# Wazuh — Open Source XDR & SIEM Security Platform

> Wazuh is a unified open-source security platform that combines SIEM, XDR, and cloud-security posture management, powered by a lightweight agent on every endpoint.

## Quick Use

```bash
# Single-node deployment (server + indexer + dashboard) with the official installer
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash ./wazuh-install.sh -a

# Install an agent on a Linux endpoint
curl -sO https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.3-1_amd64.deb
sudo WAZUH_MANAGER="10.0.0.10" dpkg -i wazuh-agent_4.7.3-1_amd64.deb
sudo systemctl enable --now wazuh-agent

# Open the dashboard at https:// and log in as "admin"
```

## Introduction

Wazuh grew out of the classic OSSEC host intrusion detection project and today is a full security operations platform. It bundles log analysis, file integrity monitoring, vulnerability detection, configuration assessment, threat intelligence, and incident response into a single stack — all open source under the GPLv2.

## What Wazuh Does

- Runs agents on Windows, Linux, macOS, AIX, Solaris, and HP-UX that stream security events to the manager.
- Performs file integrity monitoring, rootcheck, system inventory, and SCA (CIS benchmarks).
- Correlates logs with 4000+ built-in rules mapped to MITRE ATT&CK techniques.
- Detects vulnerabilities by matching installed packages against CVE feeds.
- Executes active responses (firewall block, process kill, user disable) on the endpoint.

## Architecture Overview

Three services make up the platform. The **Wazuh manager** receives agent data, runs the analysis engine, and stores alerts. The **Wazuh indexer** is a fork of OpenSearch used for long-term storage and querying. The **Wazuh dashboard** is a forked OpenSearch Dashboards with Wazuh-specific apps.
Agents talk to the manager over TLS on port 1514/1515; the indexer and dashboard are reachable over HTTPS.

## Self-Hosting & Configuration

- Use `wazuh-install.sh -a` for a quick all-in-one box, or `-wi`/`-s`/`-d` for distributed roles.
- For Kubernetes, deploy via the official `wazuh-kubernetes` manifests or Helm chart.
- Cluster mode: add worker managers with a `cluster` section in `ossec.conf` for HA event ingestion.
- Tune rule/decoder sets under `/var/ossec/etc/rules/local_rules.xml` and reload with `wazuh-control restart`.
- Integrate with Slack, Jira, PagerDuty, VirusTotal, and MISP via built-in integration scripts.

## Key Features

- Free, open-source SIEM + XDR + FIM + SCA + Vulnerability Detection in one stack.
- Pre-built MITRE ATT&CK mapping, compliance dashboards (PCI DSS, HIPAA, NIST 800-53, GDPR).
- Cloud security: AWS CloudTrail, GuardDuty, Azure, GCP, Microsoft 365, and Docker/Kubernetes audit logs.
- Active response framework for automated containment directly on endpoints.
- Role-based access control and SAML SSO in the dashboard.

## Comparison with Similar Tools

- **Elastic Security / ELK SIEM** — richer ML but requires paid tiers for features Wazuh gives away.
- **Splunk** — extremely powerful, commercial; Wazuh is the open-source, self-hosted alternative.
- **OSSEC** — the HIDS Wazuh forked from; Wazuh adds UI, SIEM, compliance, and modern packaging.
- **Security Onion** — distribution bundling Suricata + Wazuh + ELK; different scope, complementary.
- **CrowdStrike / SentinelOne** — closed-source EDR SaaS; Wazuh gives you EDR-style telemetry on-prem.

## FAQ

**Q: Is Wazuh really fully open source?**
A: Yes. Server, agents, indexer, and dashboard are all GPLv2/Apache 2 licensed — no paid edition required.

**Q: How heavy is the agent?**
A: Typically 30–60 MB RAM and minimal CPU; configurable modules let you disable what you don't need.

**Q: Can it replace my commercial SIEM?**
A: For many mid-market orgs, yes.
Enterprise buyers often use Wazuh alongside a SOC service for 24/7 coverage.

**Q: Does it support Windows event logs natively?**
A: Yes — the agent ships EventChannel collection and parses Sysmon events into rich alerts.

## Sources

- https://github.com/wazuh/wazuh
- https://documentation.wazuh.com

---

Source: https://tokrepo.com/en/workflows/c2ce4716-38ce-11f1-9bc6-00163e2b0d79
Author: AI Open Source
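As an added example of the `local_rules.xml` tuning mentioned under Self-Hosting & Configuration (written for this page, not taken from the Wazuh project), the fragment below suppresses sshd authentication failures from an authorized scanner and correlates repeated failures from one source into a single MITRE-tagged brute-force alert. It assumes 5716 is Wazuh's built-in "sshd: authentication failed" rule, uses custom IDs 100010/100011 from the user-reserved 100000-119999 range, and the scanner address 10.0.0.20 is a constructed placeholder; the threshold and time window are illustrative, not Wazuh defaults.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml (not Wazuh project code). -->
<!-- Custom rule IDs must fall in the user range 100000-119999. -->
<group name="local,sshd,authentication_failed,">

  <!-- Suppress failures coming from an authorized vulnerability scanner.
       10.0.0.20 is a constructed placeholder. Level 0 means the event is
       matched but never alerted, so these events do not feed the frequency
       count of rule 100010 below. -->
  <rule id="100011" level="0">
    <if_sid>5716</if_sid>
    <srcip>10.0.0.20</srcip>
    <description>sshd: authentication failure from the authorized scanner, ignored (custom).</description>
  </rule>

  <!-- Correlate repeated sshd failures (built-in rule 5716) from the same
       source IP inside a 120 s window into one brute-force alert.
       frequency and timeframe are illustrative values for this example. -->
  <rule id="100010" level="10" frequency="8" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_srcip />
    <description>sshd: repeated authentication failures from the same source IP (custom brute-force rule).</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>brute_force,</group>
  </rule>

</group>
```

Check the rules against a sample sshd line with `/var/ossec/bin/wazuh-logtest` before applying them with `wazuh-control restart`.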