Hardening a Hetzner VPS: fail2ban, SELinux, and Cutting the Noise

The Starting Point

A Fedora 43 VPS on Hetzner. Caddy serving a static site over HTTPS. SSH open on port 22 with public key auth. No fail2ban, SELinux in permissive mode, no automatic updates. Good enough to serve a static site. Not good enough to leave alone.

How Much Noise Is There on Port 22?

The server had been up for 16 days. Before touching anything, I pulled the last 24 hours to get a sense of the baseline noise: ...

March 17, 2026 · 4 min

Forwarding rsyslog to Splunk Without a Universal Forwarder

The Problem

The Splunk Universal Forwarder requires glibc. If your log source is running Alpine Linux, a minimal container, an embedded device, or an IoT gateway, you’re out of luck — those environments use musl libc, and the two are binary-incompatible.

In my home SOC lab I hit this exact wall. The perimeter firewall VM runs Alpine Linux (chosen for its small footprint and scriptability), and it’s running Suricata generating EVE JSON on the lab-facing interface. I needed that data in Splunk, and the UF wasn’t an option. ...

March 7, 2026 · 4 min

Forwarding Syslog to Wazuh with rsyslog

Why rsyslog to Wazuh?

Wazuh normally collects logs through its own agent, but there are situations where syslog forwarding makes more sense:

- The host can’t run the Wazuh agent (embedded systems, appliances, immutable OSes)
- You want visibility fast without deploying an agent
- You’re forwarding from network devices that only speak syslog
- You need a lightweight option for lab or training environments
- To prevent log tampering

rsyslog gives you a quick path to centralized log collection with minimal footprint on the client. ...

March 1, 2026 · 4 min