Security
Education/Non Profit

3 people, 64 billion events: How Vrije Universiteit Brussel rebuilt security operations on Elastic

  • 64B
    Events indexed across VUB's on-premises Elastic deployment
  • 315
    Elastic Agents deployed across Windows and Linux servers university-wid
  • 31
    Logstash data feeds unifying network, firewall, DNS, VPN, and server logs in one place
  • 3
    Engineers currently running SIEM operations day to day
  • 3 mos → 1+ yr
    Target data retention baseline under VUB's new tiered storage strategy

Vrije Universiteit Brussel (VUB) runs a fully on-premises Elastic deployment across 33 servers and more than 300 endpoints. It is moving from a stalled, three-person SIEM to an AI-assisted security operations model built on Elastic Security, the same platform extending into Elastic Observability for HPC and application monitoring.

Summary

Vrije Universiteit Brussel is a public research university where academic freedom results in a highly decentralized estate. It features thousands of researchers running their own systems, sensitive research, personal data, and a three-person central security function. VUB consolidated logs from firewalls, proxies, DNS, VPN, authentication, and Windows and Linux servers onto a self-managed Elastic deployment and then built detection and investigation on top of it. Today, three engineers operate detection and investigation across 64 billion events and 300+ servers, and a rogue device that once caused close to a full day of network instability would now be detected and located in minutes. That centralized visibility is the foundation for VUB's CyFUN and NIS2 compliance program.

Securing a decentralized campus with a very small team

Vrije Universiteit Brussel (VUB) runs on academic freedom, and that principle shapes its technology estate. Researchers install the systems they need, high-performance computing sits alongside everyday campus IT, and much of the environment is, by design, not centrally managed. The data on those systems is sensitive: research output, personal data, and information that falls squarely under NIS2.

Providing enterprise-grade detection and monitoring across an environment this decentralized, with a central three-person security function, is the core challenge VUB set out to solve. The pressure to solve it has grown. As a largely government-funded institution, VUB has had to absorb public budget constraints, which means using the resources it has more efficiently. At the same time, the CyFUN and NIS2 program coordinated by the Centre for Cybersecurity Belgium has made centralized security monitoring, detection, and incident response a regulatory requirement, not an aspiration.

"Academic freedom means our departments and research groups have the flexibility to operate their own systems and technologies. Our challenge is to provide consistent security visibility and detection across a highly diverse environment without limiting that flexibility. That's what makes our environment both challenging and rewarding to secure."

– Xavier Tomaszynski, Network Security ICT Consultant, Vrije Universiteit Brussel

From scattered syslog to a security platform

The team needed a central repository for logs from its Linux server estate to replace scattered syslog servers and facilitate troubleshooting and incident review. They began with the open source version of Elasticsearch as a small proof of concept, drawn to its fast search across large log volumes, its ingestion through Logstash, and purpose-built Beats such as Filebeat, Metricbeat, and Packetbeat. The platform was easy to understand, well documented, and supported by a strong open source community through blogs, forums, and webinars. Once teams could centralize their logs, the platform became vital to business operations, including high-performance computing, much sooner than anticipated.

Observability came first and security followed. In 2021, the team made a deliberate decision to build an actual security capability on the foundation they already had, rather than buy a separate product. Before Elastic, there was no real centralized logging or analysis at all: log files lived locally on individual servers, with no way to search or correlate across them. That made early incident detection and structured response difficult, and made demonstrating compliance harder.

Before: Investigations without a central source of truth

Before consolidating on Elastic, VUB's security and operational data was fragmented across the systems that produced it. Logs sat locally on individual servers. Correlating an event across the firewall, the proxy, DNS, and authentication meant pulling from separate places by hand, if the data had been kept at all. For a team this size, that fragmentation was the real constraint. The problem was not a lack of effort, but a lack of a single place to ask a question and get an answer across the whole environment.

The consequences were practical. Investigations were slow because context had to be assembled from scattered sources. Early detection of anomalies was limited, because no system had the whole picture. And demonstrating compliance, increasingly important under CyFUN and NIS2, was difficult without centralized, correlatable evidence.

Architecture: 1 platform, the whole campus

VUB runs Elastic fully on-premises, a deliberate choice for an environment with sensitive research and personal data. The deployment aggregates and normalizes data from across the campus: Palo Alto firewalls, F5 proxy servers, Infoblox DNS, Ivanti VPN, authentication systems, and both Windows and Linux servers. Logstash and Elastic Agent collect and normalize that data into a unified view, which is what turns a decentralized estate into something a single engineer can reason about.

Storage is managed deliberately rather than expanded freely. Because adding disk capacity is not always straightforward, the team uses index lifecycle management to balance data retention and storage capacity. Retention periods are tuned for each data source, allowing more feeds to be onboarded within the same footprint by shortening the lifespan of less critical data.

Technical highlights

  • The Elasticsearch cluster now has 15 total nodes, including 8 data nodes: 6 across the hot and warm tiers, and 2 new nodes forming the first frozen tier
  • 31 Logstash data feeds spanning network, F5, DNS, firewall, servers, and applications
  • 315 Elastic Agents deployed across Windows and Linux servers
  • 50 TB cluster capacity, with 20 TB to 30 TB in use
  • 64 billion events under management
  • 22 active policies ensuring consistent security configurations across the estate
  • 21 integrations unifying diverse data sources into a single source of truth
  • Three-month baseline retention, extended to one year for high-performance computing data
  • Index lifecycle management tuned for each data source to balance storage retention and capacity

What the platform makes possible

Centralized detection across network data

VUB's detection focus is network-centric, drawing on logs from F5, Palo Alto, DNS, VPN, and authentication alongside Windows and Linux servers. Centralizing these sources is what makes anomalies, misconfigurations, and potential incidents visible at all, where previously they would have stayed hidden inside isolated systems. The team relies extensively on Watchers, a long-standing alerting mechanism they find highly reliable, to surface issues such as misconfigurations, routing problems, and duplicate ARP requests, and increasingly complements them with Elastic Security detection rules wherever the necessary integrations and data feeds are in place. Custom dashboards displayed on a dedicated monitoring wall give the team an at-a-glance view of the environment.

