How a financial services institution went from zero visibility to processing 270,000+ security events every 5 minutes across a fully monitored, backed-up, and secured infrastructure.
From zero visibility to full infrastructure monitoring
4 Proxmox nodes, 20+ VMs, 66+ workstations — but zero centralized logging, no security monitoring, and no disaster recovery. When an incident occurred, there was no way to investigate.
Real-time SIEM processing 270K+ events per 5 minutes, 35 monitoring dashboards, 28 daily automated backups, and full incident response capability — all in 4 weeks.
Enterprise-grade open source stack for log management, monitoring, and backup
Real problems encountered and solved during the deployment
Expanded storage to 500GB, added monitoring dashboards and log rotation policies to prevent future capacity issues.
Deployed syslog relay architecture through Windows VMs and Proxmox hosts to forward logs from isolated Linux systems.
Created GPO-based automated installation to deploy SIEM agents to 66+ domain-joined workstations without manual intervention.
Discovered Graylog 7.1 stream rules were broken. Built pipeline-based routing engine as a workaround — 7 rules, 1 pipeline, fully functional.
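The pipeline-based routing workaround described above, written out as an added example. These rules are not the deployment's own seven rules and are not taken from the page or from the Graylog project; they illustrate the pattern of replacing stream rules with `route_to_stream()` calls in a processing pipeline. The field names (`winlog_channel`, `wazuh_rule_level`), the `pve-` hostname prefix, the level-7 threshold and the stream titles are assumptions chosen for the example and must be adjusted to whatever the GELF forwarders and syslog relay actually emit.

```graylog
// Stage 0: classify each message and route it to its stream.
// Field names below are assumptions about what the GELF forwarders
// and the syslog relay emit; adjust to the fields your inputs produce.
// remove_from_default: true keeps routed events out of the default stream
// so nothing is indexed twice.

rule "route: Windows Security channel"
when
    has_field("winlog_channel") &&
    to_string($message.winlog_channel) == "Security"
then
    route_to_stream(name: "Windows Security", remove_from_default: true);
    // Tag the message so the fallback stage can tell it was claimed.
    set_field("routed_by", "windows-security");
end

rule "route: Wazuh alerts (level 7 and above, assumed threshold)"
when
    has_field("wazuh_rule_level") &&
    to_long($message.wazuh_rule_level) >= 7
then
    route_to_stream(name: "Wazuh Alerts", remove_from_default: true);
    set_field("routed_by", "wazuh-alerts");
end

rule "route: Proxmox host syslog arriving via relay"
when
    // Assumes the relay preserves the original hostname and hosts are named pve-*.
    starts_with(to_string($message.source), "pve-")
then
    route_to_stream(name: "Proxmox Hosts", remove_from_default: true);
    set_field("routed_by", "proxmox");
end

// Stage 1: anything no stage-0 rule claimed goes to a visible holding stream
// instead of silently staying in the default stream, so routing gaps
// (new log sources, renamed fields) show up in a dashboard rather than going unnoticed.
rule "route: unclassified fallback"
when
    !has_field("routed_by")
then
    route_to_stream(name: "Unrouted", remove_from_default: false);
end
```

Attach the pipeline to the "All messages" stream. The three routing rules sit in stage 0 and the fallback in stage 1; configure stage 0 to continue to the next stage regardless of how many rules matched (the "none or more rules" option), otherwise the fallback never runs for messages that matched nothing. `route_to_stream(name: ...)` resolves streams by title, so the target streams must exist with unique titles before the pipeline is connected, and the "Unrouted" stream deserves an alert when its message rate rises above zero.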
Complete infrastructure from logging to backup
Graylog 7.1.3 with 4 input listeners (GELF TCP/UDP, Syslog TCP/UDP), 15 data streams, and pipeline-based routing engine with 7 custom rules.
OpenSearch 2.15.0 cluster with 566K+ indexed events, green health status, and 500GB dedicated storage disk.
Grafana 11.2 with 35 operational dashboards — 20 infrastructure, 11 service, and 4 security dashboards.
Wazuh 4.14.5 deployed to 19 servers with automated alerting and file integrity monitoring.
GELF forwarders deployed to all Windows servers via PowerShell. Syslog relay architecture for network-isolated Linux VMs.
GPO-based SIEM agent deployment to 66+ domain-joined workstations — automated, no manual installs.
Proxmox Backup Server at 3.1TB with 28 automated daily backups, retention policies, and tested disaster recovery.
Forensic investigation and reporting for unauthorized file deletion — files recovered from backup. Reports in English and Arabic.
Measurable outcomes in 4 weeks
SIEM, SOC, monitoring, backup — I build security infrastructure that actually works. Let's discuss your project.