Xloud-Developed — Xloud SIEM is the integrated Security Information and Event Management layer built into the Xloud Platform. It stitches together Wazuh, Lynis, and OpenSCAP into a single dashboard surface and correlates findings against your actual cluster inventory.
What is Xloud SIEM?
Xloud SIEM is the integrated security operations layer on the Xloud Platform. It runs three independent scanners in parallel — Wazuh for host intrusion detection, Lynis for OS-level auditing, and OpenSCAP for CIS / STIG compliance — and surfaces the combined results in two Dashboard views:
- Security Posture — a single pane for agent inventory, vulnerabilities, alerts, compliance scores, encryption status, and microsegmentation.
- Alerts — active security and infrastructure alerts with rules, history, and silences.
Wazuh (HIDS)
Host intrusion detection, file integrity, vulnerability assessment, and rule-based
threat correlation across every VM.
Lynis
300+ on-host security audits with a hardening index score per node and prioritized
remediation guidance.
OpenSCAP
SCAP-based compliance scanning — CIS Benchmarks, DISA STIGs, PCI-DSS, HIPAA, ANSSI
profiles with pass/fail reports.
Prerequisites — Xloud SIEM requires Wazuh to be enabled on the cluster
(XDeploy → Security → HIDS). When Wazuh is disabled, Monitor Center → Security Posture
shows an empty state asking you to enable it.
The Two Dashboard Views
Everything Xloud SIEM exposes in the Dashboard lives in Monitor Center (admin view only):
| Page | What it shows |
|---|---|
| Security Posture | Agent fleet, live alerts, CIS compliance %, vulnerability CVEs, volume encryption status, security-group risk scoring, and cluster health — all in 8 tabs |
| Alerts | Active Alerts, Alert Rules, History, and Silences — unified for both infrastructure (Prometheus) and security (Wazuh) sources |
Security Posture — 8 Tabs
The Security Posture page is the headline view for Xloud SIEM. Every tab aggregates data across the cluster and links back to raw Wazuh, Lynis, or OpenSCAP output.
1. Overview
Four top cards show Active Agents (active/total), Cluster Nodes with manager
version, CIS Compliance as a single %, and Manager type. Below that: per-agent
SCA chart, multi-layer compliance bar chart (Lynis vs OpenSCAP vs Wazuh SCA), and two
stacked progress views for Lynis Hardening Index and OpenSCAP CIS Score per node.
2. Agents
Table of every deployed Wazuh agent with ID, Name, IP, Status (active, disconnected,
pending, never connected), OS, Version, SCA score %, Groups, and Last Seen timestamp.
Filterable by Name and Status.
3. Alerts
Live stream of Wazuh alerts filtered by time window (1h / 6h / 24h / 3d / 7d) and
minimum severity (All 3+ / Medium 5+ / High 8+ / Critical 12+). Columns: Time,
Severity tag, Rule ID, Description, Agent, Source IP.
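As an added illustration (not code from the Xloud docs or platform), the filter below reproduces the Alerts tab's time-window and minimum-severity logic over constructed lines in the standard Wazuh alerts.json layout, mapping rule levels to the Severity tags the page lists. The "Low" tag for levels 3-4 and the rule IDs in the sample are assumptions; the field names (timestamp, rule.level, rule.id, rule.description, agent.name, data.srcip) are Wazuh's own.

```python
import json
from datetime import datetime, timedelta, timezone

# Minimum-severity options of the Alerts tab: All = 3+, Medium = 5+, High = 8+, Critical = 12+.
SEVERITY_MIN = {"all": 3, "medium": 5, "high": 8, "critical": 12}
# Time-window options of the Alerts tab.
WINDOWS = {"1h": timedelta(hours=1), "6h": timedelta(hours=6), "24h": timedelta(hours=24),
           "3d": timedelta(days=3), "7d": timedelta(days=7)}


def _alert(ts, level, rule_id, desc, agent, srcip=None):
    """Build one constructed alerts.json line using Wazuh's standard field layout."""
    a = {"timestamp": ts, "rule": {"level": level, "id": rule_id, "description": desc},
         "agent": {"name": agent}}
    if srcip:  # only some rules (e.g. auth events) carry a source IP
        a["data"] = {"srcip": srcip}
    return json.dumps(a)

# Constructed sample data; rule IDs are in Wazuh's custom range and are placeholders.
SAMPLE_ALERTS = [
    _alert("2024-05-01T11:50:00.000+0000", 12, "100001", "Failed SSH logins then success", "web-01", "203.0.113.7"),
    _alert("2024-05-01T10:00:00.000+0000", 7, "100002", "Package removed from system", "db-01"),
    _alert("2024-05-01T03:00:00.000+0000", 9, "100003", "FIM: /etc/passwd modified", "web-02"),
    _alert("2024-05-01T11:59:00.000+0000", 3, "100004", "Login session opened", "db-01", "10.0.0.5"),
    _alert("2024-04-25T08:00:00.000+0000", 14, "100005", "Rootkit signature detected", "web-01"),
]
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def severity_tag(level: int) -> str:
    """Map a Wazuh rule level to the tag shown in the Severity column."""
    if level >= 12:
        return "Critical"
    if level >= 8:
        return "High"
    if level >= 5:
        return "Medium"
    return "Low"  # assumption: levels 3-4 appear only under the 'All' filter


def filter_alerts(lines, window="24h", min_severity="all", now=NOW):
    """Apply the tab's window and severity filters; return table rows newest first."""
    cutoff, min_level = now - WINDOWS[window], SEVERITY_MIN[min_severity]
    rows = []
    for line in lines:
        alert = json.loads(line)
        ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")  # Wazuh's +0000 style
        level = alert["rule"]["level"]
        if ts < cutoff or level < min_level:
            continue
        rows.append({"time": ts, "severity": severity_tag(level), "rule_id": alert["rule"]["id"],
                     "description": alert["rule"]["description"], "agent": alert["agent"]["name"],
                     "src_ip": alert.get("data", {}).get("srcip", "-")})
    rows.sort(key=lambda r: r["time"], reverse=True)
    return rows
```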
4. Compliance
Per-node matrix combining Lynis Score (out of 100), Warnings, Suggestions,
OpenSCAP %, pass/fail counts, and Wazuh SCA %. Click Why? on any row to
open a modal listing the exact Lynis findings — warnings and suggestions with test
IDs and remediation text.
5. Encryption
Lists every instance with encryption status — Encrypted (all volumes), Unencrypted,
or No volumes. Shows each attached volume with its encryption flag and size, so you
can spot mixed-state VMs immediately.
6. Microsegmentation
Four sub-tabs for the micro-segmentation view:
- Security Groups — every project security group with rule count, ingress / egress counts, a risk score (0-100) with color bar, risk level tag, Wide-Open flag, and suggested fixes.
- Flow Map — allowed VM-to-VM flows listing Source VM, Destination VM, Protocol, Ports, and Via Security Group.
- VM Mapping — each instance with its Status, Host, IPs, attached Security Groups, and Tags.
- Tag Groups — resources clustered by tag, showing Resource Type, Tag, Count, and up to 5 example resources per group.
7. Vulnerabilities
Six counter cards (Total CVEs, Critical, High, Medium, Low, Solved) plus a severity
donut and a “Vulnerabilities by Agent” bar chart. Searchable CVE table with columns:
CVE, Severity, Package, Version, Agent, Status, Description.
8. Cluster
Wazuh cluster topology — Cluster Status, Manager version, Cluster Nodes (master vs
worker count), and Total Agents. Two donut charts break down node types and agent
status. Bottom table lists each cluster node with Name, Type, Version, IP, and Status.
Alerts — Unified Security and Infrastructure View
The Alerts page (Monitor Center → Alerts) consolidates every alert into one interface, regardless of source:
| Tab | Purpose |
|---|---|
| Active Alerts | Currently firing alerts with a Security tag (Wazuh-sourced) or Infrastructure tag (Prometheus-sourced), severity (critical / warning / info), and context |
| Alert Rules | View and edit the rules driving each alert — thresholds, evaluation intervals, notification channels |
| History | Historical alert timeline for audit, incident reviews, and trend analysis |
| Silences | Active silences that suppress noisy alerts during maintenance windows |
Wazuh-detected threats and infrastructure metric alerts (Prometheus) land in the same
table, so operators get a single place to triage events — no tool switching.
For Users
Most Xloud users interact with Xloud SIEM indirectly — their VMs are scanned automatically by the platform's security suite. If you are a non-admin user:
See what's scanned on your VMs
Ask your administrator for a Security Posture export. Every VM’s compliance score,
encryption status, and live alerts are captured in the report.
For Administrators
Xloud SIEM is designed to work out of the box once Wazuh is enabled at deploy time. Typical admin workflows:
Enable Xloud SIEM at deploy time
In XDeploy → Configuration → Monitoring & Logging, toggle Enable Security Suite.
The suite activates Wazuh (HIDS), Lynis (auditing), and OpenSCAP (compliance) on every
cluster node.
Deploy agents to tenant VMs
Use the bundled xavs-ansible role to mass-deploy Wazuh agents across projects. See
the Wazuh page for the exact command and options.
Review Security Posture daily
Open Monitor Center → Security Posture, review the Overview tab for trend
changes, and drill into any node with falling compliance scores using the Why?
link in the Compliance tab.
Triage alerts in real time
Use Monitor Center → Alerts → Active Alerts. The Security tag isolates
Wazuh-originated threats from infrastructure noise.
How the Three Scanners Differ
Each scanner covers a different part of the attack surface; they are complementary, not redundant.
| Capability | Wazuh | Lynis | OpenSCAP |
|---|---|---|---|
| Agent-based live monitoring | Yes | — | — |
| On-host audit script | — | Yes | Yes |
| Real-time alerts | Yes | — | — |
| File integrity monitoring | Yes | — | — |
| CVE / vulnerability scanning | Yes | — | — |
| Hardening index score | Partial | Yes | — |
| CIS Benchmark profiles | Yes | Partial | Yes |
| DISA STIG / PCI-DSS profiles | — | — | Yes |
| MITRE ATT&CK mapping | Yes | — | — |
| XML / HTML compliance reports | — | — | Yes |
Tool Deep-Dives
Wazuh
Architecture, agent deployment via Ansible or manual steps, detection rules, File
Integrity Monitoring configuration, and the Wazuh Dashboard.
Lynis
How the script runs, score interpretation, warnings vs suggestions, per-node and
fleet-wide sweeps, and remediation workflows.
OpenSCAP
Available profiles (CIS L1 / L2, PCI-DSS, HIPAA, ANSSI, STIG), how to run a scan,
reading the XML/HTML reports, and applying the remediation playbooks.
Common Tasks
Check cluster-wide CIS compliance in 30 seconds
Open Monitor Center → Security Posture → Overview. The top-row CIS Compliance
card shows the cluster-wide average across all scanned agents.
Find out why one node's compliance score dropped
In the Compliance tab, locate the node and click Why? next to its row. A modal
lists every Lynis warning and suggestion with test IDs and remediation text.
Spot unencrypted volumes across the fleet
Open the Encryption tab. Any instance tagged Unencrypted has at least one
volume without encryption enabled.
Find high-risk security groups
Open the Microsegmentation → Security Groups tab. Sort by Risk Score descending.
Groups tagged Wide-Open are the most urgent to review.
Export a snapshot for audit
Click Export Report on any Security Posture tab. The download is a timestamped CSV
with agent, compliance, and vulnerability data for the entire cluster.
Investigate a live Wazuh alert
In Security Posture → Alerts, expand the row to see the rule description and source
IP. Click Wazuh Dashboard in the top-right to jump to the native UI for deeper
forensic queries.
Next Steps
Wazuh Deep Dive
Architecture, agent deployment, ruleset, File Integrity Monitoring
Lynis Deep Dive
Run audits, interpret the hardening index, fleet sweeps
OpenSCAP Deep Dive
Compliance profiles, scan commands, report formats, remediation
Compliance and Auditing
SOC 2, ISO 27001, HIPAA, PCI-DSS, GDPR frameworks at the platform level