control Plane and Data Plane events: IAM, Compute Cloud, VPC, Object Storage, Managed Databases (ClickHouse, PostgreSQL, MySQL, MongoDB, Redis, Greenplum, Elasticsearch, OpenSearch, Kafka, YDB), Kubernetes, Cloud Functions, DataSphere, Certificate Manager, KMS, Lockbox, Smart Web Security, and more. Severity levels follow the official Wazuh rule classification standard (0-15).

Cloud Logging and Audit Trails integration. A built-in wodle collects audit events from a Cloud Logging log group at 1-minute intervals. Events are deduplicated via a local database and forwarded to the Wazuh analysis engine for rule matching.

Correlation rules. Three rules detect complex attack patterns: mass access binding changes, multiple delete operations within a short period, and repeated unauthorized access attempts (brute-force).
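The two preceding paragraphs describe one pipeline: poll the log group every minute, drop events already seen, then run frequency-based correlation. The following is an added example in Python that is not OpenNix's or the Wazuh project's code; it models that pipeline with a SQLite dedup table and a sliding-window correlator for the three patterns named above. The event field names (`event_id`, `event_type`, `event_time`, `event_status`, `authentication.subject_id`, `error.code`), the event type strings and the subject IDs are constructed in the Audit Trails style and are this example's assumptions, and the frequency/timeframe thresholds are illustrative, not the product's actual rule parameters.

```python
# Added example (not OpenNix's or Wazuh's code): a minimal model of the pipeline
# above, 1-minute poll -> local-DB dedup -> frequency correlation. Event field
# names (event_id, event_type, event_time, event_status, authentication.subject_id,
# error.code) are this example's assumption about the Audit Trails schema, and the
# thresholds are illustrative, not the product's rule parameters.
import sqlite3
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class EventStore:
    """Local dedup DB: a poll window that overlaps the previous one, or a retried
    read, returns some events twice; the primary key makes the check atomic."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS seen (event_id TEXT PRIMARY KEY)")

    def new_events(self, batch):
        """Return only events not recorded before, recording them as a side effect."""
        fresh = []
        with self.db:  # one transaction per poll
            for ev in batch:
                cur = self.db.execute("INSERT OR IGNORE INTO seen VALUES (?)", (ev["event_id"],))
                if cur.rowcount == 1:  # 0 means the id was already present
                    fresh.append(ev)
        return fresh


# name -> (match predicate, frequency, timeframe in seconds): the same three knobs
# a Wazuh frequency rule has. Thresholds are illustrative.
PATTERNS = {
    "mass_access_binding_change":
        (lambda e: "AccessBindings" in e["event_type"] and e["event_status"] == "DONE", 2, 120),
    "multiple_deletes":
        (lambda e: ".Delete" in e["event_type"] and e["event_status"] == "DONE", 3, 300),
    "repeated_unauthorized_access":  # 7 = gRPC PERMISSION_DENIED (assumed field)
        (lambda e: e["event_status"] == "ERROR" and e.get("error", {}).get("code") == 7, 5, 60),
}


class Correlator:
    """Sliding window per (pattern, subject): fires once when `frequency` matching
    events from one subject fall inside `timeframe`, then resets that window."""

    def __init__(self, patterns=PATTERNS):
        self.patterns = patterns
        self.windows = defaultdict(deque)

    def feed(self, ev):
        ts = datetime.fromisoformat(ev["event_time"].replace("Z", "+00:00"))
        subject = ev["authentication"]["subject_id"]
        alerts = []
        for name, (match, frequency, timeframe) in self.patterns.items():
            if not match(ev):
                continue
            win = self.windows[(name, subject)]
            win.append(ts)
            while (ts - win[0]).total_seconds() > timeframe:  # drop expired entries
                win.popleft()
            if len(win) >= frequency:
                alerts.append((name, subject))
                win.clear()  # one alert per burst, not one per extra event
        return alerts


def run_pipeline(polls, dedup=True):
    """Feed successive poll results through dedup (optional) and correlation."""
    store, correlator, alerts = EventStore(), Correlator(), []
    for batch in polls:
        for ev in (store.new_events(batch) if dedup else batch):
            alerts.extend(correlator.feed(ev))
    return alerts


# Constructed sample data: two consecutive polls whose read windows overlap.
T0 = datetime(2026, 3, 11, 12, 0, tzinfo=timezone.utc)

def make_event(n, event_type, subject, offset_s, status="DONE", error_code=None):
    ev = {"event_id": f"evt-{n:04d}", "event_type": event_type, "event_status": status,
          "event_time": (T0 + timedelta(seconds=offset_s)).isoformat().replace("+00:00", "Z"),
          "authentication": {"subject_id": subject}}
    if error_code is not None:
        ev["error"] = {"code": error_code}
    return ev

POLL_1 = [
    make_event(1, "yandex.cloud.audit.compute.DeleteInstance", "aje-admin", 5),
    make_event(2, "yandex.cloud.audit.compute.DeleteDisk", "aje-admin", 20),
    make_event(3, "yandex.cloud.audit.resourcemanager.UpdateFolderAccessBindings", "aje-admin", 50),
]
POLL_2 = [
    make_event(3, "yandex.cloud.audit.resourcemanager.UpdateFolderAccessBindings", "aje-admin", 50),  # re-read
    make_event(4, "yandex.cloud.audit.storage.DeleteBucket", "aje-admin", 70),
] + [make_event(10 + i, "yandex.cloud.audit.compute.GetInstance", "aje-intruder", 80 + i, "ERROR", 7)
     for i in range(5)]

if __name__ == "__main__":
    print("with dedup:   ", run_pipeline([POLL_1, POLL_2]))
    print("without dedup:", run_pipeline([POLL_1, POLL_2], dedup=False))
```

Running it shows why the wodle deduplicates before forwarding: with dedup, only the burst of deletes and the five denied calls fire; with `dedup=False`, the single access-binding change re-read in the second poll is counted twice and trips the mass-change rule on its own. The same counting error applies to any frequency rule fed by an overlapping poll window, so the dedup key must be the event's own identifier, not the poll timestamp.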

TLS certificate monitoring. The cert-check wodle verifies TLS certificate expiry daily on managers and workers. Alerts are generated 30, 14, and 7 days before expiry.

Advantages

  • Production-ready cluster in 8-9 minutes: all components are configured automatically
  • Detection rules cover all major Yandex Cloud services, including managed databases, serverless platform, and AI/ML services
  • Scalable: worker manager count is adjusted through the Instance Group without recreating the cluster

Deployment instructions

Preparation

  1. Create a Yandex Virtual Private Cloud network and three subnets in availability zones ru-central1-a, ru-central1-b, and ru-central1-d. You may also use existing ones. All subnets must belong to the same VPC network.

  2. Create a Yandex Lockbox secret with the admin password:

yc lockbox secret create \
  --name admin-password \
  --payload "[{\"key\": \"password\", \"text_value\": \"YOUR_ADMIN_PASSWORD\"}]"

Note: use a strong, randomly generated password well above the accepted minimum length of 9 characters. Passing the value on the command line as shown leaves it in your shell history, so clear the history entry afterwards.

  3. Make sure you have an SSH key for VM access.

  4. Make sure a Cloud Logging log group with audit events is created for Audit Trails integration.

Installation

  • In the management console, select the folder where you want to deploy the application.
  • Navigate to Cloud Apps.
  • In the left panel, select App Marketplace.
  • Select Wazuh and click Use.
  • Specify:
    • Resource naming prefix
    • VPC subnet in zone ru-central1-a
    • VPC subnet in zone ru-central1-b
    • VPC subnet in zone ru-central1-d
    • Lockbox secret with the Wazuh admin password
    • SSH public key
    • Number of manager worker nodes (minimum: 1)
    • Yandex Cloud Logging log group ID for audit
    • Environment type

from $421.71 per month

The usage cost for the product and the minimum required resource configuration.
Starting May 1, 2026, new prices will apply to certain Yandex Cloud services.

Cost details

Product: $184.83 per month
  Public IP address (dynamic or static): $7.78
  Wazuh Cluster: $177.05
Required resources: $236.88 per month
  Regular VM computing resources, Intel Ice Lake, 100% vCPU: $149.69
  Regular VM computing resources, Intel Ice Lake, RAM: $79.83
  Standard disk drive (HDD): $7.36
Billing type: Hourly (Pay as you go)
Type: Cloud Apps
Category: Security
Publisher: OpenNix Cloud security
Use cases
  • Analyzing the security of cloud resources, including containers.
  • Detecting intrusions.
  • Identifying vulnerabilities.
  • Analyzing logs.
  • Monitoring files.
  • Evaluating the system configuration.
  • Responding to security incidents.
  • Performing security compliance checks.
  • Analyzing security events in Yandex Cloud.
Technical support

OpenNix provides technical support to Wazuh users in Yandex Cloud. You can contact their support team by email at support@opennix.ru. Support is available on business days from 9 a.m. to 6 p.m., GMT+3.

Application resources

Resource type        Quantity
Folder members       8
Lockbox Secret       1
Compute Instances    5
Instance Group       1
Service account      1
Terms
By using this product you agree to the Yandex Cloud Marketplace Terms of Service and the terms and conditions of the following software: EULA