Case Study

Enterprise SIEM Infrastructure Deployment

How a financial services institution went from zero visibility to processing 270,000+ security events every 5 minutes across a fully monitored, backed-up, and secured infrastructure.

Client: Skybag Egypt — Courier Service
Duration: June 2026 (4 weeks)
Hours: 97 Delivered

270K+ Events / 5 Min | 566K+ Events Indexed | 35 Dashboards | 28 Daily Backups | 15 Applications
Before & After

The Transformation

From zero visibility to full infrastructure monitoring

The Challenge

4 Proxmox nodes, 20+ VMs, 66+ workstations — but zero centralized logging, no security monitoring, and no disaster recovery. When an incident occurred, there was no way to investigate.

The Result

Real-time SIEM processing 270K+ events per 5 minutes, 35 monitoring dashboards, 28 daily automated backups, and full incident response capability — all in 4 weeks.

Technology Stack

Tools Deployed

Enterprise-grade open source stack for log management, monitoring, and backup

Graylog v7.1.3: Log Management
OpenSearch v2.15.0: Search & Index
Grafana v11.2: Dashboards
Wazuh v4.14.5: EDR & FIM
InfluxDB v2.7: Time-Series
Proxmox Backup Server (3.1TB): Disaster Recovery
Problem Solving

Challenges Solved

Real problems encountered and solved during the deployment

Graylog Disk Full

Expanded storage to 500GB, added monitoring dashboards and log rotation policies to prevent future capacity issues.

Network-Isolated VMs

Deployed syslog relay architecture through Windows VMs and Proxmox hosts to forward logs from isolated Linux systems.

Workstation Deployment

Created GPO-based automated installation to deploy SIEM agents to 66+ domain-joined workstations without manual intervention.

Stream Routing

Discovered Graylog 7.1 stream rules were broken. Built pipeline-based routing engine as a workaround — 7 rules, 1 pipeline, fully functional.

Deliverables

What Was Built

Complete infrastructure from logging to backup

Central Log Management

Graylog 7.1.3 with 4 input listeners (GELF TCP/UDP, Syslog TCP/UDP), 15 data streams, and pipeline-based routing engine with 7 custom rules.

Log Storage & Indexing

OpenSearch 2.15.0 cluster with 566K+ indexed events, green health status, and 500GB dedicated storage disk.

Monitoring Dashboards

Grafana 11.2 with 35 operational dashboards — 20 infrastructure, 11 service, and 4 security dashboards.

EDR & FIM

Wazuh 4.14.5 deployed to 19 servers with automated alerting and file integrity monitoring.

Data Pipeline

GELF forwarders deployed to all Windows servers via PowerShell. Syslog relay architecture for network-isolated Linux VMs.
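The engagement's forwarders were PowerShell scripts, which are not reproduced here. As an added illustration of what any GELF forwarder has to get right before Graylog's GELF TCP input will accept its events, here is a small Python client written for this page: it builds a GELF 1.1 message (the mandatory version, host and short_message fields, underscore-prefixed additional fields, the forbidden _id field rejected), frames it with the single NUL delimiter the TCP input splits on, and decodes a frame the way the receiving side does. The host names, the sample logon event, the Windows-level-to-syslog mapping and the helper names are constructed for the example; 12201 is Graylog's default GELF port.

```python
import json
import socket
import time

# Windows event levels (LevelDisplayName) mapped to syslog severities, which is
# what the GELF "level" field carries. The mapping is this example's choice.
_WINDOWS_LEVELS = {"Critical": 2, "Error": 3, "Warning": 4, "Information": 6, "Verbose": 7}


def windows_level_to_syslog(level_name):
    """Translate a Windows event level name to a syslog severity (default: informational)."""
    return _WINDOWS_LEVELS.get(level_name, 6)


def build_gelf(host, short_message, level=6, timestamp=None, full_message=None, **extra):
    """Build a GELF 1.1 message dict.

    version, host and short_message are mandatory. Every caller-supplied extra field
    is stored with the '_' prefix GELF requires, and the name 'id' is rejected because
    the GELF spec forbids an additional field called '_id'.
    """
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time() if timestamp is None else timestamp,
        "level": level,
    }
    if full_message is not None:
        msg["full_message"] = full_message
    for name, value in extra.items():
        bare = name.lstrip("_")
        if bare == "id":
            raise ValueError("GELF does not allow an additional field named '_id'")
        msg["_" + bare] = value
    return msg


def frame_gelf_tcp(msg):
    """Serialise a GELF message for Graylog's GELF TCP input.

    The input splits the byte stream on NUL, so each message is one compact JSON
    document followed by exactly one NUL. json.dumps escapes control characters
    (a NUL inside a string value is emitted as an escape sequence), so no stray
    delimiter can appear inside the payload.
    """
    payload = json.dumps(msg, separators=(",", ":")).encode("utf-8")
    return payload + b"\x00"


def decode_gelf_frame(frame):
    """Receiver side: strip the NUL delimiter and parse the JSON document."""
    if not frame.endswith(b"\x00"):
        raise ValueError("GELF TCP frame must end with a NUL delimiter")
    return json.loads(frame[:-1].decode("utf-8"))


def send_gelf_tcp(msg, server, port=12201, timeout=5.0):
    """Send one framed message to a Graylog GELF TCP input; returns bytes written."""
    frame = frame_gelf_tcp(msg)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(frame)
    return len(frame)


if __name__ == "__main__":
    # Constructed sample: a successful-logon event as a Windows forwarder would see it.
    sample = build_gelf(
        host="dc01.example.local",  # hypothetical server name
        short_message="An account was successfully logged on",
        level=windows_level_to_syslog("Information"),
        timestamp=1700000000.0,
        event_id=4624,
        channel="Security",
        provider="Microsoft-Windows-Security-Auditing",
    )
    frame = frame_gelf_tcp(sample)
    print(frame)
    print(decode_gelf_frame(frame) == sample)
    # Against a live Graylog server (hypothetical host):
    # send_gelf_tcp(sample, "graylog.example.local")
```

The NUL framing is the detail that most often breaks home-grown forwarders: a newline-terminated or unterminated JSON document is silently buffered by the input rather than indexed, which shows up as a server that appears to send logs while nothing arrives in the stream.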

Active Directory Integration

GPO-based SIEM agent deployment to 66+ domain-joined workstations — automated, no manual installs.

Backup & DR

Proxmox Backup Server at 3.1TB with 28 automated daily backups, retention policies, and tested disaster recovery.

Incident Response

Forensic investigation and reporting for unauthorized file deletion — files recovered from backup. Reports in English and Arabic.

Outcomes

Results Delivered

Measurable outcomes in 4 weeks

270K+: Events processed every 5 minutes across the entire infrastructure
566K+: Events indexed and searchable in OpenSearch
35: Grafana dashboards providing real-time visibility
28: Automated daily backups with verified disaster recovery
Zero: Corrupted blocks in PBS backup verification
1: Incident successfully investigated with forensic reports

Need a Similar Deployment?

SIEM, SOC, monitoring, backup — I build security infrastructure that actually works. Let's discuss your project.