
Wazuh SIEM Deployment Project

Critical: Post-ApisCP Migration Only

Wazuh deployment is ONLY planned for NEW ApisCP servers, NOT current cPanel infrastructure.

Reason: Imunify360 (even FREE version) conflicts with Wazuh agents due to both using the /var/ossec directory (OSSEC-based). Current cPanel servers have Imunify360 installed and cannot run Wazuh agents.

Prerequisite: Complete ApisCP migration (Q2-Q3 2026) before beginning Wazuh deployment.

Interim Solution: Grafana + Prometheus + Loki stack deployed in Q1 2026 for infrastructure monitoring. See Grafana Monitoring Project.

Executive Summary

Objective: Deploy Wazuh SIEM on new ApisCP servers for advanced security monitoring, threat detection, and compliance reporting.

Benefits:

  • Real-Time Threat Detection: Automated security event analysis and alerting
  • File Integrity Monitoring: Detect unauthorized file modifications
  • Vulnerability Detection: Automated CVE scanning and remediation tracking
  • Compliance Reporting: GDPR, PCI DSS, CIS Benchmarks dashboards
  • Centralised Security: Unified SIEM for all infrastructure
  • Integration with Grafana: Single pane of glass for infrastructure + security

Timeline: 8-11 weeks (2-3 months) AFTER ApisCP migration completion

Target Deployment: Q3-Q4 2026 (July-December 2026)

Infrastructure Required: Hetzner CPX11 (€4.15/month, ~£43/year) or reuse existing Grafana monitoring server. Note that a 2 GB CPX11 is below the 4 GB RAM that Wazuh documents as the minimum for an all-in-one deployment; see the sizing caveat under Deployment Options.

Project Status: Planning phase - awaiting ApisCP migration completion

Why Wazuh Post-ApisCP Only

The Imunify360 Conflict

Technical Conflict:

  • Imunify360: uses the /var/ossec directory (OSSEC-based IDS/IPS)
  • Wazuh: also uses /var/ossec (Wazuh is an OSSEC fork)
  • Result: package conflict prevents co-installation, even for the Wazuh agent alone

Research Findings:

  • Confirmed via Wazuh GitHub issues and Imunify360 support forums
  • Even custom-directory workarounds (e.g. /opt/wazuh-agent) are complex and unsupported
  • Both systems descend from the same OSSEC codebase, which is the root of the conflict

Current cPanel Servers:

  • eu1.cp: Imunify360 FREE + KernelCare (cannot run Wazuh agent)
  • ns1: Imunify360 FREE (cannot run Wazuh agent)
  • ns2: Imunify360 FREE (cannot run Wazuh agent)

New ApisCP Servers:

  • NO Imunify360 installed (no conflict)
  • Wazuh agents can be deployed without issues
  • ApisCP has a different security architecture, so Imunify360 is not needed

Two-Phase Monitoring Strategy

Phase 1: Grafana Stack (Q1 2026 - NOW):

  • Grafana + Prometheus + Loki for infrastructure monitoring
  • Compatible with current cPanel + Imunify360 environment
  • Provides immediate visibility and alerting
  • Foundation for Wazuh integration
  • Status: See Grafana Monitoring Project

Phase 2: Wazuh SIEM (Q3-Q4 2026 - Post-ApisCP):

  • Wazuh on NEW ApisCP servers (no Imunify360)
  • Advanced security event detection and correlation
  • Integration with existing Grafana dashboards
  • Unified monitoring across infrastructure and security
  • Status: This document (planning phase)

Target Architecture

Wazuh + Grafana Unified Monitoring

graph TB
    subgraph "NEW ApisCP Infrastructure - Post-Migration"
        APIS1[ApisCP Server 1<br/>AlmaLinux 10<br/>~15 Client Accounts<br/>NO Imunify360]
        APIS2[ApisCP Server 2<br/>AlmaLinux 10<br/>~15 Client Accounts<br/>NO Imunify360]
        DNS1[DNS Server 1<br/>PowerDNS<br/>AlmaLinux 10]
        DNS2[DNS Server 2<br/>PowerDNS<br/>AlmaLinux 10]
    end

    subgraph "Monitoring Agents - ApisCP Servers"
        NEXPORTER1[Node Exporter<br/>Metrics]
        PROMTAIL1[Promtail<br/>Logs]
        WAZUH1[Wazuh Agent<br/>Security Events]

        NEXPORTER2[Node Exporter<br/>Metrics]
        PROMTAIL2[Promtail<br/>Logs]
        WAZUH2[Wazuh Agent<br/>Security Events]
    end

    subgraph "Monitoring Agents - DNS Servers"
        WAZUH_DNS1[Wazuh Agent<br/>Security Events]
        WAZUH_DNS2[Wazuh Agent<br/>Security Events]
    end

    subgraph "Existing Monitoring Server"
        GRAFANA[Grafana<br/>Unified Dashboards]
        PROMETHEUS[Prometheus<br/>Infrastructure Metrics]
        LOKI[Loki<br/>Log Aggregation]
    end

    subgraph "NEW Wazuh SIEM Infrastructure"
        WAZUH_MGR[Wazuh Manager<br/>Security Event Processing]
        WAZUH_IDX[Wazuh Indexer<br/>OpenSearch Database]
        WAZUH_DASH[Wazuh Dashboard<br/>Security Visualization]
    end

    APIS1 --> NEXPORTER1
    APIS1 --> PROMTAIL1
    APIS1 --> WAZUH1

    APIS2 --> NEXPORTER2
    APIS2 --> PROMTAIL2
    APIS2 --> WAZUH2

    DNS1 --> WAZUH_DNS1
    DNS2 --> WAZUH_DNS2

    NEXPORTER1 --> PROMETHEUS
    NEXPORTER2 --> PROMETHEUS
    PROMTAIL1 --> LOKI
    PROMTAIL2 --> LOKI

    WAZUH1 -->|1514/tcp| WAZUH_MGR
    WAZUH2 -->|1514/tcp| WAZUH_MGR
    WAZUH_DNS1 -->|1514/tcp| WAZUH_MGR
    WAZUH_DNS2 -->|1514/tcp| WAZUH_MGR

    WAZUH_MGR --> WAZUH_IDX
    WAZUH_IDX --> WAZUH_DASH

    PROMETHEUS --> GRAFANA
    LOKI --> GRAFANA
    WAZUH_IDX -->|Data Source| GRAFANA

    ADMIN[Administrator] -->|HTTPS| GRAFANA
    ADMIN -->|HTTPS Optional| WAZUH_DASH

    style APIS1 fill:#3498db,stroke:#2c3e50,stroke-width:2px,color:#fff
    style APIS2 fill:#3498db,stroke:#2c3e50,stroke-width:2px,color:#fff
    style DNS1 fill:#3498db,stroke:#2c3e50,stroke-width:2px,color:#fff
    style DNS2 fill:#3498db,stroke:#2c3e50,stroke-width:2px,color:#fff
    style GRAFANA fill:#f39c12,stroke:#2c3e50,stroke-width:3px,color:#fff
    style WAZUH_MGR fill:#e74c3c,stroke:#2c3e50,stroke-width:2px,color:#fff
    style WAZUH_IDX fill:#e74c3c,stroke:#2c3e50,stroke-width:2px,color:#fff
    style WAZUH_DASH fill:#e74c3c,stroke:#2c3e50,stroke-width:2px,color:#fff

Key Points:

  • Three data sources: Prometheus (metrics), Loki (logs), Wazuh (security events)
  • Single interface: Grafana as primary dashboard (Wazuh Dashboard optional)
  • Unified alerting: All alerts via Grafana Unified Alerting
  • Correlation capability: Link infrastructure anomalies with security events
  • Agent transport: each agent enrolls once over TLS on 1515/tcp, then sends events to the manager on 1514/tcp encrypted with its per-agent key; each DNS server runs its own agent, and both ports are opened only from the four monitored hosts

Wazuh Capabilities

What Wazuh Provides

1. Security Information and Event Management (SIEM):

  • Centralised collection and analysis of security events
  • Real-time threat detection with pre-built rule sets
  • Correlation of events across multiple servers
  • Timeline visualisation for incident investigation

2. File Integrity Monitoring (FIM):

  • Monitor critical system files (/etc/, /bin/, /sbin/)
  • Monitor web application directories (/var/www/, ApisCP sites)
  • Detect unauthorized file modifications, with file diffs where report_changes is enabled for the directory
  • Alert on configuration changes

3. Vulnerability Detection:

  • Automated CVE matching of installed packages against Wazuh's vulnerability feed (built from NVD and vendor advisories)
  • Prioritised vulnerability reporting (Critical/High/Medium/Low)
  • Remediation tracking and verification

4. Intrusion Detection:

  • Host-based intrusion detection on every agent (Wazuh is a HIDS; network IDS coverage would come from ingesting Suricata or similar logs, which this plan does not include)
  • Signature-based and anomaly-based detection
  • Integration with threat intelligence feeds
  • Automated blocking of malicious IPs through active response (firewall-drop) or the host firewall

5. Log Data Analysis:

  • Parse and analyse logs from all services (Apache, SSH, mail: Postfix/Dovecot on ApisCP rather than Exim on cPanel)
  • Pattern matching and correlation
  • Detect authentication failures, brute force attempts, privilege escalation
  • Custom rules for application-specific events

6. Compliance and Reporting:

  • GDPR: Data access monitoring, encryption verification, retention compliance
  • PCI DSS: If needed for payment processing (complements Stripe/PayPal)
  • CIS Benchmarks: Security configuration alignment (SCA policies)
  • Automated compliance dashboards and reports

7. Incident Response Integration:

  • Automated incident creation for high-severity events
  • Evidence collection and preservation
  • Integration with existing Incident Response procedures
  • Active response capabilities (block IPs, isolate compromised accounts)

What Grafana Stack Already Provides

To avoid duplication, understand what's already covered by Grafana + Prometheus + Loki:

| Capability | Grafana Stack | Wazuh SIEM | Recommendation |
|---|---|---|---|
| Infrastructure Metrics | ✅ Prometheus (excellent) | ⚠️ Basic | Use Grafana/Prometheus |
| Log Aggregation | ✅ Loki (good) | ✅ Alerts indexed in OpenSearch (raw events only if the manager's archives are enabled) | Use both (Loki for infra logs, Wazuh for security alerts) |
| Dashboards | ✅ Grafana (best-in-class) | ✅ Wazuh Dashboard (good) | Primary: Grafana, Secondary: Wazuh Dashboard |
| Alerting | ✅ Grafana Unified Alerting | ✅ Wazuh Alerting | Use Grafana (unified notifications) |
| Security Event Detection | ⚠️ Manual rules | ✅ Automated with ruleset | Use Wazuh |
| File Integrity Monitoring | ❌ Not available | ✅ Core feature | Use Wazuh |
| Vulnerability Scanning | ❌ Not available | ✅ Core feature | Use Wazuh |
| Compliance Reporting | ⚠️ Manual dashboards | ✅ Automated reports | Use Wazuh |

Conclusion: Wazuh complements Grafana stack, not replaces it. Together they provide complete observability (infrastructure + security).

Deployment Options

Option 1: All-in-One Single Server

Specifications:

  • Server: Hetzner CPX11 (2 vCPU, 2GB RAM, 40GB SSD)
  • Components: Wazuh Manager + Indexer + Dashboard (single server)
  • Suitable For: 4-6 monitored servers, moderate log volume
  • Cost: €4.15/month (~£43/year)
  • Complexity: Simple deployment and management

Sizing caveat: Wazuh's own all-in-one requirements start at 4 GB RAM and 2 CPU cores for 1-25 agents; the indexer's JVM heap plus the manager and dashboard do not fit comfortably in 2 GB. Treat CPX11 as a proof-of-concept size and budget for CPX21 (3 vCPU, 4GB RAM) if the indexer or manager is OOM-killed.

Pros:

  • Lower cost
  • Simple architecture
  • Sufficient for current scale (4 ApisCP/DNS servers)
  • Easy backup and disaster recovery

Cons:

  • Limited scalability (>10 servers may require upgrade)
  • Single point of failure (mitigated by the Grafana stack continuing to operate)
  • Below the documented minimum RAM for an all-in-one deployment

Option 2: Separate Wazuh Components

Specifications:

  • Wazuh Manager: CPX21 (3 vCPU, 4GB RAM)
  • Wazuh Indexer: CPX21 (3 vCPU, 4GB RAM)
  • Wazuh Dashboard: CPX11 (2 vCPU, 2GB RAM)
  • Cost: ~£210/year
  • Complexity: More complex deployment

Pros:

  • Better performance under heavy load
  • Easier horizontal scaling
  • Component isolation

Cons:

  • Higher cost (3x servers)
  • More complex management
  • Overkill for current scale

Recommendation: Start with Option 1 (All-in-One). Migrate to Option 2 if client count exceeds 50 or log volume becomes unmanageable.

Option 3: Reuse Existing Monitoring Server

Specifications:

  • Deploy Wazuh containers on existing Grafana monitoring server (CPX31)
  • Add Wazuh Manager, Indexer, Dashboard containers to existing Docker Compose
  • Cost: £0 additional (already paying for monitoring server)
  • Complexity: Moderate (managing more containers)

Pros:

  • No additional infrastructure cost
  • Single server to manage
  • Simplified network configuration

Cons:

  • Resource contention (Grafana + Prometheus + Loki + Wazuh on same server)
  • May require monitoring server upgrade to CPX41 if performance issues arise

Recommendation: Test this approach first (lowest cost). If performance issues arise, move Wazuh to dedicated CPX11.

Deployment Timeline

Prerequisites (Before Starting)

  • Grafana Stack Deployed: Phase 1 monitoring operational (Q1 2026)
  • ApisCP Migration Complete: New ApisCP servers deployed and stable (Q2-Q3 2026)
  • NO Imunify360 on ApisCP Servers: Confirmed no /var/ossec conflict
  • Network Documented: ApisCP server IPs, DNS records, firewall rules documented

Wazuh Deployment Phases

Estimated Start: Q3 2026 (July 2026) - assuming ApisCP migration completes June 2026

gantt
    title Wazuh SIEM Deployment Timeline (Post-ApisCP Migration)
    dateFormat YYYY-MM-DD
    section Prerequisites
    Wait for ApisCP Migration        :milestone, m1, 2026-06-30, 0d
    section Phase 1: Planning
    Pre-deployment Checklist         :p1a, 2026-07-01, 3d
    Provision Wazuh Server           :p1b, after p1a, 2d
    Document Deployment Plan         :p1c, after p1a, 3d
    section Phase 2: Wazuh Installation
    Install Wazuh Manager            :p2a, after p1b, 2d
    Install Wazuh Indexer            :p2b, after p2a, 2d
    Install Wazuh Dashboard          :p2c, after p2b, 1d
    Configure Authentication         :p2d, after p2c, 1d
    Configure Email Alerts           :p2e, after p2d, 1d
    section Phase 3: Agent Deployment
    Deploy Agents - DNS Servers      :p3a, after p2e, 2d
    Test Agent Connectivity          :p3b, after p3a, 1d
    Deploy Agents - ApisCP Servers   :p3c, after p3b, 2d
    Validate All Agents              :p3d, after p3c, 1d
    section Phase 4: Rule Configuration
    Enable Default Rules             :p4a, after p3d, 2d
    Configure FIM                    :p4b, after p4a, 3d
    Create Custom Rules              :p4c, after p4b, 4d
    Tune Alert Thresholds            :p4d, after p4c, 3d
    section Phase 5: Grafana Integration
    Add Wazuh Data Source            :p5a, after p4d, 1d
    Import Wazuh Dashboards          :p5b, after p5a, 2d
    Create Unified Dashboard         :p5c, after p5b, 3d
    Configure Cross-Source Alerts    :p5d, after p5c, 2d
    section Phase 6: Testing
    Comprehensive Testing            :p6a, after p5d, 5d
    Performance Optimization         :p6b, after p6a, 3d
    Documentation Update             :p6c, after p6a, 3d
    section Phase 7: Production Launch
    Production Cutover               :p7a, after p6b, 2d
    Monitor and Tune                 :p7b, after p7a, 7d

Total Timeline: 8-11 weeks (56-77 days)

Target Completion: Q3-Q4 2026 (September-October 2026)

Detailed Phase Breakdown

Phase 1: Planning and Preparation (1 week)

  • Complete pre-deployment checklist (infrastructure, access, monitoring plan)
  • Provision Wazuh server (Hetzner CPX11 or reuse monitoring server)
  • Document deployment plan (update this document with specific configurations)
  • Review Wazuh documentation and training materials

Phase 2: Wazuh Installation (1 week)

  • Install Wazuh Manager, Indexer, Dashboard (via Docker or native packages)
  • Rotate the install-time passwords for the indexer admin, dashboard and Wazuh API users (wazuh-passwords-tool) and restrict dashboard/API access to the admin IP
  • Verify web interface accessibility
  • Configure SMTP for email alerts (reuse existing email configuration)
  • Set up integration points for Grafana (note the Indexer URL and create a read-only indexer user for later)

Phase 3: Agent Deployment (1 week)

  • Install Wazuh agents on DNS servers first (lower risk, simpler configuration)
  • Test agent connectivity, log shipping, and event generation
  • Install Wazuh agents on ApisCP hosting servers
  • Verify all agents report to the Manager (/var/ossec/bin/agent_control -l on the manager should list each as Active)
  • Troubleshoot any connectivity or firewall issues (1515/tcp for enrollment, 1514/tcp for events)

Phase 4: Rule Configuration and Tuning (2-3 weeks)

  • Enable default Wazuh rule sets (SSH, web server, file integrity)
  • Configure File Integrity Monitoring for critical paths (/etc, /root/.ssh, ApisCP site document roots)
  • Create custom rules for ApisCP-specific events
  • Tune alert thresholds to reduce false positives (most time-consuming phase)
  • Test rules by simulating various attack scenarios

Phase 5: Grafana Integration (1 week)

  • Add Wazuh Indexer as Grafana data source (Elasticsearch/OpenSearch type, HTTPS with a read-only user)
  • Import pre-built Wazuh dashboards into Grafana
  • Create unified security + infrastructure dashboard
  • Configure cross-data-source alerts (e.g., high CPU + security event correlation)
  • Test alert routing through Grafana Unified Alerting

Phase 6: Testing and Optimization (1-2 weeks)

  • Comprehensive functional testing (simulate attacks, verify detection)
  • Performance testing (ensure Wazuh server is not overloaded)
  • Documentation updates (operational procedures, troubleshooting guides)
  • Backup and disaster recovery testing
  • User training (familiarisation with Wazuh UI and Grafana dashboards)

Phase 7: Production Launch (1-2 weeks)

  • Production cutover (Wazuh as primary security monitoring)
  • Monitor false positive rate and adjust rules
  • Gather operational feedback
  • Iterate on dashboards and alerts based on real-world usage

Integration with Grafana Stack

Adding Wazuh as Grafana Data Source

Configuration Steps:

  1. Add OpenSearch/Elasticsearch Data Source:

    # In /opt/monitoring-stack/grafana/provisioning/datasources/datasources.yml
    # The Wazuh indexer serves HTTPS with its own CA and requires credentials,
    # so a plain http:// URL fails the data source test. "grafana-ro" is an
    # assumed read-only indexer user (create it in the indexer security plugin
    # with read access to wazuh-alerts-*); do not reuse the admin account.
    apiVersion: 1
    datasources:
      - name: Wazuh
        type: elasticsearch
        access: proxy
        url: https://wazuh-indexer:9200
        database: "wazuh-alerts-*"
        isDefault: false
        editable: true
        basicAuth: true
        basicAuthUser: grafana-ro
        jsonData:
          esVersion: "7.10.0"
          timeField: "@timestamp"
          logMessageField: "full_log"
          logLevelField: "rule.level"
          tlsAuthWithCACert: true
        secureJsonData:
          basicAuthPassword: "${WAZUH_GRAFANA_PASSWORD}"   # from the Grafana container environment
          tlsCACert: "${WAZUH_ROOT_CA_PEM}"                # contents of the indexer root-ca.pem

    Note: Grafana's built-in Elasticsearch data source is tested against Elasticsearch, and the Wazuh indexer is OpenSearch. If the data source test is rejected on a current Grafana release, install the Grafana OpenSearch plugin (grafana-opensearch-datasource), set type accordingly and keep the same URL, credentials and TLS settings.
    

  2. Restart Grafana Container:

    docker compose restart grafana
    

  3. Verify Data Source:
     • Navigate to Grafana UI → Connections → Data sources (Configuration → Data Sources on older Grafana)
     • Open "Wazuh", click "Save & test" and confirm the green "Data source is working"
     • If it fails, check the indexer CA and the read-only user's permissions before anything else

Unified Dashboard Creation

Example Panels for Unified MDHosting Dashboard:

Row 1: Status Overview

  • Panel 1: Server Status (Prometheus) - All servers UP?
  • Panel 2: Security Alert Summary (Wazuh) - Critical/High/Medium/Low counts
  • Panel 3: Recent Security Events (Wazuh) - Last 10 alerts

Row 2: Infrastructure + Security Correlation

  • Panel 4: CPU Usage by Server (Prometheus) - Time series
  • Panel 5: Top Security Events by Type (Wazuh) - Bar chart
  • Panel 6: Authentication Failures (Wazuh) - Gauge

Row 3: Deep Dive

  • Panel 7: Network Traffic (Prometheus) - Time series
  • Panel 8: Intrusion Attempts by IP (Wazuh) - Table
  • Panel 9: File Integrity Changes (Wazuh) - Log panel

Row 4: Logs and Correlation

  • Panel 10: Recent Application Logs (Loki) - Log panel
  • Panel 11: Security Event Timeline (Wazuh) - Time series
  • Panel 12: Correlated Events (Wazuh + Prometheus) - Custom query

Cross-Data-Source Alerting

Example: Crypto-Mining Detection Alert

# Grafana Alert Rule (outline; Grafana stores a rule as queries plus Reduce/Math expressions)
name: Possible Crypto-Mining Activity
queries:
  A (Prometheus):  100 - avg(rate(node_cpu_seconds_total{mode="idle", instance=~"apis1\\..*"}[5m])) * 100
  B (Wazuh, Lucene on wazuh-alerts-*):  rule.level:>=7 AND rule.groups:web AND agent.name:apis1.example.net
      metric: Count, no group by, time range: last 5 minutes
expressions:
  C: Reduce(A, Last)            # current busy %
  D: Reduce(B, Last)            # web alerts in the window
  E: Math  $C > 80 && $D > 0    # alert condition
condition: E
for: 5m
labels:
  severity: critical
notifications:
  - contact point: Email Admin
annotations:
  summary: "High CPU + web security alert on {{ $labels.instance }}"
  description: "Possible crypto-mining: CPU {{ $values.C }}% with {{ $values.D }} web alert(s) in the last 5 minutes"

Interpretation: if high CPU usage coincides with a web security event (e.g. a malicious script uploaded), alert on possible crypto-mining malware.

Caveats: node_exporter exposes no node_cpu_usage metric; busy CPU is derived from the idle counter as in query A. Grafana only combines two query results whose labels match exactly, and Prometheus labels the host instance="apis1.example.net:9100" while Wazuh uses agent.name="apis1.example.net", so the two sides will not join per host on their own. Filtering both queries to one host and reducing each to a single number, as above, sidesteps the join at the cost of one rule per monitored server.
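The join the rule above depends on, carried out explicitly as an added example (not code from the plan, from Grafana or from Wazuh): Prometheus idle-CPU counter samples and Wazuh alert documents are constructed inline, the busy percentage is computed the same way query A does it, and hosts are matched only after normalising Prometheus `instance` ("host:9100") and Wazuh `agent.name` to a bare hostname. Hostnames, timestamps and alert contents are invented for the example.

```python
"""Cross-source correlation for the crypto-mining rule: a host whose CPU is
busy above the threshold AND has a Wazuh web alert (rule.level >= 7, "web" in
rule.groups) inside the same 5-minute window.

Added example for this plan, not Grafana's or Wazuh's own code. All samples,
alerts and hostnames below are constructed. Prometheus labels a host by
`instance` ("host:9100") while Wazuh uses `agent.name`, so both are normalised
to a bare hostname before the join; Grafana will not do that for you.
"""
from datetime import datetime, timedelta, timezone

T0 = datetime(2026, 8, 3, 10, 0, tzinfo=timezone.utc)
WINDOW = timedelta(minutes=5)
NOW = T0 + WINDOW

# Constructed node_cpu_seconds_total{mode="idle"} samples: (instance, cpu, time, value).
# apis1 accrues only 24 s of idle time per CPU in 300 s (~92% busy);
# apis2 accrues 290 s (~3% busy).
CPU_SAMPLES = [
    ("apis1.example.net:9100", "0", T0, 1000.0),
    ("apis1.example.net:9100", "0", NOW, 1024.0),
    ("apis1.example.net:9100", "1", T0, 2000.0),
    ("apis1.example.net:9100", "1", NOW, 2024.0),
    ("apis2.example.net:9100", "0", T0, 5000.0),
    ("apis2.example.net:9100", "0", NOW, 5290.0),
    ("apis2.example.net:9100", "1", T0, 6000.0),
    ("apis2.example.net:9100", "1", NOW, 6290.0),
]

# Constructed Wazuh alert documents in wazuh-alerts-* shape; timestamps use the
# manager's format (fractional seconds, numeric UTC offset).
ALERTS = [
    {"timestamp": "2026-08-03T10:03:10.000+0000",
     "agent": {"name": "apis1.example.net"},
     "rule": {"level": 10, "id": "31153", "groups": ["web", "attack"],
              "description": "Multiple common web attacks from same source ip."},
     "data": {"srcip": "203.0.113.9"}},
    {"timestamp": "2026-08-03T10:04:00.000+0000",   # high level, but not a web alert
     "agent": {"name": "apis2.example.net"},
     "rule": {"level": 10, "id": "5712", "groups": ["syslog", "sshd", "authentication_failures"],
              "description": "sshd: brute force trying to get access to the system."},
     "data": {"srcip": "198.51.100.7"}},
    {"timestamp": "2026-08-03T08:00:00.000+0000",   # web alert, but outside the window
     "agent": {"name": "apis1.example.net"},
     "rule": {"level": 7, "id": "31101", "groups": ["web"],
              "description": "Web server 400 error code."}},
]


def hostname(label):
    """Normalise a Prometheus instance ("host:port") or a Wazuh agent.name to "host"."""
    return label.split(":")[0].lower()


def parse_ts(text):
    """Parse the manager's alert timestamp, e.g. 2026-08-03T10:03:10.000+0000."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f%z")


def cpu_busy_percent(samples, now, window):
    """Per-host busy %, the same quantity as the PromQL
    100 - avg(rate(node_cpu_seconds_total{mode="idle"}[5m])) * 100,
    taken from the first and last idle sample of each CPU inside the window."""
    start = now - window
    per_cpu = {}
    for instance, cpu, t, value in samples:
        if start <= t <= now:
            per_cpu.setdefault(hostname(instance), {}).setdefault(cpu, []).append((t, value))
    busy = {}
    for host, cpus in per_cpu.items():
        rates = []
        for points in cpus.values():
            points.sort()
            (t0, v0), (t1, v1) = points[0], points[-1]
            span = (t1 - t0).total_seconds()
            if span > 0:
                rates.append(100.0 * (1.0 - (v1 - v0) / span))  # idle rate -> busy %
        if rates:
            busy[host] = sum(rates) / len(rates)
    return busy


def web_alert_hosts(alerts, now, window, min_level=7):
    """Hosts with an alert matching rule.level:>=7 AND rule.groups:web inside the window."""
    start = now - window
    hosts = set()
    for alert in alerts:
        rule = alert["rule"]
        if (start <= parse_ts(alert["timestamp"]) <= now
                and rule["level"] >= min_level and "web" in rule["groups"]):
            hosts.add(hostname(alert["agent"]["name"]))
    return hosts


def possible_cryptomining(samples, alerts, now, window=WINDOW, cpu_threshold=80.0):
    """Hosts for which both conditions hold; the Grafana rule would fire once per host."""
    busy = cpu_busy_percent(samples, now, window)
    flagged = web_alert_hosts(alerts, now, window)
    return sorted(h for h, pct in busy.items() if pct > cpu_threshold and h in flagged)


if __name__ == "__main__":
    print(cpu_busy_percent(CPU_SAMPLES, NOW, WINDOW))
    print(possible_cryptomining(CPU_SAMPLES, ALERTS, NOW))
```

Running it flags only apis1: apis2 is idle and its only high-level alert is an SSH brute-force, not a web event, and the earlier web alert on apis1 falls outside the window. The same two filters (level, group, window) are what the Lucene query in the rule expresses.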

Operational Procedures

Daily Monitoring with Wazuh

Grafana-First Approach (5-10 minutes):

  1. Open Unified Dashboard (Grafana)
  2. Security Alert Summary Panel:
     • Any Critical/High alerts? Investigate immediately
     • Medium alerts? Review and triage
  3. Recent Security Events Panel:
     • Scan last 10 events for unusual patterns
     • Click an event to view full details in the Wazuh data source
  4. File Integrity Changes:
     • Any unexpected file modifications? Investigate
     • Expected changes (updates, deployments)? Mark as reviewed
  5. Authentication Failures:
     • Spike in SSH/control-panel/email authentication failures? Investigate source IPs
     • Check whether the host firewall or Fail2Ban has already blocked them
  6. Correlation Check:
     • High CPU + security event? Investigate for compromise
     • Disk usage spike + FIM alert? Possible malware or unauthorized file upload

Wazuh Dashboard (Optional, for deep investigation):

  • Navigate to Wazuh Dashboard (if needed for detailed analysis)
  • Use Wazuh's specialised views (Security Events, Integrity Monitoring, Vulnerabilities)
  • Return to Grafana for infrastructure context

Compared to Manual Monitoring:

  • Before (no SIEM): 15-30 minutes manually reviewing logs and security tools
  • After (Wazuh + Grafana): 5-10 minutes reviewing the unified dashboard
  • Time Saved: 10-20 minutes per day = 60-140 minutes per week
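The numbers behind the daily checklist above, as an added example (not code from the plan or from Wazuh): severity counts, the FIM change list and authentication-failure sources computed from newline-delimited alert JSON of the kind the manager writes to /var/ossec/logs/alerts/alerts.json and indexes as wazuh-alerts-*. The alert records are constructed; the severity buckets are this plan's mapping of Wazuh rule levels and are an assumption, with Critical set at level 12 because that is the manager's default email_alert_level.

```python
"""Daily triage summary over Wazuh alerts: counts by severity, file-integrity
changes, and authentication-failure sources worth checking against the firewall.

Added example for this plan, not Wazuh's own code. Input is newline-delimited
alert JSON as the manager writes to /var/ossec/logs/alerts/alerts.json (the same
documents land in wazuh-alerts-*); the records below are constructed. The
severity buckets are this plan's mapping of Wazuh rule levels (assumption):
Critical >= 12 (the manager's default email_alert_level), High 7-11,
Medium 4-6, Low 0-3.
"""
import json
from collections import Counter

SAMPLE_ALERTS = r'''
{"timestamp":"2026-08-03T06:10:00.000+0000","agent":{"name":"apis1.example.net"},"rule":{"id":"31168","level":14,"groups":["web","attack"],"description":"Shellshock attack attempt"},"data":{"srcip":"203.0.113.9"}}
{"timestamp":"2026-08-03T06:12:00.000+0000","agent":{"name":"apis1.example.net"},"rule":{"id":"550","level":7,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"description":"Integrity checksum changed."},"syscheck":{"path":"/etc/passwd","event":"modified","changed_attributes":["mtime","md5","sha1","sha256"]}}
{"timestamp":"2026-08-03T06:12:05.000+0000","agent":{"name":"apis1.example.net"},"rule":{"id":"554","level":5,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"description":"File added to the system."},"syscheck":{"path":"/root/.ssh/authorized_keys","event":"added"}}
{"timestamp":"2026-08-03T07:00:01.000+0000","agent":{"name":"dns1.example.net"},"rule":{"id":"5716","level":5,"groups":["syslog","sshd","authentication_failed"],"description":"sshd: authentication failed."},"data":{"srcip":"198.51.100.7","srcuser":"root"}}
{"timestamp":"2026-08-03T07:00:02.000+0000","agent":{"name":"dns1.example.net"},"rule":{"id":"5716","level":5,"groups":["syslog","sshd","authentication_failed"],"description":"sshd: authentication failed."},"data":{"srcip":"198.51.100.7","srcuser":"admin"}}
{"timestamp":"2026-08-03T07:00:03.000+0000","agent":{"name":"dns1.example.net"},"rule":{"id":"5716","level":5,"groups":["syslog","sshd","authentication_failed"],"description":"sshd: authentication failed."},"data":{"srcip":"198.51.100.7","srcuser":"oracle"}}
{"timestamp":"2026-08-03T07:00:04.000+0000","agent":{"name":"dns1.example.net"},"rule":{"id":"5712","level":10,"groups":["syslog","sshd","authentication_failures"],"description":"sshd: brute force trying to get access to the system."},"data":{"srcip":"198.51.100.7"}}
{"timestamp":"2026-08-03T07:30:00.000+0000","agent":{"name":"apis2.example.net"},"rule":{"id":"5716","level":5,"groups":["syslog","sshd","authentication_failed"],"description":"sshd: authentication failed."},"data":{"srcip":"203.0.113.5","srcuser":"root"}}
{"timestamp":"2026-08-03T08:00:00.000+0000","agent":{"name":"apis2.example.net"},"rule":{"id":"5501","level":3,"groups":["pam","syslog","authentication_success"],"description":"PAM: Login session opened."},"data":{"dstuser":"mdinsdale"}}
'''

SEVERITY = (("Critical", 12), ("High", 7), ("Medium", 4), ("Low", 0))
AUTH_FAIL_GROUPS = {"authentication_failed", "authentication_failures"}


def load_alerts(text):
    """Parse newline-delimited alert JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def severity(level):
    """Map a Wazuh rule level to this plan's severity bucket."""
    for name, floor in SEVERITY:
        if level >= floor:
            return name
    return "Low"


def severity_counts(alerts):
    """The numbers shown by the 'Security Alert Summary' panel."""
    counts = Counter(severity(a["rule"]["level"]) for a in alerts)
    return {name: counts.get(name, 0) for name, _ in SEVERITY}


def fim_changes(alerts):
    """(agent, path, event) for each syscheck alert, for the FIM review step."""
    return [(a["agent"]["name"], a["syscheck"]["path"], a["syscheck"]["event"])
            for a in alerts if "syscheck" in a and "syscheck" in a["rule"]["groups"]]


def auth_failures_by_ip(alerts):
    """Source IPs behind authentication-failure alerts, most active first."""
    counter = Counter(a["data"]["srcip"] for a in alerts
                      if AUTH_FAIL_GROUPS & set(a["rule"]["groups"])
                      and "srcip" in a.get("data", {}))
    return dict(counter.most_common())


def suspicious_sources(alerts, threshold=3):
    """IPs at or above the threshold: check whether the host firewall already blocks them."""
    return [ip for ip, n in auth_failures_by_ip(alerts).items() if n >= threshold]


def triage(text):
    """One call per daily check; returns what the dashboard panels show."""
    alerts = load_alerts(text)
    return {
        "severity": severity_counts(alerts),
        "critical": [a["rule"]["description"] for a in alerts if a["rule"]["level"] >= 12],
        "fim": fim_changes(alerts),
        "auth_failures": auth_failures_by_ip(alerts),
        "suspicious": suspicious_sources(alerts),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERTS), indent=2))
```

On the sample set this yields one Critical (the Shellshock attempt), two FIM changes on apis1 that would both demand an explanation (/etc/passwd modified, a new /root/.ssh/authorized_keys) and one source IP with four failures, which is the address to check against the firewall before anything else.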

Incident Investigation with Wazuh

Scenario: Suspected Unauthorized Access

  1. Initial Alert (via Grafana or email):
     • "Critical: Unauthorized root login from unusual IP"

  2. Grafana Unified Dashboard:
     • Check "Recent Security Events" panel
     • Identify the alert source: the Wazuh rule ID and description that fired (for example 5715 "sshd: authentication success" for root from an address outside the expected ranges; Wazuh has no built-in "unusual location" rule, so this needs a custom rule on srcip or the GeoLocation field)
     • Note: IP address, timestamp, affected server

  3. Wazuh Deep Dive:
     • Click alert in Grafana → jump to the Wazuh data source
     • View full event details:
       ◦ Source IP, username, authentication method
       ◦ Previous login history for this user
       ◦ Geo-location of the IP (GeoLocation field added by the indexer pipeline)

  4. Correlation with Infrastructure:
     • Switch to Prometheus data in Grafana
     • Check server resource usage at the time of the alert
     • Any unusual CPU/network/disk activity?

  5. Log Analysis:
     • Switch to Loki data in Grafana
     • Query: {server="affected-server", job="secure"} |= "unusual-ip-address"
     • View SSH session activity, commands executed

  6. File Integrity Check:
     • Wazuh FIM panel in Grafana
     • Were any files modified after the unauthorized access?
     • Check critical paths: /etc/passwd, /etc/shadow, /root/.ssh/

  7. Response Actions:
     • If confirmed unauthorized: Follow Incident Response - Unauthorized Access
     • Block the source IP at the host firewall (permanent deny)
     • Force password reset or disable the compromised account
     • Review and remediate any file modifications

  8. Documentation:
     • Create incident record: INC-YYYY-MM-DD-###
     • Document timeline (from Wazuh + Grafana data)
     • Capture evidence (screenshots, log exports)

Efficiency: Wazuh provides immediate detection and context. What previously took 30-60 minutes of manual investigation now takes 10-15 minutes with full evidence trail.
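Steps 2, 5 and 6 of the scenario above, carried out on alert data as an added example (not code from the plan or from Wazuh): locate the suspicious SSH login, build the timeline of everything Wazuh recorded on that agent afterwards, pull out FIM changes to the critical paths the scenario names, and produce the Loki selector for the session logs. The alert records are constructed; sshd success alerts put the account in data.dstuser and the client address in data.srcip, and the Loki selector assumes this plan's server and job labels.

```python
"""Investigation pivot for the 'suspected unauthorized access' scenario: find the
suspicious SSH login alert, list everything Wazuh recorded on that agent at or
after it, and pull out changes to the critical paths named in the scenario.

Added example for this plan, not Wazuh's own code. The alert records below are
constructed in the shape of wazuh-alerts-* documents. The Loki selector uses
this plan's `server` and `job` labels (an assumption about the Promtail config).
"""
import json
from datetime import datetime

CRITICAL_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/root/.ssh/")

SAMPLE_ALERTS = '''
{"timestamp":"2026-08-03T09:30:00.000+0000","agent":{"name":"apis1.example.net"},"rule":{"id":"550","level":7,"groups":["ossec","syscheck"],"description":"Integrity checksum changed."},"syscheck":{"path":"/etc/passwd","event":"modified"}}
{"timestamp":"2026-08-03T10:00:00.000+0000","agent":{"name":"apis1.example.net"},"rule":{"id":"5715","level":3,"groups":["syslog","sshd","authentication_success"],"description":"sshd: authentication success."},"data":{"srcip":"203.0.113.50","dstuser":"root"}}
{"timestamp":"2026-08-03T10:00:30.000+0000","agent":{"name":"apis1.example.net"},"rule":{"id":"554","level":5,"groups":["ossec","syscheck"],"description":"File added to the system."},"syscheck":{"path":"/root/.ssh/authorized_keys","event":"added"}}
{"timestamp":"2026-08-03T10:01:00.000+0000","agent":{"name":"apis1.example.net"},"rule":{"id":"5902","level":8,"groups":["syslog","adduser"],"description":"New user added to the system"},"data":{"dstuser":"support"}}
{"timestamp":"2026-08-03T10:01:30.000+0000","agent":{"name":"apis2.example.net"},"rule":{"id":"550","level":7,"groups":["ossec","syscheck"],"description":"Integrity checksum changed."},"syscheck":{"path":"/etc/shadow","event":"modified"}}
{"timestamp":"2026-08-03T10:02:00.000+0000","agent":{"name":"apis1.example.net"},"rule":{"id":"550","level":7,"groups":["ossec","syscheck"],"description":"Integrity checksum changed."},"syscheck":{"path":"/etc/shadow","event":"modified"}}
{"timestamp":"2026-08-03T10:03:00.000+0000","agent":{"name":"apis1.example.net"},"rule":{"id":"550","level":7,"groups":["ossec","syscheck"],"description":"Integrity checksum changed."},"syscheck":{"path":"/var/www/html/index.php","event":"modified"}}
'''


def load_alerts(text):
    """Parse newline-delimited alert JSON and sort by the manager's timestamp."""
    alerts = [json.loads(line) for line in text.splitlines() if line.strip()]
    for alert in alerts:
        alert["_ts"] = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return sorted(alerts, key=lambda a: a["_ts"])


def find_login(alerts, srcip, user="root"):
    """Earliest sshd success for this client address and account: the pivot point."""
    for alert in alerts:
        data = alert.get("data", {})
        if ("authentication_success" in alert["rule"]["groups"]
                and data.get("srcip") == srcip and data.get("dstuser") == user):
            return alert
    return None


def timeline_after(alerts, pivot):
    """Every alert on the same agent at or after the pivot, oldest first.
    Events on other agents and anything before the login are deliberately excluded."""
    agent = pivot["agent"]["name"]
    return [a for a in alerts if a["agent"]["name"] == agent and a["_ts"] >= pivot["_ts"]]


def critical_changes(timeline):
    """FIM events touching the paths an intruder changes to persist or escalate."""
    return [(a["syscheck"]["event"], a["syscheck"]["path"]) for a in timeline
            if "syscheck" in a and a["syscheck"]["path"].startswith(CRITICAL_PATHS)]


def loki_query(pivot):
    """LogQL selector for the SSH session on the affected server (step 5 of the scenario)."""
    return '{server="%s", job="secure"} |= "%s"' % (pivot["agent"]["name"], pivot["data"]["srcip"])


def investigate(text, srcip, user="root"):
    """Everything the incident record needs from the Wazuh side, or None if no such login."""
    alerts = load_alerts(text)
    pivot = find_login(alerts, srcip, user)
    if pivot is None:
        return None
    timeline = timeline_after(alerts, pivot)
    return {
        "pivot": pivot["timestamp"],
        "timeline": [(a["timestamp"], a["rule"]["id"], a["rule"]["description"]) for a in timeline],
        "critical_changes": critical_changes(timeline),
        "loki_query": loki_query(pivot),
    }


if __name__ == "__main__":
    print(json.dumps(investigate(SAMPLE_ALERTS, "203.0.113.50"), indent=2))
```

For the sample data the timeline after the 10:00 root login holds five events; two of them touch critical paths (a new authorized_keys file and a modified /etc/shadow), which is the persistence and credential-change evidence the incident record should cite. The /etc/passwd change at 09:30 is left out because it predates the login and needs a separate explanation, and the /etc/shadow change on apis2 is left out because it is a different host.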

Cost-Benefit Analysis

Total Monitoring Stack Costs

| Component | Monthly Cost | Annual Cost | Purpose |
|---|---|---|---|
| Grafana Monitoring Server (CPX31) | £12 | £144 | Grafana + Prometheus + Loki (Phase 1) |
| Wazuh SIEM Server (CPX11) | £3.60 | £43 | Wazuh Manager + Indexer + Dashboard (Phase 2) |
| OR: Reuse Monitoring Server | £0 | £0 | Deploy Wazuh on existing server (test first) |
| Total (Dedicated Wazuh) | £15.60 | £187 | Complete monitoring + security stack |
| Total (Shared Server) | £12 | £144 | If Wazuh runs on monitoring server |

Comparison with Alternatives:

| Solution | Annual Cost | Capabilities |
|---|---|---|
| Grafana + Wazuh (Self-Hosted) | £144-187 | Infrastructure + Security + Compliance |
| Commercial SIEM (Datadog, Splunk) | £600-2,000+ | Similar capabilities, SaaS, data egress concerns |
| Managed SIEM Service | £1,200-3,600+ | Fully managed, but expensive for small scale |
| Do Nothing (Manual Only) | £0 | High operational burden, slow detection, compliance gaps |

Value Proposition:

  • £144-187/year for enterprise-grade monitoring + SIEM
  • Significant time savings: 10-20 hours/month in manual monitoring
  • Improved security posture: Real-time threat detection vs. reactive response
  • Compliance benefits: Automated GDPR/PCI reporting
  • Incident response: Faster detection and investigation (reduced MTTR)

ROI: Cost pays for itself in ~5-10 hours of saved investigation time per year.

Documentation and Training

Documentation to Create/Update

During Wazuh Deployment:

  1. This Document (wazuh-deployment.md):
     • Update with actual deployment configuration
     • Document custom rules created
     • Add troubleshooting section based on issues encountered

  2. Security Monitoring (../security/monitoring.md):
     • Update with Wazuh operational procedures
     • Add Wazuh-specific monitoring workflows
     • Update alert triage procedures

  3. Incident Response (../security/incident-response.md):
     • Integrate Wazuh evidence collection procedures
     • Add Wazuh detection examples to playbooks
     • Update investigation workflows

  4. Network Architecture (../infrastructure/network-architecture.md):
     • Add Wazuh server to network diagram
     • Document firewall rules: 1514/tcp (agent events) and 1515/tcp (agent enrollment) from the four agents to the Wazuh server; 9200/tcp from Grafana to the indexer; 443/tcp (dashboard) and 55000/tcp (Wazuh API) from the admin IP only
     • Update security zones

  5. Grafana Monitoring (grafana-monitoring.md):
     • Add Wazuh integration section
     • Document unified dashboard creation
     • Update operational procedures

Training Requirements

Administrator Training (3-4 hours):

  1. Wazuh Architecture Understanding (30 minutes):
     • Manager, Indexer, Dashboard components
     • Agent communication and data flow
     • Integration with Grafana stack

  2. Wazuh UI Navigation (1 hour):
     • Dashboard overview
     • Security events analysis
     • Vulnerability management
     • File integrity monitoring
     • Compliance reporting

  3. Grafana Unified Dashboard (1 hour):
     • Navigating unified infrastructure + security dashboard
     • Querying Wazuh data source
     • Creating custom panels
     • Alert rule configuration

  4. Incident Investigation Workflow (1 hour):
     • Using Wazuh for security event investigation
     • Correlating with infrastructure metrics (Prometheus)
     • Log analysis (Loki)
     • Evidence collection and documentation

  5. Operational Procedures (30 minutes):
     • Daily monitoring checklist
     • Weekly security review
     • Alert triage and escalation
     • Backup and disaster recovery

Resources:

  • Wazuh Documentation: https://documentation.wazuh.com
  • Grafana Documentation: https://grafana.com/docs/grafana/latest/
  • MDHosting Internal Docs: This documentation repository

Risks and Mitigations

| Risk | Impact | Probability | Mitigation |
|---|---|---|---|
| ApisCP Migration Delayed | Wazuh deployment delayed | Medium | Grafana stack provides monitoring in the interim, no critical gap |
| Imunify360 Accidentally Installed on ApisCP | Wazuh conflict, deployment blocked | Low | Document clearly in ApisCP deployment procedures, verification checklist |
| Wazuh Performance Issues | Alerts delayed, server overload | Medium | Size to Wazuh's documented all-in-one minimum (4 GB RAM), monitor resource usage, upgrade to CPX21 if needed |
| High False Positive Rate | Alert fatigue, missed real threats | High | Extensive tuning phase (2-3 weeks), adjust thresholds iteratively |
| Integration Complexity | Grafana + Wazuh integration fails | Low | Well-documented process, test in staging first |
| Resource Constraints | Single-operator, limited time | Medium | Phased deployment, automate where possible, leverage pre-built dashboards |
| Data Loss (Wazuh Server Failure) | Lose alert history, FIM baselines and agent keys | Low | Back up /var/ossec (agent keys, rules, FIM database) and take indexer snapshots; raw logs remain on the source hosts, but the SIEM copy is the evidence if an intruder wipes them |

Overall Risk Level: Low-Medium (manageable with proper planning and phased approach)

Success Criteria

Technical Success:

  • [ ] Wazuh Manager, Indexer, Dashboard deployed and operational
  • [ ] All 4 agents (2x ApisCP, 2x DNS) reporting to Manager
  • [ ] Grafana data source configured, dashboards displaying Wazuh data
  • [ ] Alert rules configured with <10% false positive rate
  • [ ] File Integrity Monitoring active on critical paths
  • [ ] Vulnerability scanning running weekly

Operational Success:

  • [ ] Daily monitoring workflow updated and followed
  • [ ] Incident investigation workflow utilising Wazuh data
  • [ ] Administrator trained and comfortable with Wazuh UI + Grafana
  • [ ] Documentation complete and accurate
  • [ ] Backup and disaster recovery tested

Business Success:

  • [ ] Improved Mean Time to Detect (MTTD) for security incidents
  • [ ] Reduced Mean Time to Respond (MTTR) through better investigation tools
  • [ ] GDPR compliance reporting automated
  • [ ] Security posture improved (proactive vs. reactive)
  • [ ] Time savings: 10+ hours/month in manual monitoring

Future Enhancements

Post-Deployment Improvements:

  1. Active Response Automation:
     • Automatically block malicious IPs at the host firewall (Wazuh active response)
     • Isolate compromised accounts (disable ApisCP panel access for the account)
     • Quarantine infected files

  2. Threat Intelligence Integration:
     • Integrate with threat intelligence feeds (AlienVault OTX, etc.)
     • Enrich alerts with IP reputation data
     • Identify known malicious actors

  3. Custom Rule Development:
     • ApisCP-specific detection rules
     • Client-specific patterns (if offering managed security)
     • Zero-day threat hunting queries

  4. Extended Monitoring:
     • Monitor client WordPress sites for specific vulnerabilities
     • Database query monitoring (slow query detection)
     • Custom application monitoring

  5. Client-Facing Security Services:
     • Offer security monitoring as a premium service
     • Client-specific security dashboards
     • Monthly security reports for business clients

  6. Compliance Expansion:
     • PCI DSS reporting (if payment processing moves in-house)
     • ISO 27001 alignment
     • Additional regulatory frameworks as needed

Prerequisites:

  • ApisCP Migration Project - Must be completed before Wazuh deployment
  • Grafana Monitoring Project - Phase 1 monitoring (deploy first)

Integration Points:

  • Security Monitoring - Current monitoring practices and Wazuh integration
  • Incident Response - Incident response procedures using Wazuh data
  • GDPR Compliance - Compliance monitoring with Wazuh
  • Network Architecture - Network topology and firewall rules

Reference:

  • Contacts - Vendor contacts and escalation procedures


Document Control

Version History:

Version Date Author Changes
1.0 January 2026 Claude Sonnet 4.5 Initial Wazuh SIEM deployment plan (post-ApisCP migration)

Review Schedule:

  • Pre-Deployment Review: Upon ApisCP migration completion (Q2 2026)
  • Post-Deployment Review: 1 month after Wazuh deployment completion
  • Quarterly Review: Assess effectiveness, rule accuracy, integration success
  • Annual Review: Comprehensive review and update (January each year)

Next Review Date: June 2026 (upon ApisCP migration completion)

Document Status: ✅ Complete - Comprehensive Wazuh SIEM deployment plan

Classification: Confidential - Internal Use Only

Document Owner: MDHosting Ltd Director (Matthew Dinsdale)


Last updated: January 2026