Elastic Stack (SIEM)
Elasticsearch + Kibana is the core SIEM in Aithroyz. It ingests logs from Wazuh, Filebeat agents, and other sources, then lets you search, correlate, and alert on events.
Aithroyz deploys Elasticsearch 8.x with security enabled, Kibana pre-configured, and a `kibana_system` user set up automatically. Filebeat is installed on the gateway VM to forward system logs.
Access
URL: https://elastic.<env-name>.ops.aithroyz.com
Port: 443 (HTTPS via Caddy proxy)
Auth: Google SSO first, then Kibana native auth — credentials shown in the Environments detail page
What's pre-configured
- Index lifecycle management (ILM): hot-warm-cold policy for logs with 30-day default retention
- Kibana Security solution: pre-built SIEM dashboards, detection rules, and case management
- Filebeat integration: system logs from all VMs forwarded to Elasticsearch automatically
- Wazuh integration: when Wazuh is also deployed, its alerts appear in the wazuh-alerts-* index
- Demo data: sample SOC events seeded on first startup for exploration and training
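The hot-warm-cold policy listed above is easiest to understand as the JSON that Elasticsearch's ILM API accepts. The following is an added example written for this page, not the policy Aithroyz ships: only the 30-day deletion comes from the docs; the rollover thresholds, the warm and cold transition days, and the policy name are assumptions you can tune.

```python
"""Build and sanity-check a hot-warm-cold ILM policy for log indices.

Added example, not the Aithroyz platform's own policy. The 30-day delete
matches the docs; all other timings (rollover, warm/cold transitions) are
assumed defaults chosen for illustration.
"""
import json
import re


def log_ilm_policy(retention_days=30, warm_after_days=2, cold_after_days=7,
                   rollover_size="50gb", rollover_age_days=1):
    """Return an ILM policy body with hot -> warm -> cold -> delete phases.

    Phase ages are measured from rollover, so the order must be strictly
    increasing or ILM will never reach the later phases as intended.
    """
    if not 0 <= warm_after_days <= cold_after_days < retention_days:
        raise ValueError("phases must be ordered hot -> warm -> cold -> delete")
    return {
        "policy": {
            "phases": {
                "hot": {
                    "min_age": "0ms",
                    "actions": {
                        # Roll to a new backing index when it grows or ages past the limit.
                        "rollover": {"max_primary_shard_size": rollover_size,
                                     "max_age": f"{rollover_age_days}d"},
                        "set_priority": {"priority": 100},
                    },
                },
                "warm": {
                    "min_age": f"{warm_after_days}d",
                    "actions": {
                        # Read-mostly data: compact segments and shards to cut memory use.
                        "forcemerge": {"max_num_segments": 1},
                        "shrink": {"number_of_shards": 1},
                        "set_priority": {"priority": 50},
                    },
                },
                "cold": {
                    "min_age": f"{cold_after_days}d",
                    "actions": {"set_priority": {"priority": 0}},
                },
                "delete": {
                    "min_age": f"{retention_days}d",
                    "actions": {"delete": {}},
                },
            }
        }
    }


def retention_days_of(policy):
    """Read back the effective retention (delete-phase min_age) in days,
    so a reviewer can confirm a policy really drops data when expected."""
    min_age = policy["policy"]["phases"]["delete"]["min_age"]
    match = re.fullmatch(r"(\d+)d", min_age)
    if not match:
        raise ValueError(f"unsupported min_age format: {min_age}")
    return int(match.group(1))


def put_policy_request(name, policy):
    """Return (method, path, body) for the ILM API call that installs the policy.
    Send it with any HTTP client against the cluster's 9200 endpoint."""
    return ("PUT", f"/_ilm/policy/{name}", json.dumps(policy, indent=2))


if __name__ == "__main__":
    policy = log_ilm_policy()
    method, path, body = put_policy_request("aithroyz-logs-30d", policy)  # assumed name
    print(f"{method} {path}\n{body}")
    print(f"effective retention: {retention_days_of(policy)} days")
```

`retention_days_of` is the check worth running after any edit to the policy: a typo such as `"300d"` in the delete phase silently turns 30 days of retention into ten months of storage and exposure.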
Connecting an external Filebeat agent
To ship logs from an external host (e.g. a Windows endpoint) to your Elastic instance:
```yaml
# Install Filebeat on the remote host, then configure:
output.elasticsearch:
  hosts: ["https://elastic.<env-name>.ops.aithroyz.com:9200"]
  username: "elastic"
  password: "<your-elastic-password>"
  # "none" disables certificate verification; prefer "full" and point
  # ssl.certificate_authorities at the CA cert instead.
  ssl.verification_mode: "none"
```
The Elastic password is shown in the Environments detail page under the Credentials section. Click Reveal to view it.
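The snippet above works, but two of its settings are the ones a reviewer flags first: certificate verification is off, and the built-in `elastic` superuser is used for log shipping. The following added example (written for this page, not part of Aithroyz or Filebeat) builds a least-privilege `filebeat_writer` role and user via the Elasticsearch security API, renders a hardened `output.elasticsearch` section with full TLS verification, and audits a config block for the weak settings. The role and user names, the CA path `/etc/filebeat/certs/ca.crt`, and the `filebeat-*` index pattern are assumptions.

```python
"""Least-privilege, TLS-verified Filebeat output for an external host.

Added example, not Aithroyz or Filebeat code. Assumed: role/user name
'filebeat_writer', CA file /etc/filebeat/certs/ca.crt, index pattern filebeat-*.
"""
import base64
import json
import re
import urllib.request

# Privileges Filebeat needs only to publish events. One-time setup tasks
# (loading templates, ILM policies, pipelines) need more and are better run
# once from an admin session than granted to the agent permanently.
FILEBEAT_WRITER_ROLE = {
    "cluster": ["monitor", "read_ilm", "read_pipeline"],
    "indices": [{
        "names": ["filebeat-*"],
        "privileges": ["auto_configure", "create_doc", "view_index_metadata"],
    }],
}


def role_request(role_name="filebeat_writer"):
    """(method, path, body) for creating the role via the security API."""
    return ("PUT", f"/_security/role/{role_name}", json.dumps(FILEBEAT_WRITER_ROLE))


def user_request(user_name, password, role_name="filebeat_writer"):
    """(method, path, body) for creating a user that holds only that role."""
    body = {"password": password, "roles": [role_name]}
    return ("PUT", f"/_security/user/{user_name}", json.dumps(body))


def send(base_url, admin_user, admin_password, request):
    """Send a (method, path, body) tuple with HTTP basic auth; admin-only, run once."""
    method, path, body = request
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(base_url + path, data=body.encode(), method=method,
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def hardened_output(host, user, password, ca_path="/etc/filebeat/certs/ca.crt"):
    """Render output.elasticsearch with the server certificate fully verified."""
    return "\n".join([
        "output.elasticsearch:",
        f'  hosts: ["{host}"]',
        f'  username: "{user}"',
        f'  password: "{password}"',
        '  ssl.verification_mode: "full"',
        f'  ssl.certificate_authorities: ["{ca_path}"]',
    ]) + "\n"


def _parse_flat(config_text):
    """Minimal `key: value` parser (comments and quotes stripped); enough for
    the flat output.elasticsearch block, not a general YAML parser."""
    entries = {}
    for raw in config_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip().strip("\"'")
    return entries


def audit_output_section(config_text):
    """Return findings for the weak settings a defender should not ship with."""
    cfg = _parse_flat(config_text)
    findings = []
    if cfg.get("ssl.verification_mode") == "none":
        findings.append("ssl.verification_mode=none: server certificate is not checked, "
                        "so a spoofed endpoint can capture credentials and logs; use full")
    if cfg.get("username") == "elastic":
        findings.append("username=elastic: built-in superuser used for shipping; "
                        "use a write-only role such as filebeat_writer")
    if "http://" in cfg.get("hosts", ""):
        findings.append("hosts uses http://: credentials and events travel in clear text")
    return findings


# Constructed copy of the docs snippet, used to show what the audit flags.
DOCS_SNIPPET = """\
output.elasticsearch:
  hosts: ["https://elastic.<env-name>.ops.aithroyz.com:9200"]
  username: "elastic"
  password: "<your-elastic-password>"
  ssl.verification_mode: "none" # or provide the CA cert
"""

if __name__ == "__main__":
    for finding in audit_output_section(DOCS_SNIPPET):
        print("FINDING:", finding)
    print(hardened_output("https://elastic.<env-name>.ops.aithroyz.com:9200",
                          "filebeat_writer", "<filebeat-writer-password>"))
```

Create the role and user once with `send(...)` using the admin credentials from the Environments page, then paste the rendered block into the remote host's `filebeat.yml`. If Filebeat reports a certificate error afterwards, the fix is to install the correct CA file at the configured path, not to fall back to `verification_mode: none`.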
Resource requirements
Elastic Stack runs on an e2-standard-2 (2 vCPU, 8 GB RAM) GCE instance. It requires at least 4 GB heap. For heavy log ingestion (millions of events/day), consider requesting a quota increase for larger instances.