
Spoiler alert: agent-based. Ran it before; it was a maint burden of the first order.



It's not exactly the surprise of the century that running your own services, let alone a security platform, requires maintenance.

What was it specifically that made it a "maint burden of the first order?"


I have first-hand experience with this product for over 2 years. It is a PITA from an SRE/DevOps security point of view. Things constantly break: the indexes, emailing reports, just general bit rot. The source code is at best a good first attempt, but sorely lacking.

I have built 2 SIEMs from the ground up.


I used their Docker-based installation. Upgraded it a couple of times; it takes me 1h each time (mostly because I am more of a PHB and not a DevOps person).

Never had a single issue with indexes, though we only ingest 500k+ events per day for ~endpoints.

I don’t use email, but notifications via Slack. Never had it fail in one year.

Honestly, I almost feel bad for the amount of value I’m getting for free. So I’m happy to give back: I made an integration that recovers all Google Workspace events (https://github.com/avanwouwe/wazuh-gworkspace), if anyone’s using Wazuh. I also plan on publishing my Chrome extension integration (behavioral analysis, malware and shadow IT detection) in a couple of days!


I have run it for a while and I have yet to successfully upgrade it a single time. I always just end up rebuilding the server to get a new version.


Did you think it was set-and-forget? There is a reason companies have entire SOC teams only looking at EDR and SIEM.

What SIEM did you move to that was less of a burden?


I know of no similar package that isn't agent-based, at least when it comes to endpoints. I'd be happy to hear of an alternative, though.


Why was it a burden?


There is an agentless option that just requires SSH access. Not something I’d prefer from a security point of view, but it’s possible.


Agent-based is not really a big burden; most monitoring systems work like this (Prometheus). Companies use Ansible etc.


Prometheus is not agent-based, though.

