Infrastructure Layout
Overview
The SOC SIEM cluster is distributed across 5 physical servers (Proxmox VE). Each server has an SSH alias siem-px1..siem-px5. Each hosts LXC containers (CTs) with dedicated CPU, RAM, and SSD. All servers and containers are in VLAN250 (10.250.0.0/24).
Node Layout
siem-px1 (10.250.0.2) — Wazuh Indexer Primary
Hardware: Intel Xeon Silver 4208, 32 cores, 62 GB RAM, ~426 GB SSD (rpool)
| CT ID | Service | CPU | RAM | SSD | IP | Role |
|---|---|---|---|---|---|---|
| 701 | wazuh-indexer | 8c | 24 GB | 250 GB | 10.250.0.10 | OpenSearch primary node |
| — | Reserve | 24c | 38 GB | ~176 GB | — | — |
siem-px2 (10.250.0.3) — Manager + Case Management
Hardware: Intel Xeon Silver 4210R, 20 cores, 62 GB RAM, ~412 GB SSD (rpool)
| CT ID | Service | CPU | RAM | SSD | IP | Role |
|---|---|---|---|---|---|---|
| 702 | wazuh-manager | 6c | 8 GB | 50 GB | 10.250.0.11 | Log collection, rules, correlation, integrations |
| 710 | thehive | 2c | 8 GB | 30 GB | 10.250.0.30 | Case management (TheHive 4.1.24) |
| 711 | cortex | 2c | 4 GB | 20 GB | 10.250.0.31 | Automated IoC analysis (Cortex 4.0.1) |
| — | Reserve | 10c | 42 GB | ~312 GB | — | — |
siem-px3 (10.250.0.4) — Dashboard + Indexer Replica 1
Hardware: Intel Xeon E-2334, 8 cores, 62 GB RAM, ~424 GB SSD (rpool)
| CT ID | Service | CPU | RAM | SSD | IP | Role |
|---|---|---|---|---|---|---|
| 703 | wazuh-dashboard | 1c | 2 GB | 10 GB | 10.250.0.12 | Wazuh web UI (stateless) |
| 704 | wazuh-indexer-r1 | 4c | 24 GB | 250 GB | 10.250.0.13 | OpenSearch replica 1 |
| — | Reserve | 3c | 36 GB | ~164 GB | — | — |
siem-px4 (10.250.0.5) — Threat Intel + SOAR
Hardware: Intel Xeon E-2334, 8 cores, 62 GB RAM, ~417 GB SSD (rpool)
| CT ID | Service | CPU | RAM | SSD | IP | Role |
|---|---|---|---|---|---|---|
| 706 | misp | 2c | 4 GB | 50 GB | 10.250.0.15 | Threat Intelligence (MISP 2.5.36) |
| 707 | crowdsec | 1c | 1 GB | 10 GB | 10.250.0.16 | CrowdSec LAPI + blocklist-mirror |
| 712 | shuffle | 1c | 4 GB | 20 GB | 10.250.0.32 | SOAR (Shuffle, currently idle) |
| — | Reserve | 4c | 53 GB | ~337 GB | — | — |
siem-px5 (10.250.0.6) — Indexer Replica 2 + Forensics
Hardware: Intel Xeon E-2334, 8 cores, 62 GB RAM, ~425 GB SSD (rpool)
| CT ID | Service | CPU | RAM | SSD | IP | Role |
|---|---|---|---|---|---|---|
| 705 | wazuh-indexer-r2 | 4c | 24 GB | 250 GB | 10.250.0.14 | OpenSearch replica 2 |
| 713 | velociraptor | 2c | 4 GB | 50 GB | 10.250.0.33 | DFIR (Velociraptor 0.76.2) |
| — | Reserve | 2c | 34 GB | ~125 GB | — | — |
Resource Summary
| Resource | Allocated to CTs | Total (5 nodes) | Reserve | % headroom |
|---|---|---|---|---|
| CPU cores | 33c | 76c | 43c | 57% |
| RAM | 107 GB | 310 GB | 203 GB | 65% |
| SSD (CT rootfs) | 960 GB | ~2.1 TB | ~1.1 TB | 54% |
| Containers | 11 | — | — | — |
Wazuh Indexer — 3-node cluster (OpenSearch)
| Node | CT ID | Host | Role | SSD | RAM |
|---|---|---|---|---|---|
| wazuh-indexer (primary) | 701 | siem-px1 | Master + Data | 250 GB | 24 GB |
| wazuh-indexer-r1 (replica) | 704 | siem-px3 | Data | 250 GB | 24 GB |
| wazuh-indexer-r2 (replica) | 705 | siem-px5 | Data | 250 GB | 24 GB |
Total cluster capacity: 750 GB SSD (~375 GB usable with 1 replica).
The 3-node cluster provides:
- Fault tolerance — any single node can fail without data loss
- Read scaling — queries can be served from any replica
- Split-brain protection — 3 nodes = proper quorum (quorum is counted over master-eligible nodes; the indexer table lists the Master role only for CT 701, so this property holds only if r1 and r2 are also configured as master-eligible)
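Whether a node failure is survivable depends on two separate things: how many replica copies each shard has, and how many master-eligible nodes remain to form a majority. The following Python script is an added example (not part of this documentation, and not Wazuh or OpenSearch code) that models both conditions for the layout in the indexer table, plus a constructed `all_master` variant in which every node is master-eligible. The majority rule for cluster-manager election and the rule that a primary and its replica never share a node are OpenSearch behaviour; the function names, the `Node` class and the assumption of one replica per index are the example's own.

```python
"""Node-failure model for a small OpenSearch (Wazuh indexer) cluster.

Added example; not from the SOC documentation and not Wazuh/OpenSearch code.
After a set of nodes goes down it evaluates two independent conditions:

* shard data is intact only while the number of lost data nodes does not
  exceed the replica count (OpenSearch never allocates a primary and its
  replica on the same node; a replica that cannot be placed stays
  unassigned, so the effective replica count is capped at data_nodes - 1);
* a cluster-manager (master) can be elected only while a majority of the
  master-eligible nodes is still up (floor(n/2) + 1).
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Node:
    name: str
    master_eligible: bool
    data: bool


def majority(n: int) -> int:
    """Smallest majority of n voters; zero voters can never form a quorum."""
    return n // 2 + 1 if n > 0 else 1


def assess(nodes: list[Node], failed: set[str], replicas: int) -> dict[str, bool]:
    """Evaluate data safety and master availability with `failed` nodes down."""
    unknown = failed - {n.name for n in nodes}
    if unknown:
        raise ValueError(f"unknown node(s): {sorted(unknown)}")
    data_nodes = [n for n in nodes if n.data]
    # Replicas beyond data_nodes - 1 cannot be allocated and add no protection.
    effective_replicas = min(replicas, max(len(data_nodes) - 1, 0))
    lost_data = sum(1 for n in data_nodes if n.name in failed)
    masters = [n for n in nodes if n.master_eligible]
    masters_up = sum(1 for n in masters if n.name not in failed)
    return {
        "data_intact": lost_data <= effective_replicas,
        "master_available": masters_up >= majority(len(masters)),
    }


def single_failures(nodes: list[Node], replicas: int) -> dict[str, dict[str, bool]]:
    """Outcome of each possible single-node failure, keyed by node name."""
    return {n.name: assess(nodes, {n.name}, replicas) for n in nodes}


def tolerated_failures(nodes: list[Node], replicas: int) -> int:
    """Largest k such that the cluster stays fully functional (both conditions
    hold) after losing ANY k nodes simultaneously."""
    names = [n.name for n in nodes]
    k = 0
    while k < len(names):
        survivable = all(
            all(assess(nodes, set(combo), replicas).values())
            for combo in combinations(names, k + 1)
        )
        if not survivable:
            break
        k += 1
    return k


# Roles as listed in the indexer table: only CT 701 carries the Master role.
documented = [
    Node("wazuh-indexer", master_eligible=True, data=True),
    Node("wazuh-indexer-r1", master_eligible=False, data=True),
    Node("wazuh-indexer-r2", master_eligible=False, data=True),
]
# Constructed alternative for comparison: every node is also master-eligible.
all_master = [Node(n.name, True, True) for n in documented]

if __name__ == "__main__":
    for label, layout in (("documented", documented), ("all_master", all_master)):
        print(f"{label}: tolerates {tolerated_failures(layout, 1)} simultaneous node failure(s)")
        for name, result in single_failures(layout, 1).items():
            print(f"  lose {name}: {result}")
```

With one replica, the documented role assignment keeps every shard available after any single node loss, but losing CT 701 leaves no majority of master-eligible nodes, so `tolerated_failures` reports 0 for it and 1 for the all-master variant. The model covers only shard placement and election quorum; it says nothing about load, disk headroom or recovery time.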
Disk Layout (all nodes)
All 5 nodes use ZFS:
| Pool | Disks | Purpose |
|---|---|---|
| rpool | SSD (stripe or mirror depending on node) | Root FS, container rootfs, Docker volumes |
HDD datapool (warm tier for log rotation) — not yet created. Planned under TASK-092f (retention policy).
Additional Infrastructure
| Service | IP | Purpose |
|---|---|---|
| siem-qnap (QNAP NAS4CD21A) | 10.250.0.7 | SOC backups: NFS mount /mnt/qnap-soc on all 5 nodes. 2×2 TB HDD in RAID0 (striped, no redundancy), 3.1 TB. |
The NFS mount is made persistent via fstab, with the _netdev option so it is mounted only once the network is up. The Proxmox storage qnap-soc-backups is visible on all cluster nodes as a vzdump target.
Last updated: 2026-04-16.