Faster answers for teams beyond security

The same platform pays off in daily operations. The network team troubleshoots faster with centralized visibility across firewalls, proxies, DNS, and routing. With Elastic, the operations team gets the answers and context they need faster, reducing troubleshooting time.

Practical questions — why a user account is locked in Azure AD, why a web application is unreachable through F5, why the network is behaving a certain way — are answered in one place rather than chased across systems. Machine learning on DNS traffic surfaces anomalies and emerging issues earlier than the team could spot them manually.

Adoption across teams grew gradually, and grew fastest when the platform solved a concrete problem someone already had. Over time Elastic has increasingly become a shared source of truth across IT, networking, and operations.

"Elastic enables a very small team to operate security monitoring at university scale. The operational efficiency gained from centralized visibility is far more significant than any single investigation-time metric."

– Xavier Tomaszynski, Network Security ICT Consultant, Vrije Universiteit Brussel

A rogue DHCP server, found before the network went down

The value of centralized visibility and real-time detection became concrete the day a department connected a rogue DHCP server to the network. It triggered broadcast storms and caused network instability that lasted close to a full day. VUB's SIEM detected the anomaly immediately, identified exactly where the rogue server was connected, and sent an alert before parts of the monitoring environment became unstable. What could have been another day of manual hunting was instead a matter of minutes from detection to location.

The episode changed a habit as much as it solved a problem. The first reflex during an incident became a single question: What does the platform tell us? For a team operating at this ratio of people to systems, that shift, from assembling context by hand to starting from a central source of truth, is the operating-model change that matters most.

"The rogue DHCP server was detected almost immediately, and we could identify exactly where it was connected before the network instability spread further. Instead of spending valuable time manually tracing the source, we could immediately focus on resolving the issue. That experience reinforced the value of centralized visibility — today, our first step during an incident is to check what Elastic is telling us."

– Xavier Tomaszynski, Network Security ICT Consultant, Vrije Universiteit Brussel

Maintenance to mastery: Scaling understanding, not just data

VUB is candid that the journey has not been linear. In 2024, a major F5 migration consumed the team's capacity, and the security platform entered a period of maintenance: still running, still ingesting, but not improving. The lesson the team draws from that period is a sharp one. They had a platform, but they did not yet have security operations. Scaling data is not the same as scaling understanding.

That reframing now drives the roadmap. The team describes their evolution as moving from collecting and maintaining data toward understanding it; shifting from simply storing events to explaining what is happening in their environment.

Before and after


BeforeAfter
Alert managementAd hoc review; no central place to see or correlate alerts across systemsWatchers on network data surface issues automatically; alerts land in one place
Operational effortContext assembled by hand from logs scattered across individual serversQuestions answered from a single source of truth across IT, networking, and operations
Investigation flowSlow, because data had to be gathered from separate systems if it was kept at allFast search and correlation across 64 billion events from one platform
Institutional knowledgeLocked in individual systems and individual peopleA shared, centralized SIEM increasingly used as a source of truth across teams
Incident detectionLimited early detection; no system held the whole pictureAnomalies such as a rogue DHCP server detected and located in minutes
Compliance postureHard to demonstrate; no centralized, correlatable evidenceCentralized visibility underpins CyFUN and NIS2 compliance work

 

What comes next?

VUB upgraded to an Enterprise license to take the next steps and is approaching them with clear eyes about the tradeoffs. The priorities for 2026 center on turning a well-instrumented platform into mature security operations.

  • ECS normalization across all data feeds, so any event is understandable by anyone, detections are portable, and data is ready for AI-assisted analysis.
  • Tiered storage using frozen tiers to extend retention from a three-month baseline toward a year or more, keeping research and compliance data available at lower cost
  • AI-assisted investigation to act as a force multiplier for a three-person operation, summarizing alerts, correlating events, and explaining detections, with the team making the judgment calls.
  • Threat intelligence feeds to enrich alerts and improve detection, an area the team is building maturity in.
  • Application performance monitoring adopted from the start of new development projects, so observability is built in by design.

VUB is realistic about AI in particular. The Elastic AI Agent works with an external large language model, which raises real questions about data protection and cost in an academic setting where sensitive data cannot simply be sent to an outside service. The team is evaluating how to adopt it securely, including approaches like retrieval augmented generation (RAG) that protect data before it reaches a model. Elastic's model-agnostic approach, including the option of on-premises and air-gapped models, is directly relevant to that evaluation.

Vrije Universiteit Brussel is a public research university serving thousands of students and researchers across a deliberately open, decentralized estate. Your organization may not be running 64 billion events across a campus like VUB's today, but the same principles apply whether you are starting with a handful of data sources or scaling to a multi-tier deployment: Centralize the data first, normalize it so it can be understood, and build detection and investigation on a foundation you control.

See how Elastic Security helps small teams run security operations at scale, or start now with a free trial.

Topics: Elastic Security, SIEM, Elastic Observability, Elasticsearch, Logstash, Elastic Agent, Filebeat, Metricbeat, Packetbeat, Index Lifecycle Management, tiered storage, on-premises deployment, NIS2, CyFUN, anomaly detection, log analytics, Education/Non-Profit