SIEM-as-a-Service for Private Clouds: Operational Characterization of aWazuh Deployment Under SSH Brute-Force Workloads
Resumo
A crescente sofisticação dos ciberataques e a complexidade operacional cada vez maior das infraestruturas de nuvem privada intensificaram a necessidade de monitoramento contínuo e confiável de serviços distribuídos. Nesses ambientes, o gerenciamento eficaz de eventos de segurança depende da coleta, transporte e correlação oportunos de logs heterogêneos em múltiplos hosts e camadas, incluindo máquinas virtuais, contêineres e serviços em rede. Este artigo apresenta uma implementação reproduzível de SIEM como serviço para nuvens privadas baseada na plataforma Wazuh, conteinerizada com Docker Compose e instrumentada com Prometheus e Grafana para fornecer observabilidade operacional de ponta a ponta. Para testar a capacidade do pipeline de ingestão e correlação sob condições adversárias realistas, geramos ataques de força bruta distribuídos via SSH usando atacantes simultâneos e intervalos de tempo entre chegadas variáveis, modelados por um processo exponencial. O sistema é avaliado sob um projeto experimental multifatorial que varia tanto a intensidade do ataque quanto a alocação de recursos do servidor, permitindo uma análise sistemática do comportamento de geração de alertas e das métricas operacionais, incluindo utilização da CPU e volume de alertas. Os resultados obtidos em nove cenários experimentais indicam que a configuração com 8 vCPUs e 16 GB de RAM proporciona o comportamento mais estável, combinando alta capacidade de alerta com utilização de recursos regular e previsível. Essas descobertas oferecem uma base prática para dimensionamento de implantações SIEM locais e destacam a importância do provisionamento com base em condições adversas máximas, em vez da carga de trabalho média.Referências
Adabi Raihan, M., Sukarno, P., and Wardana, A. A. (2023). Integrated security information and event management (siem) with intrusion detection system (ids) for live analysis based on machine learning. Procedia Computer Science, 217:1406–1415.
Ahmadi, S. (2024). Systematic literature review on cloud computing security: Threats and mitigation strategies. Journal of Information Security, 15:148–167.
Amami, R., Charfeddine, M., and Masmoudi, S. (2024). Exploration of open source siem tools and deployment of an appropriate wazuh-based solution for strengthening cyberdefense. In 10th International Conference on Control, Decision and Information Technologies (CoDIT), pages 1–7.
Chauhan, M. and Shiaeles, S. (2023). An analysis of cloud security frameworks, problems and proposed solutions. Network, 3(3):422–450.
Hydra (2023). Hydra tool documentation - vr. 9.6 - 2023. Available at: [link]. Accessed: Aug. 28, 2025.
Kumar, S., Rajlingam, A., and Gokila, B. (2023). Study analysis of cloud security challenges and issues in cloud computing technologies. Journal of Science, Computing and Engineering Research, 6(8):6–11.
Liu, Y., Da Silva, I., and Joshi, R. (2019). Modeling adversarial network traffic with stochastic arrival processes. Computer Networks.
López Velásquez, J., Martínez Monterrubio, S., Sánchez Crespo, L., et al. (2023). Systematic review of siem technology: Siem-sc birth. International Journal of Information Security, 22:691–711.
Moiz, S., Majid, A., Basit, A., Ebrahim, M., Abro, A. A., and Naeem, M. (2024). Security and threat detection through cloud-based wazuh deployment. In IEEE 1st Karachi Section Humanitarian Technology Conference (KHI-HTC), pages 1–5.
Paxson, V. and Floyd, S. (1995). Wide-area traffic: The failure of poisson modeling. IEEE/ACM Transactions on Networking.
Rabbani, M., Gui, J., Nejati, F., Zhou, Z., Kaniyamattam, A., Mirani, M., Piya, G., Opushnyev, I., Lu, R., and Ghorbani, A. (2024). Device identification and anomaly detection in iot environments. IEEE Internet of Things Journal, 12(10):13625–13643.
Sheeraz, M., Durad, M. H., Paracha, M. A., Mohsin, S. M., Kazmi, S. N., and Maple, C. (2024). Revolutionizing siem security: An innovative correlation engine design for multi-layered attack detection. Sensors, 24(15):4901.
