Case Study

Running Bivoxy in Production with Five Connected Security Devices

This page summarizes a real Bivoxy deployment using only measurable details across licensing, device connectivity, log collection, and operations.

Deployment scope

The production deployment includes five connected security devices. It collects telemetry from FortiGate, Wazuh, and syslog sources while managing license entitlement, device onboarding, and reporting through the same operational flow.

Operational objective

The goal is not raw log accumulation but context across devices. VPN sessions, firewall actions, and host signals are evaluated through the same analysis chain.

Architecture diagram

FortiGate sources -> Reliable Syslog/TLS -> Bivoxy ingest
Wazuh sources     -> Agent/manager telemetry -> Bivoxy normalize
Syslog sources    -> TCP syslog -> Bivoxy parser

Bivoxy pipeline:
ingest -> normalization -> enrichment -> scenario detection -> reporting

Anonymized log example

date=2026-07-15 time=09:22:31 devname=FGT-PROD-01 srcip=198.51.100.24 dstip=10.10.4.20 action=deny service=SSLVPN user=anon.user policyid=42
normalized.source.ip=198.51.100.24 normalized.action=deny normalized.event.category=vpn normalized.device.type=fortigate

Daily EPS and detection scenarios

In this deployment, daily event rate changes by device and working pattern; the observed production range is approximately 15-80 EPS. Detection scenarios include VPN brute-force, new IPsec endpoint detection, risky country context, admin login anomaly, and FortiGate policy deny spikes.

Setup time

For a five-source production setup, validating the first log flow and seeing the initial dashboards can be completed within the same day. Parser adjustments, custom alarm rules, and reporting agreements are finalized according to the organization’s needs.

Screenshots and architecture

Screenshots used in the case study are published with customer names, public IPs, and user identifiers anonymized. The dashboard view shows activity summary, VPN sessions, active events, and device filtering in the same interface.

[FortiGate #1-#3] -- TLS Syslog --> [Bivoxy ingest]
[Wazuh manager]  -- events -----> [Bivoxy normalize]
[Generic syslog] -- TCP -------> [Bivoxy parser]

Normalize -> Enrich -> Detect -> Notify -> Report

Case Study

Five-device production snapshot

Connected devices

5

Data sources

FortiGate + Wazuh + Syslog

License model

License-based

Production deployment with five connected security devices, including FortiGate and Wazuh data sources. Devices are managed under a license-based model, and collection, normalization, and reporting run through the same workflow.

FAQ

Are the details on this page a demo?

No. This summary describes the five-device live deployment model using measurable details.

Running Bivoxy in Production with Five Connected Security Devices | Bivoxy