MedNamouchi/SIEM-MikroTik-Wazuh-Graylog — reverse-engineered prompt

Reverse-engineered prompt

Build me a complete SIEM setup for a small MikroTik network. I want six MikroTik CHR routers in an EVE-NG lab sending security logs securely to Graylog, then Graylog should organize the logs into useful streams like firewall, login, system, auth, and info, and pass a copy to Wazuh so it can detect suspicious login behavior and brute-force attempts.

Please include the actual MikroTik logging config, TLS certificate steps, Graylog setup and stream rules, rsyslog forwarding on localhost, and Wazuh decoders, rules, and alerting setup. The logs should use CEF over TLS into Graylog, then Wazuh should read the saved MikroTik log file through the agent and send encrypted events to the manager. I also want email and Mattermost alerts for serious detections.

Make it usable as both a lab guide and a production-style reference, with clear steps, config files, troubleshooting notes, and a simple architecture diagram. Look up current docs online if needed.