Implementation of Wazuh Custom Decoders and Rules for Security Incident Detection in Golang-based Applications in a Kubernetes Architecture

Indianto, Muhammad Bimatara (2026) Implementation of Wazuh Custom Decoders and Rules for Security Incident Detection in Golang-based Applications in a Kubernetes Architecture. Other thesis, Institut Teknologi Sepuluh Nopember.

5025221260-Undergraduate_Thesis.pdf - Accepted Version
Restricted to Repository staff only


Abstract

The transformation toward a Kubernetes-based cloud-native architecture has recently become an industry standard in modern application development. However, the built-in logging mechanism of Kubernetes has limitations, because the data it produces is scattered and unstructured, which makes it difficult to identify cyber attack patterns automatically. Using a Security Information and Event Management (SIEM) system such as Wazuh is an alternative solution, but the standard configuration often fails to parse the logs of specific applications, so threat detection becomes ineffective. This research designs an incident detection pipeline that uses Fluent Bit as the log collector and Wazuh Custom Decoders to normalize Golang application logs into structured fields. Based on that data, Custom Rules are applied to detect cyber attack threats such as SQLi, XSS and LFI, as well as behavioural anomalies such as Web Enumeration and IDOR. The results show that the system is able to detect all attack scenarios accurately, with an average detection delay of about 2.2 seconds. However, performance testing shows a decline in system performance. Using only the log collector feature reduces processing capacity minimally, by 4.86 requests/s from the initial (baseline) condition. In contrast, enabling all security detection features together with notification delivery (Scenario S3) reduces processing capacity sharply, by 42.35 requests/s compared to the baseline. This research concludes that a centralized SIEM architecture provides comprehensive security visibility, but requires an appropriate resource allocation strategy to maintain performance stability in a production environment.
=================================================================================================================================
The transformation towards Kubernetes-based cloud-native architecture has recently become an industry standard in modern application development. However, the default logging mechanism in Kubernetes has limitations, as the generated data is distributed and unstructured, making it difficult to automatically identify cyber attack patterns. The use of Security Information and Event Management (SIEM) systems such as Wazuh serves as an alternative solution, yet standard configurations often fail to parse logs from specific applications, rendering threat detection ineffective. This research designs an incident detection pipeline using Fluent Bit as a log collector and Wazuh Custom Decoders to normalize Golang application logs into structured fields. Based on these data, Custom Rules are applied to detect cyber threats such as SQLi, XSS, LFI, and behavioral anomalies including Web Enumeration and IDOR. The results indicate that this implementation accurately detects all attack scenarios with an average detection latency of 2.2 seconds. Nevertheless, performance testing reveals a significant trade-off: while the logging pipeline integration (S1) introduces a throughput overhead of 4.8%, the full activation of security detection features (S2) reduces application throughput by up to 42% compared to the baseline condition. This study concludes that although a centralized SIEM architecture provides comprehensive security visibility, it requires proper resource allocation strategies to maintain performance stability in production environments.
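The abstract describes the pipeline only at the level of stages (Fluent Bit ships the Golang application's log lines, a Wazuh custom decoder turns each line into named fields, and custom rules match on those fields). The following Python model is an added example, not code or configuration from the thesis; Wazuh's real decoders and rules are XML, but the logic is the same: the `REGEX_RULES` play the role of stateless `<regex>` rules, and the enumeration and IDOR checks play the role of `<frequency>`/`<timeframe>` rules. The JSON field names (`ts`, `client_ip`, `uri`, `status`, `user_id`), the rule ids, levels, patterns and thresholds, and the sample log lines are all assumptions constructed for the example.

```python
# Added example (not from the thesis): a toy model of the log pipeline described in
# the abstract. A Golang web app is assumed to emit one JSON log line per request;
# decode() plays the Wazuh custom decoder, RuleEngine plays the custom rules.
import json
import re
from collections import defaultdict, deque
from urllib.parse import unquote

# Stateless rules, the analogue of a Wazuh <regex> rule over a decoded field.
# Rule ids sit in the range Wazuh leaves free for local rules (100000+); the
# patterns and levels are illustrative and deliberately narrow.
REGEX_RULES = [
    (100010, 12, "SQL injection attempt in request URL",
     re.compile(r"(?i)(union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table)")),
    (100011, 10, "XSS payload in request URL",
     re.compile(r"(?i)(<script\b|javascript:|\b(onerror|onload)\s*=)")),
    (100012, 10, "Local file inclusion / path traversal attempt",
     re.compile(r"(\.\./){2,}|/etc/passwd")),
]

# Stateful rules, the analogue of Wazuh <frequency> + <timeframe> rules.
WINDOW = 60.0          # seconds
ENUM_THRESHOLD = 5     # 404 responses to one source IP inside WINDOW
IDOR_THRESHOLD = 3     # distinct other users' object ids read by one account
USER_OBJECT = re.compile(r"^/api/users/(\d+)")


def decode(line):
    """Decoder stage: one JSON log line -> normalized fields (None if undecodable)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None                                # Wazuh would leave it undecoded
    return {
        "ts": float(rec.get("ts", 0)),             # epoch seconds (assumed format)
        "srcip": rec.get("client_ip", ""),
        "method": rec.get("method", ""),
        "url": unquote(rec.get("uri", "")),        # undo %xx so rules see the real payload
        "status": int(rec.get("status", 0)),
        "user_id": str(rec.get("user_id", "")),    # authenticated account, "" if anonymous
    }


class RuleEngine:
    def __init__(self):
        self.notfound = defaultdict(deque)   # srcip -> timestamps of recent 404s
        self.foreign = defaultdict(dict)     # user_id -> {object_id: last seen ts}

    def evaluate(self, ev):
        """Return the alerts raised by one decoded event, in rule order."""
        alerts = []
        for rule_id, level, desc, rx in REGEX_RULES:
            if rx.search(ev["url"]):
                alerts.append({"rule_id": rule_id, "level": level,
                               "description": desc, "srcip": ev["srcip"]})

        # Web enumeration: many 404s from one source inside the window.
        if ev["status"] == 404:
            q = self.notfound[ev["srcip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) == ENUM_THRESHOLD:     # fire once, when the threshold is crossed
                alerts.append({"rule_id": 100020, "level": 8,
                               "description": "Web enumeration: repeated 404s from one source",
                               "srcip": ev["srcip"]})

        # IDOR: one account successfully reads several other users' objects.
        m = USER_OBJECT.match(ev["url"])
        if m and ev["status"] == 200 and ev["user_id"] and m.group(1) != ev["user_id"]:
            seen = self.foreign[ev["user_id"]]
            seen[m.group(1)] = ev["ts"]
            for oid in [o for o, t in seen.items() if ev["ts"] - t > WINDOW]:
                del seen[oid]
            if len(seen) == IDOR_THRESHOLD:
                alerts.append({"rule_id": 100021, "level": 9,
                               "description": "Possible IDOR: account reads other users' objects",
                               "srcip": ev["srcip"]})
        return alerts


def run(lines):
    """Feed raw log lines through decoder and rules; return all alerts in order."""
    engine, alerts = RuleEngine(), []
    for line in lines:
        ev = decode(line)
        if ev is not None:
            alerts.extend(engine.evaluate(ev))
    return alerts


def _req(ts, ip, uri, status, user_id=""):
    return json.dumps({"ts": ts, "client_ip": ip, "method": "GET",
                       "uri": uri, "status": status, "user_id": user_id})


# Constructed sample log (not real traffic): one benign request, three injection-style
# requests, one unparseable line, five probes for missing paths, and one account
# walking through other users' ids.
SAMPLE_LOG = [
    _req(1000, "10.0.0.5", "/api/users/42", 200, "42"),
    _req(1001, "203.0.113.7", "/api/items?id=1'%20OR%20'1'%3D'1", 500),
    _req(1002, "203.0.113.7", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", 200),
    _req(1003, "203.0.113.7", "/download?file=../../../etc/passwd", 403),
    "this line is not JSON and is dropped by the decoder",
] + [_req(1010 + i, "198.51.100.9", p, 404)
     for i, p in enumerate(["/admin", "/backup.zip", "/.env", "/old", "/test"])
] + [_req(1020 + i, "10.0.0.5", f"/api/users/{43 + i}", 200, "42") for i in range(3)]

if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(a["rule_id"], a["level"], a["srcip"], a["description"])
```

Two design points carry over to a real Wazuh deployment: the decoder URL-decodes the request before the rules see it, otherwise percent-encoded payloads slip past every `<regex>`; and the behavioural rules fire exactly once when the count crosses the threshold rather than on every subsequent event, which keeps alert volume (and the notification overhead the abstract measures in Scenario S3) bounded.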

Item Type: Thesis (Other)
Uncontrolled Keywords: Custom Decoder, Custom Rules, Fluent Bit, Golang, Kubernetes, Wazuh
Subjects: Q Science > QA Mathematics > QA76.9.A25 Computer security. Digital forensic. Data encryption (Computer science)
T Technology > T Technology (General) > T58.5 Information technology. IT--Auditing
Divisions: Faculty of Intelligent Electrical and Informatics Technology (ELECTICS) > Informatics Engineering > 55201-(S1) Undergraduate Thesis
Depositing User: Muhammad Bimatara Indianto
Date Deposited: 12 Jun 2026 06:14
Last Modified: 12 Jun 2026 06:14
URI: http://repository.its.ac.id/id/eprint/133742
