Wazuh with Quickwit backend

[zbalkan]

Hi. I am currently using Wazuh as SIEM with OpenSearch as the log database. Yet, the default OpenSearch implementation does not provide immutable indices and it is not easy to set it up without a third party. I am wondering if I can replace OpenSearch instance with Quickwit. Do you have a documentation, article, or tutorial for that?

[fmassot]

Hi @zbalkan, this is a great question, and last year I looked at Wazuh to see if there was an opportunity to use Quickwit for log storage. And the answer is that this subject can be quite complicated and when you open it, you don't know when you will close it :/

Do you have a documentation, article, or tutorial for that?

Simple answer: no.

Complex answer: currently no but maybe in the future, if Quickwit has a better compatibility with OpenSearch API and supports alerting (though I'm not sure if Wazuh uses the alerting feature of elastic). We would need to list all OpenSearch features that Wazuh requires to have a more relevant answer to your question.

I think the first step would be to deeper understand how Wazuh is using OpenSearch (API surface). Possible steps are:

• ask the Wazuh team about plugging another storage backend for logs, they certainly have thought about that and possibly can provide some guidance
• if you have a good understanding of Wazuh, having a discussion with you and see if there is some hacks to plug quickwit into Wazuh.

[zbalkan]

Hi @fmassot,

Thank you for the detailed response. I wish I was that knowledgeable in Wazuh but I am a recent user who is searching for better options.

I asked Wazuh team here and there about the immutable indices and couldn't get a satisfying response. I created an issue with the hope that it can spark some discussions.