Splunk dominates the SIEM market, but its pricing model is notorious: it is licensed on daily ingest volume (GB/day), and a 500 GB/day environment easily exceeds $100,000 a year. Wazuh (open-source XDR/SIEM) combined with Graylog (log management) can cover Splunk's core functions with no licence fees; what you still pay for is hardware, storage and the people who run it.
Pricing comparison

| Item | Splunk Enterprise | Splunk Cloud | Wazuh + Graylog |
|---|---|---|---|
| Licence (per GB/day of ingest, per year) | $75-150 | $65-100 | None |
| 500 GB/day ingest | $100K+/year | Metered | No licence cap (bounded only by your hardware) |
| Intrusion detection | UBA add-on | UBA add-on | Built in |
| Compliance reporting | Splunk ES | Splunk ES | Built-in PCI DSS / HIPAA mappings |
| Threat intelligence | Add-on | Add-on | Built in |
| Endpoint protection | Third party | Third party | Wazuh agent |
| Vulnerability management | Basic | Basic | Built in |
Wazuh is a complete security platform: SIEM, XDR, vulnerability management and compliance auditing in one product. Graylog focuses on high-throughput log aggregation and search. Together they cover roughly 90% of what Splunk plus Enterprise Security offers.
Architecture

```text
   [Endpoints]            [Network devices]            [Cloud]
   Wazuh agent            Syslog / WEC forwarding      API collectors
        |                        |                         |
        v                        v                         v
  +----------------------------------------------------------------+
  |             Wazuh Manager (single node or cluster)              |
  |   decoders -> rules -> alerts (/var/ossec/logs/alerts/)         |
  |   Filebeat ships alerts to the Wazuh Indexer                    |
  +----------------------------------------------------------------+
            |                                    |
            v                                    v  (optional: <syslog_output>, or raw syslog sent directly)
  +------------------------+            +--------------------------+
  |     Wazuh Indexer      |            |         Graylog          |
  | (OpenSearch fork:      |            | aggregation, search,     |
  |  storage and search)   |            | alerting; own web UI     |
  +------------------------+            +--------------------------+
            |
            v
  +-----------------------------------------------+
  | Wazuh Dashboard (OpenSearch Dashboards fork)  |
  +-----------------------------------------------+
```

Wazuh 4.x ships its own forks of OpenSearch (the Wazuh Indexer) and OpenSearch Dashboards (the Wazuh Dashboard); it no longer uses Elasticsearch or Kibana. Graylog keeps its own web UI and its own OpenSearch/Elasticsearch backend and does not feed the Wazuh Dashboard; the two systems sit side by side.
Full installation (single-node all-in-one)
System requirements
- CPU: 8+ cores
- RAM: 16 GB+ (32 GB recommended)
- Disk: 200 GB+ SSD
- OS: Ubuntu 22.04 LTS / RHEL 8+
Installing Wazuh 4.8

```bash
# Wazuh provides an installation assistant; pin the minor version you intend to run
# and read the script before executing it as root.
curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh
# All-in-one deployment (Wazuh Manager + Indexer + Dashboard on this host)
sudo bash ./wazuh-install.sh -a
# When it finishes:
#   Wazuh Dashboard: https://<server-ip>  (port 443)
#   User: admin / password generated at install time
# The generated passwords are in an archive written to the working directory:
sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt | grep -P "'admin'" -A 1
```
Manual installation (component by component)

```bash
# 1. Add the Wazuh GPG key and APT repository
apt install -y gnupg apt-transport-https curl
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor > /usr/share/keyrings/wazuh.gpg
chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list
apt update
# 2. Install the Wazuh Manager
apt install -y wazuh-manager
systemctl daemon-reload
systemctl enable --now wazuh-manager
```
```bash
# 3. Install the Wazuh Indexer (Wazuh's OpenSearch fork)
apt install -y wazuh-indexer
# Certificates are not produced by the indexer: generate them with wazuh-certs-tool.sh
# (node names in config.yml must match node.name below) and copy them into place
curl -sO https://packages.wazuh.com/4.8/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.8/config.yml   # edit node names/IPs first
bash ./wazuh-certs-tool.sh -A
mkdir -p /etc/wazuh-indexer/certs
cp wazuh-certificates/{node-1.pem,node-1-key.pem,root-ca.pem,admin.pem,admin-key.pem} /etc/wazuh-indexer/certs/
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs && chmod 400 /etc/wazuh-indexer/certs/*
# Indexer configuration /etc/wazuh-indexer/opensearch.yml
cat > /etc/wazuh-indexer/opensearch.yml << 'EOF'
network.host: "0.0.0.0"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/node-1.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/node-1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/node-1.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/node-1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
# DNs must match the certificates (these are the wazuh-certs-tool.sh defaults)
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
EOF
systemctl daemon-reload && systemctl enable --now wazuh-indexer
# Initialise the security plugin (loads users/roles into the security index);
# the indexer must already be running for this to succeed
/usr/share/wazuh-indexer/bin/indexer-security-init.sh
```
```bash
# 4. Install Filebeat (ships manager alerts to the indexer).
#    Wazuh 4.x is tested with Filebeat OSS 7.10.2 from Elastic's 7.x repository;
#    a generic "filebeat" package from elsewhere will not carry the wazuh module.
curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor > /usr/share/keyrings/elasticsearch.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list
apt update && apt install -y filebeat=7.10.2
# Wazuh alerts index template and the Filebeat wazuh module
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.8.0/extensions/elasticsearch/7.x/wazuh-template.json
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
# Keep the indexer credentials out of filebeat.yml: use the Filebeat keystore
filebeat keystore create
echo admin | filebeat keystore add username --stdin --force
echo '<indexer-admin-password>' | filebeat keystore add password --stdin --force
# Certificates for this host: the "server" node certificate from wazuh-certs-tool.sh
# (wazuh-1.pem / wazuh-1-key.pem by default) is copied here as filebeat.pem / filebeat-key.pem
mkdir -p /etc/filebeat/certs
cat > /etc/filebeat/filebeat.yml << 'EOF'
output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: /etc/filebeat/certs/filebeat.pem
  ssl.key: /etc/filebeat/certs/filebeat-key.pem
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
setup.template.json.enabled: true
setup.template.json.path: "/etc/filebeat/wazuh-template.json"
setup.template.json.name: "wazuh"
setup.template.overwrite: true
setup.ilm.overwrite: true
setup.ilm.enabled: false
EOF
systemctl daemon-reload && systemctl enable --now filebeat
filebeat test output   # must report the indexer connection as OK before alerts will be indexed
```
```bash
# 5. Install the Wazuh Dashboard (OpenSearch Dashboards fork).
#    Needs dashboard.pem, dashboard-key.pem and root-ca.pem from wazuh-certs-tool.sh in /etc/wazuh-dashboard/certs
apt install -y wazuh-dashboard
cat > /etc/wazuh-dashboard/opensearch_dashboards.yml << 'EOF'
server.host: "0.0.0.0"
server.port: 443
opensearch.hosts: ["https://localhost:9200"]
opensearch.ssl.verificationMode: certificate
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
# kibanaserver is the internal user the dashboard authenticates with; prefer storing its
# password in the dashboard keystore (opensearch-dashboards-keystore add opensearch.password)
opensearch.username: "kibanaserver"
opensearch.password: "<kibanaserver-password>"
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
uiSettings.overrides.defaultRoute: /app/wz-home
EOF
systemctl daemon-reload && systemctl enable --now wazuh-dashboard
# The dashboard talks to the manager API (user wazuh-wui, port 55000) as configured in
# /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml. Change the default API and
# indexer passwords before exposing the host.
```
Agent deployment
Linux agent

```bash
# Add the Wazuh APT repository first (same key and sources entry as on the manager)
WAZUH_MANAGER="192.168.1.100"
# Option A: pass the manager (and optionally group and agent name) as environment variables;
# the package post-install writes them into /etc/ossec/ossec.conf and enrols the agent
WAZUH_MANAGER="$WAZUH_MANAGER" WAZUH_AGENT_GROUP="linux" apt install -y wazuh-agent
# Option B: install without variables and replace the MANAGER_IP placeholder afterwards
# apt install -y wazuh-agent
# sed -i "s/MANAGER_IP/$WAZUH_MANAGER/" /etc/ossec/ossec.conf
systemctl daemon-reload
systemctl enable --now wazuh-agent
# On the manager: confirm the agent shows as Active
/var/ossec/bin/agent_control -l
```

Enrolment goes to the manager's registration service on TCP/1515, which by default accepts any host that can reach it. Before exposing it beyond a trusted network, require a shared password (`<auth><use_password>yes</use_password></auth>` in the manager's ossec.conf plus `/var/ossec/etc/authd.pass`) and hand it to agents with `WAZUH_REGISTRATION_PASSWORD`.
Windows agent (PowerShell, run as Administrator)

```powershell
# Download the installer
Invoke-WebRequest -Uri "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.8.0-1.msi" -OutFile "$env:TEMP\wazuh-agent.msi"
# Silent install; the WAZUH_* properties are written into the agent's ossec.conf.
# Add WAZUH_REGISTRATION_PASSWORD="..." if the manager requires an enrolment password.
msiexec.exe /i "$env:TEMP\wazuh-agent.msi" /q WAZUH_MANAGER="192.168.1.100" WAZUH_AGENT_GROUP="windows"
# Start the service
NET START WazuhSvc
```
macOS agent

```bash
# macOS packages are per architecture: this is the Intel build; use the arm64 .pkg
# from the same directory on Apple Silicon
curl -sO https://packages.wazuh.com/4.x/macos/wazuh-agent-4.8.0-1.intel64.pkg
# The installer reads deployment variables from /tmp/wazuh_envs
echo "WAZUH_MANAGER='192.168.1.100' && WAZUH_AGENT_GROUP='macos'" > /tmp/wazuh_envs
sudo installer -pkg wazuh-agent-4.8.0-1.intel64.pkg -target /
sudo /Library/Ossec/bin/wazuh-control start
```
Wazuh rule configuration
Custom detection rules

```xml
<!-- /var/ossec/etc/rules/local_rules.xml  (restart wazuh-manager after editing;
     test with /var/ossec/bin/wazuh-logtest before relying on a rule) -->
<group name="local,syslog,">
  <!-- SSH brute force: 5 failed logins from the same source within 60 s.
       5716 is the built-in "sshd: authentication failed" rule. The built-in rule 5712
       already does this correlation; a custom ID is still useful as a target for
       active response. -->
  <rule id="100001" level="10" frequency="5" timeframe="60">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>SSH brute force attack detected from $(srcip)</description>
    <group>authentication_failures,</group>
  </rule>
  <!-- Critical system file modified. 550 is the syscheck "integrity checksum changed" rule.
       The path lives in the decoded "file" field; <match> only sees the raw event, so use
       <field>. The paths must be inside syscheck's monitored directories. -->
  <rule id="100002" level="12">
    <if_sid>550</if_sid>
    <field name="file">^/etc/passwd$|^/etc/shadow$|^/etc/sudoers$</field>
    <description>Critical system file modified: $(file)</description>
    <group>file_integrity,</group>
  </rule>
  <!-- Reverse-shell tooling executed. Requires auditd execve logging on the endpoint
       (-a always,exit -F arch=b64 -S execve -k audit-wazuh-c); 80792 is the built-in
       "Audit: Command" rule for that key. Matching every /bin/sh or /bin/bash execution,
       as the original rule did, fires on essentially every cron job and login. -->
  <rule id="100003" level="12">
    <if_sid>80792</if_sid>
    <field name="audit.command">^nc$|^ncat$|^mkfifo$</field>
    <description>Possible reverse shell tooling executed: $(audit.command)</description>
    <group>process_execution,</group>
  </rule>
</group>
```
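To make the `frequency`/`timeframe` behaviour of rule 100001 concrete, here is an added example (not code from the original post or from Wazuh) that replays constructed sshd log lines through the same same-source-IP window logic, so you can see which pattern of failures fires and which slips under the window. The log lines, year and thresholds are constructed for the example.

```python
"""Added example, not code from the original post or from Wazuh: a small simulation of the
<frequency>/<timeframe>/<same_source_ip> correlation that rule 100001 relies on, run over
constructed sshd log lines, so the effect of the window on what fires is visible."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log sample: one fast burst from 203.0.113.7 and one slow attacker at 198.51.100.9.
SAMPLE_LOG = """\
Mar 10 10:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar 10 10:00:05 web1 sshd[2002]: Failed password for admin from 203.0.113.7 port 51001 ssh2
Mar 10 10:00:09 web1 sshd[2003]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
Mar 10 10:00:14 web1 sshd[2004]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar 10 10:00:20 web1 sshd[2005]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 10:00:25 web1 sshd[2006]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2
Mar 10 10:01:00 web1 sshd[2007]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar 10 10:05:00 web1 sshd[2008]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar 10 10:10:00 web1 sshd[2009]: Failed password for root from 198.51.100.9 port 40003 ssh2
Mar 10 10:15:00 web1 sshd[2010]: Failed password for root from 198.51.100.9 port 40004 ssh2
Mar 10 10:20:00 web1 sshd[2011]: Failed password for root from 198.51.100.9 port 40005 ssh2
"""

# Roughly what the sshd decoder extracts: timestamp, outcome, user, srcip.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<msg>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<srcip>[\d.]+) port \d+"
)

def parse(line, year=2024):
    """Decode one sshd line into fields; None for lines the decoder would not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog carries no year
    return {"ts": ts, "failed": m["msg"] == "Failed password",
            "user": m["user"], "srcip": m["srcip"]}

def correlate(log_text, frequency=5, timeframe=60):
    """Return [(srcip, timestamp)] for each point at which `frequency` failed logins from
    the same source fall inside a `timeframe`-second window (the same_source_ip behaviour).
    The window is cleared after firing so one burst yields one alert."""
    windows = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or not ev["failed"]:
            continue
        q = windows[ev["srcip"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > timeframe:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= frequency:
            alerts.append((ev["srcip"], ev["ts"]))
            q.clear()
    return alerts

if __name__ == "__main__":
    print("60 s window  :", correlate(SAMPLE_LOG))
    print("30 min window:", correlate(SAMPLE_LOG, timeframe=1800))
```

With the rule's 60 s window only 203.0.113.7 fires; 198.51.100.9, failing once every five minutes, never accumulates five failures inside a window and would need `timeframe="1800"` to be caught, at the cost of more state per source. Wazuh's rule documentation also warns that the number of matches that actually fires a composite rule is not exactly the nominal `frequency`, so validate the real rule with `wazuh-logtest` rather than trusting the configured count.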
File Integrity Monitoring (FIM) configuration

```xml
<!-- /var/ossec/etc/ossec.conf (manager or agent; agents can also receive this through a group's agent.conf) -->
<syscheck>
  <!-- full scan interval in seconds; realtime directories are additionally watched via inotify -->
  <frequency>3600</frequency>
  <!-- critical directories -->
  <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
  <!-- /home in realtime is noisy on multi-user hosts; consider dropping realtime there -->
  <directories realtime="yes" check_all="yes">/home</directories>
  <!-- ignore files that change constantly -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>
  <ignore type="sregex">.log$|.swp$</ignore>
  <!-- Windows registry keys (only meaningful in a Windows agent's configuration) -->
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
</syscheck>
```
Vulnerability detection configuration

Wazuh 4.8 rewrote the vulnerability detector. The old `<wodle name="vulnerability-detector">` block with per-OS `<provider>` entries (Wazuh 3.x syntax) no longer exists: the manager keeps one consolidated CVE feed, detection is driven by the package inventory Syscollector sends from each agent, and results are written to the indexer (`wazuh-states-vulnerabilities-*`).

```xml
<!-- /var/ossec/etc/ossec.conf on the manager (Wazuh 4.8 syntax) -->
<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
<!-- the detector writes its state to the indexer through this connection;
     credentials go in the manager keystore (wazuh-keystore -f indexer -k username / -k password) -->
<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://localhost:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
<!-- on agents (or in the default group's agent.conf): the package inventory the detector scans -->
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <packages>yes</packages>
  <hotfixes>yes</hotfixes>
</wodle>
```
Graylog deployment (supplementary log management)

```bash
# Install MongoDB (Graylog's metadata store); it is not in Ubuntu's repos, so add MongoDB's own
curl -fsSL https://pgp.mongodb.com/server-6.0.asc | gpg --dearmor -o /usr/share/keyrings/mongodb-server-6.0.gpg
echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-6.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" > /etc/apt/sources.list.d/mongodb-org-6.0.list
apt update && apt install -y mongodb-org pwgen
systemctl enable --now mongod
# Install Graylog 5.2 (bundles its own JVM)
wget https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.deb
dpkg -i graylog-5.2-repository_latest.deb
apt update && apt install -y graylog-server
# Configure /etc/graylog/server/server.conf
# password_secret protects stored credentials; root_password_sha2 is the admin login hash.
# Do not hard-code the admin password in the script; read it at the prompt.
SECRET=$(pwgen -N 1 -s 96)
read -rs -p "Graylog admin password: " ROOT_PASS; echo
PASS_HASH=$(printf '%s' "$ROOT_PASS" | sha256sum | awk '{print $1}')
cat > /etc/graylog/server/server.conf << EOF
is_leader = true
node_id_file = /etc/graylog/server/node-id
password_secret = $SECRET
root_username = admin
root_password_sha2 = $PASS_HASH
root_timezone = Asia/Shanghai
# put a TLS-terminating reverse proxy in front, or set http_enable_tls, before exposing this
http_bind_address = 0.0.0.0:9000
# Graylog needs its own OpenSearch 2.x (or Elasticsearch 7.10) backend. On the all-in-one host
# port 9200 is already the Wazuh indexer, which requires HTTPS and authentication, so
# http://localhost:9200 fails; use a dedicated node (placeholder address below).
elasticsearch_hosts = http://10.0.0.20:9200
mongodb_uri = mongodb://localhost/graylog
EOF
chown root:graylog /etc/graylog/server/server.conf && chmod 640 /etc/graylog/server/server.conf
systemctl daemon-reload && systemctl enable --now graylog-server
# Web UI: http://<server-ip>:9000  (admin / the password entered above)
```
Graylog syslog input

In the Graylog web UI: System → Inputs → Select input → Syslog TCP or Syslog UDP → Launch new input. Graylog runs as the unprivileged graylog user, so the input cannot bind port 514: use 1514 (or 5514) and either point devices at that port or redirect 514 to it with a NAT rule on the host. Then configure each device (or rsyslog on each server) to forward to the Graylog address and port. Prefer TCP, or TLS on the Syslog TCP input, for anything that crosses an untrusted segment: UDP syslog is unauthenticated and is dropped silently under load.
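Syslog is not the only way in: Graylog's GELF inputs accept structured messages from your own applications and sidestep the privileged-port problem. The following is an added example, not Graylog's own code, that builds, encodes and locally round-trips a GELF 1.1 message for a GELF UDP input; the host name, port and single-datagram size limit are assumptions for your environment.

```python
"""Added example, not Graylog's own code: build, encode and (locally) decode a GELF 1.1 message
for a Graylog GELF UDP input. GELF_HOST, GELF_PORT and MAX_UDP_PAYLOAD are assumptions."""
import gzip
import json
import re
import socket
import time

GELF_HOST = "graylog.example.internal"   # assumption: your Graylog server
GELF_PORT = 12201                        # default port of a GELF UDP input
MAX_UDP_PAYLOAD = 8192                   # assumption: beyond this, use GELF chunking or a TCP input

FIELD_NAME = re.compile(r"[\w.\-]+")     # characters GELF allows in additional field names

def build_gelf(short_message, host, level=6, full_message=None, timestamp=None, **extra):
    """Return a GELF 1.1 dict. Rules the Graylog input enforces: version, host and
    short_message are mandatory, level is a syslog severity (0-7), every additional field
    is prefixed with '_' and '_id' is reserved (Graylog rejects the message)."""
    if not 0 <= level <= 7:
        raise ValueError("level must be a syslog severity 0-7")
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": timestamp if timestamp is not None else round(time.time(), 3),
        "level": level,
    }
    if full_message:
        msg["full_message"] = full_message
    for name, value in extra.items():
        key = name if name.startswith("_") else "_" + name
        if key == "_id" or not FIELD_NAME.fullmatch(key):
            raise ValueError(f"illegal GELF additional field name: {name!r}")
        msg[key] = value
    return msg

def encode_gelf(msg):
    """gzip-compressed JSON, which GELF UDP inputs detect by magic bytes (zlib and raw also work)."""
    data = gzip.compress(json.dumps(msg, separators=(",", ":")).encode("utf-8"))
    if len(data) > MAX_UDP_PAYLOAD:
        raise ValueError("payload exceeds one UDP datagram; chunk it or use GELF TCP")
    return data

def decode_gelf(data):
    """Inverse of encode_gelf; lets the message format be tested without a Graylog server."""
    return json.loads(gzip.decompress(data).decode("utf-8"))

def send_gelf(msg, host=GELF_HOST, port=GELF_PORT):
    """Fire-and-forget UDP send; returns the datagram size. There is no delivery guarantee,
    so events that matter for an investigation belong on a GELF TCP (or TLS) input."""
    data = encode_gelf(msg)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(data, (host, port))
    return len(data)

if __name__ == "__main__":
    # Constructed event: an sshd failure re-emitted as a structured GELF record.
    event = build_gelf("sshd: authentication failed", host="web1", level=4,
                       source_ip="203.0.113.7", app="sshd", rule_id=5716)
    print(json.dumps(event))
    print("datagram bytes:", len(encode_gelf(event)))
```

Additional fields arrive in Graylog as `source_ip`, `app` and `rule_id` (the underscore is stripped on ingest), which makes them searchable without an extractor; that is the main reason to prefer GELF over free-text syslog for application logs.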
Worked case: detecting an APT attack chain
Scenario: multi-stage attack detection

```xml
<!-- /var/ossec/etc/rules/local_rules.xml. These rules apply to events collected with
     <log_format>eventchannel</log_format>; for 4104 and Sysmon the Windows agent must also
     have <localfile> entries for Microsoft-Windows-PowerShell/Operational and
     Microsoft-Windows-Sysmon/Operational. -->
<group name="local,">
  <!-- Lateral movement: Pass-the-Hash. A bare "4624 + logon type 3 + NTLM" rule fires on
       every SMB connection in the domain. The usual PtH refinement is NTLM via NtLmSsp with
       KeyLength 0 for a real account; ANONYMOUS LOGON events are excluded. 60106 is the
       built-in "Windows logon success" (4624) rule of the 4.x eventchannel ruleset; 18105
       was the legacy OSSEC eventlog rule and never matches JSON eventchannel events. -->
  <rule id="100010" level="12">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.logonType">^3$</field>
    <field name="win.eventdata.authenticationPackageName">^NTLM$</field>
    <field name="win.eventdata.logonProcessName">^NtLmSsp</field>
    <field name="win.eventdata.keyLength">^0$</field>
    <field name="win.eventdata.targetUserName" negate="yes">^ANONYMOUS LOGON$</field>
    <description>Possible Pass-the-Hash: NTLM network logon for $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
    <group>windows,authentication,lateral_movement,</group>
  </rule>
  <!-- Suspicious PowerShell (event 4104; script block logging must be enabled by policy).
       Hooked on the "windows" group so it is evaluated whichever built-in rule handled the event. -->
  <rule id="100011" level="12">
    <if_group>windows</if_group>
    <field name="win.system.channel">^Microsoft-Windows-PowerShell/Operational$</field>
    <field name="win.system.eventID">^4104$</field>
    <field name="win.eventdata.scriptBlockText" type="pcre2">(?i)Invoke-Expression|\bIEX\b|DownloadString|EncodedCommand|-ExecutionPolicy\s+Bypass|WindowStyle\s+Hidden</field>
    <description>Suspicious PowerShell script block: $(win.eventdata.scriptBlockText)</description>
    <group>windows,powershell,</group>
  </rule>
  <!-- Exfiltration over DNS (Sysmon event 22, DnsQuery must be enabled in the Sysmon config).
       The original rule matched the literal text "DNS query to suspicious domain", which no
       log ever contains. A cheap heuristic: an unusually long label (40+ characters) in the
       queried name, typical of encoded data. -->
  <rule id="100012" level="10">
    <if_group>windows</if_group>
    <field name="win.system.channel">^Microsoft-Windows-Sysmon/Operational$</field>
    <field name="win.system.eventID">^22$</field>
    <field name="win.eventdata.queryName" type="pcre2">(^|\.)[A-Za-z0-9+/=_-]{40,}\.</field>
    <description>Possible DNS exfiltration: $(win.eventdata.queryName) by $(win.eventdata.image)</description>
    <group>network,exfiltration,</group>
  </rule>
</group>
```
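As an added example (not part of Wazuh or the original post), the following Python replays constructed Sysmon event 22 records, laid out as the Wazuh eventchannel decoder produces them (`win.eventdata.queryName`), through the heuristics a DNS-exfiltration rule like 100012 rests on: long labels, high-entropy labels and many distinct subdomains under one apex. It goes beyond a single regex to show why a label-length check alone misses short encoded labels while an entropy check alone would flag hyphenated internal hostnames; the thresholds and sample names are assumptions.

```python
"""Added example, not part of Wazuh or the original post: DNS-exfiltration heuristics run over
constructed Sysmon event 22 records in the field layout of the Wazuh eventchannel decoder.
Thresholds and sample names are assumptions chosen to expose the edge cases."""
import math
from collections import Counter, defaultdict

def _ev(query, image="C:\\Windows\\System32\\svchost.exe"):
    """Constructed event in the shape Wazuh emits for Sysmon event 22."""
    return {"win": {"system": {"eventID": "22", "channel": "Microsoft-Windows-Sysmon/Operational"},
                    "eventdata": {"queryName": query, "image": image}}}

# Constructed sample: ordinary traffic, odd-looking but legitimate names, and three encoded labels
SAMPLE_EVENTS = [
    _ev("www.example.com", "C:\\Program Files\\Mozilla Firefox\\firefox.exe"),
    _ev("d1aj7f4x9kbqw.cloudfront.net", "C:\\Program Files\\Mozilla Firefox\\firefox.exe"),
    _ev("prod-ingest-eu-west-1-aggregator-01.internal.corp.example"),
    _ev("a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4e5f67890.exfil.example", "C:\\Users\\bob\\up.exe"),
    _ev("q7Gx2vLp9ZsT4kWm8RnB1cYd5HjF.exfil.example", "C:\\Users\\bob\\up.exe"),
    _ev("MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPE.exfil.example", "C:\\Users\\bob\\up.exe"),
]

LONG_LABEL = 40          # DNS labels max out at 63 chars; encoded payloads are pushed close to that
ENTROPY_MIN_LEN = 20     # short random-looking labels (CDN hostnames) are normal
ENTROPY_THRESHOLD = 4.0  # hex encoding cannot exceed 4.0 bits/char; hyphenated hostnames sit near 3.7

def shannon_entropy(s):
    """Bits per character of s (0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_query(name):
    """(subdomain, apex) using the last two labels as the apex; a public-suffix list
    would be needed to get names like example.co.uk right."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def label_reasons(label):
    """Per-label signals: encoded data shows up as very long or very high-entropy labels."""
    reasons = []
    if len(label) >= LONG_LABEL:
        reasons.append("label-length")
    if len(label) >= ENTROPY_MIN_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return reasons

def detect(events, max_unique_per_apex=3):
    """Map queryName -> sorted reasons for every query worth alerting on. Besides the
    per-label checks, a tunnel shows up as many distinct subdomains under one apex."""
    flagged = defaultdict(set)
    subs_per_apex = defaultdict(set)
    seen = []
    for ev in events:
        name = ev["win"]["eventdata"]["queryName"]
        sub, apex = split_query(name)
        seen.append((name, sub, apex))
        if not sub:
            continue
        subs_per_apex[apex].add(sub)
        for label in sub.split("."):
            flagged[name].update(label_reasons(label))
    for name, sub, apex in seen:
        if sub and len(subs_per_apex[apex]) >= max_unique_per_apex:
            flagged[name].add("many-unique-subdomains")
    return {name: sorted(r) for name, r in flagged.items() if r}

if __name__ == "__main__":
    for name, reasons in detect(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(reasons)}")
```

The 35-character hyphenated internal hostname stays quiet because its entropy (about 3.7 bits/char) is below the 4.0 threshold, the 13-character CloudFront label stays quiet because it is too short to judge, while the 28-character base64-like label is caught on entropy alone and the hex and base32 labels on length. The rule-language equivalent of the length check is the `{40,}` quantifier; the entropy and per-apex counts need either an integration script or a CDB list fed by one.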
Automated response (Active Response)

```xml
<!-- /var/ossec/etc/ossec.conf on the manager -->
<!-- firewall-drop ships with the agent (active-response/bin/firewall-drop) and is already
     declared in the default ossec.conf; repeated here for completeness -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>
<!-- block the source of rule 100001 (SSH brute force) on the agent that raised it, for one hour -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100001</rules_id>
  <timeout>3600</timeout>
</active-response>
```
```xml
<!-- custom block script: declare the command and bind it to a rule -->
<command>
  <name>block-attacker</name>
  <executable>block-attacker.sh</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <command>block-attacker</command>
  <location>local</location>
  <rules_id>100001</rules_id>
  <timeout>3600</timeout>
</active-response>
```

Since Wazuh 4.0 the agent's execd no longer passes `action user ip` as positional arguments: it writes one JSON message to the script's stdin, and for an `add` the script must answer with a `check_keys` message and wait for `continue` before acting. A script written for the old `$1 $2 $3` interface runs, reads empty variables and silently does nothing.

```bash
#!/bin/bash
# /var/ossec/active-response/bin/block-attacker.sh  (owner root:wazuh, mode 750; requires jq)
LOG=/var/ossec/logs/active-responses.log
read -r INPUT_JSON
COMMAND=$(echo "$INPUT_JSON" | jq -r .command)
SRC_IP=$(echo "$INPUT_JSON" | jq -r .parameters.alert.data.srcip)
# srcip is lifted from a log line the attacker influences: accept only a literal IPv4 address
if ! [[ "$SRC_IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
  echo "$(date) block-attacker: refusing non-IP srcip '$SRC_IP'" >> "$LOG"; exit 1
fi
if [ "$COMMAND" = "add" ]; then
  # ask execd whether this key is already being handled; it replies "continue" or "abort"
  printf '{"version":1,"origin":{"name":"block-attacker","module":"active-response"},"command":"check_keys","parameters":{"keys":["%s"]}}\n' "$SRC_IP"
  read -r RESPONSE
  [ "$(echo "$RESPONSE" | jq -r .command)" = "continue" ] || { echo "$(date) block-attacker: aborted for $SRC_IP" >> "$LOG"; exit 0; }
  iptables -I INPUT -s "$SRC_IP" -j DROP
  echo "$(date) block-attacker: blocked $SRC_IP" >> "$LOG"
elif [ "$COMMAND" = "delete" ]; then
  iptables -D INPUT -s "$SRC_IP" -j DROP
  echo "$(date) block-attacker: unblocked $SRC_IP" >> "$LOG"
fi
```
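Since Wazuh 4.0 the agent's execd hands the alert to active-response scripts as one JSON message on stdin and, for an `add`, expects the script to emit a `check_keys` message and wait for `continue` before acting. The following is an added example, not Wazuh's own script, of that exchange in Python, with `srcip` validated before it reaches iptables and a dry-run helper so the protocol can be exercised without root; the allowlisted ranges, log path and sample messages are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Added example, not Wazuh's own script: a custom active-response handler for Wazuh 4.x, which
passes one JSON message on stdin (no positional arguments) and requires a check_keys round-trip
before an "add" is carried out. NEVER_BLOCK, LOG_PATH and the SAMPLE_* messages are assumptions."""
import io
import ipaddress
import json
import subprocess
import sys
from datetime import datetime

AR_NAME = "block-attacker"
LOG_PATH = "/var/ossec/logs/active-responses.log"       # standard active-response log
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8"),      # assumption: internal ranges that
               ipaddress.ip_network("192.168.0.0/16")]  # must never be firewalled

def validate_ip(value):
    """srcip comes from an attacker-influenced log line. Only a literal, routable,
    non-allowlisted address passes; hostnames, shell metacharacters and RFC1918 are refused."""
    try:
        ip = ipaddress.ip_address(value)
    except (ValueError, TypeError):
        return None
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified or any(ip in n for n in NEVER_BLOCK):
        return None
    return str(ip)

def parse_message(raw):
    """Return (command, srcip) from an execd message; srcip is None when missing or invalid."""
    msg = json.loads(raw)
    alert = msg.get("parameters", {}).get("alert", {})
    return msg.get("command"), validate_ip(alert.get("data", {}).get("srcip"))

def check_keys_message(keys):
    return json.dumps({"version": 1, "origin": {"name": AR_NAME, "module": "active-response"},
                       "command": "check_keys", "parameters": {"keys": keys}})

def firewall_args(command, ip):
    """argv for the firewall change: a list, never a shell string; ip6tables for IPv6."""
    tool = "ip6tables" if ":" in ip else "iptables"
    flag = "-I" if command == "add" else "-D"
    return [tool, flag, "INPUT", "-s", ip, "-j", "DROP"]

def handle(stdin, stdout, run=subprocess.run, log_path=LOG_PATH):
    """Process one execd message; returns the process exit code."""
    raw = stdin.readline()
    if not raw.strip():
        return 1
    command, ip = parse_message(raw)
    if command not in ("add", "delete") or ip is None:
        return 1
    if command == "add":
        # execd answers "continue" if the key is new, "abort" if a timeout for it is already running
        stdout.write(check_keys_message([ip]) + "\n")
        stdout.flush()
        reply = json.loads(stdin.readline() or "{}")
        if reply.get("command") != "continue":
            return 0
    run(firewall_args(command, ip), check=True)
    if log_path:
        with open(log_path, "a") as fh:
            fh.write(f"{datetime.now():%Y/%m/%d %H:%M:%S} {AR_NAME}: {command} {ip}\n")
    return 0

def _execd(command, srcip):
    """Constructed execd message in the 4.x layout (alert trimmed to the fields used here)."""
    return json.dumps({"version": 1, "origin": {"name": "node01", "module": "wazuh-analysisd"},
                       "command": command,
                       "parameters": {"extra_args": [], "program": f"active-response/bin/{AR_NAME}",
                                      "alert": {"rule": {"id": "100001", "level": 10},
                                                "data": {"srcip": srcip}}}})

SAMPLE_ADD = _execd("add", "203.0.113.7")
SAMPLE_DELETE = _execd("delete", "203.0.113.7")
SAMPLE_INJECTION = _execd("add", "203.0.113.7; rm -rf /")   # what a crafted log line could yield

def dry_run(message, reply='{"command":"continue"}'):
    """Push one constructed message (plus execd's reply) through handle() without touching
    iptables or the log. Returns (exit_code, stdout_text, argv_calls)."""
    calls = []
    stdin = io.StringIO(message + "\n" + reply + "\n")
    stdout = io.StringIO()
    rc = handle(stdin, stdout, run=lambda argv, check: calls.append(argv), log_path=None)
    return rc, stdout.getvalue(), calls

if __name__ == "__main__":
    sys.exit(handle(sys.stdin, sys.stdout))
```

Install it as `/var/ossec/active-response/bin/block-attacker` (root:wazuh, mode 750) and reference that name in `<executable>`. The allowlist matters more than it looks: an attacker who can make a log line carry a chosen `srcip` can otherwise use your own active response to firewall the manager, the domain controller or the jump host.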
Comparison table

| Capability | Splunk ES | Wazuh | Graylog |
|---|---|---|---|
| Log collection | Excellent | Excellent | Excellent |
| Real-time alerting | Excellent | Excellent | Good |
| Intrusion detection | UBA add-on | Built in | Plugin |
| FIM | App required | Built in | Plugin |
| Vulnerability management | Basic | Built in | None |
| Compliance reporting | PCI / HIPAA / SOX | PCI / HIPAA / GDPR | Basic |
| Endpoint protection | None | Agent | None |
| Threat intelligence | Add-on | Built in | Plugin |
| Active response | Limited | Built in | None |
| Query language | SPL | OpenSearch DQL/Lucene in the dashboard; REST API for management | Graylog search syntax (Lucene-like) |
| Price | $100K+/year | Free (no licence) | Free (open-source edition) |
FAQ

Q: How much data can Wazuh handle?
A: A single Wazuh Manager with a single-node indexer is comfortable at roughly 50-100 GB of logs per day. Beyond that, deploy a manager cluster and a multi-node indexer.

Q: Does the Wazuh agent hurt endpoint performance?
A: The agent typically uses 50-100 MB of RAM and under 2% CPU. Realtime FIM adds some disk I/O, in proportion to how many directories are watched.

Q: Can Wazuh and Graylog be used together?
A: That is the recommended setup. Wazuh does security analysis and alerting; Graylog does log aggregation and long-term retention. They do not conflict, and Wazuh alerts can be forwarded to Graylog with `<syslog_output>`.
Take the $100K a year you would have spent on Splunk and hire a competent security engineer; that will do more than any commercial SIEM. Security comes down to people, not tools.