Singh, V. et al. (2023). Brutector: A probabilistic detection model for bruteforce attacks in ssh server. In 16th International Conference on Security of Information and Networks (SIN), pages 1–8.
Tuyishime, E., Balan, T. C., Cotfas, P. A., Cotfas, D. T., and Rekeraho, A. (2023). Enhancing cloud security—proactive threat monitoring and detection using a siem-based approach. Applied Sciences, 13(22):12359.
Yaker, K., Ait Salem, B., Pierard, B., AitSaadi, N., and Raynal, V. (2024). A novel edge siem for industrial iot flows within 5g private networks. In Global Information Infrastructure and Networking Symposium (GIIS), pages 1–6.
Ahmadi, S. (2024). Systematic literature review on cloud computing security: Threats and mitigation strategies. Journal of Information Security, 15:148–167.
Amami, R., Charfeddine, M., and Masmoudi, S. (2024). Exploration of open source siem tools and deployment of an appropriate wazuh-based solution for strengthening cyberdefense. In 10th International Conference on Control, Decision and Information Technologies (CoDIT), pages 1–7.
Chauhan, M. and Shiaeles, S. (2023). An analysis of cloud security frameworks, problems and proposed solutions. Network, 3(3):422–450.
Hydra (2023). Hydra tool documentation - vr. 9.6 - 2023. Available at: [link]. Accessed: Aug. 28, 2025.
Kumar, S., Rajlingam, A., and Gokila, B. (2023). Study analysis of cloud security challenges and issues in cloud computing technologies. Journal of Science, Computing and Engineering Research, 6(8):6–11.
Liu, Y., Da Silva, I., and Joshi, R. (2019). Modeling adversarial network traffic with stochastic arrival processes. Computer Networks.
López Velásquez, J., Martínez Monterrubio, S., Sánchez Crespo, L., et al. (2023). Systematic review of siem technology: Siem-sc birth. International Journal of Information Security, 22:691–711.
Moiz, S., Majid, A., Basit, A., Ebrahim, M., Abro, A. A., and Naeem, M. (2024). Security and threat detection through cloud-based wazuh deployment. In IEEE 1st Karachi Section Humanitarian Technology Conference (KHI-HTC), pages 1–5.
Paxson, V. and Floyd, S. (1995). Wide-area traffic: The failure of poisson modeling. IEEE/ACM Transactions on Networking.
Rabbani, M., Gui, J., Nejati, F., Zhou, Z., Kaniyamattam, A., Mirani, M., Piya, G., Opushnyev, I., Lu, R., and Ghorbani, A. (2024). Device identification and anomaly detection in iot environments. IEEE Internet of Things Journal, 12(10):13625–13643.
Sheeraz, M., Durad, M. H., Paracha, M. A., Mohsin, S. M., Kazmi, S. N., and Maple, C. (2024). Revolutionizing siem security: An innovative correlation engine design for multi-layered attack detection. Sensors, 24(15):4901.
Singh, V. et al. (2023). Brutector: A probabilistic detection model for bruteforce attacks in ssh server. In 16th International Conference on Security of Information and Networks (SIN), pages 1–8.
Tuyishime, E., Balan, T. C., Cotfas, P. A., Cotfas, D. T., and Rekeraho, A. (2023). Enhancing cloud security—proactive threat monitoring and detection using a siem-based approach. Applied Sciences, 13(22):12359.
Yaker, K., Ait Salem, B., Pierard, B., AitSaadi, N., and Raynal, V. (2024). A novel edge siem for industrial iot flows within 5g private networks. In Global Information Infrastructure and Networking Symposium (GIIS), pages 1–6.
Publicado
25/05/2026
Como Citar
VALENTINI, Edivaldo Pastori; MATOS, Lilia Gomes de; NUNES, Gustavo A. Tuchlinowicz; RANZANI, Matheus Goulart; REBELO, Gabriel de Avelar Las Casas; MENEGUETTE, Rodolfo Ipolito; ESTRELLA, Júlio Cezar.
SIEM-as-a-Service for Private Clouds: Operational Characterization of aWazuh Deployment Under SSH Brute-Force Workloads. In: WORKSHOP DE TESTES E TOLERÂNCIA A FALHAS (WTF), 27. , 2026, Praia do Forte/BA.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2026
.
p. 164-177.
ISSN 2595-2684.
DOI: https://doi.org/10.5753/wtf.2026.23067.
