Configs · April 15, 2026 · 1 min read

Wazuh — Open Source XDR & SIEM Security Platform

Wazuh is a unified open-source security platform that combines SIEM, XDR, and cloud-security posture management, powered by a lightweight agent on every endpoint.

Introduction

Wazuh grew out of the classic OSSEC host intrusion detection project and today is a full security operations platform. It bundles log analysis, file integrity monitoring, vulnerability detection, configuration assessment, threat intelligence, and incident response into a single stack — all open source under the GPLv2.

What Wazuh Does

  • Runs agents on Windows, Linux, macOS, AIX, Solaris, and HP-UX that stream security events to the manager.
  • Performs file integrity monitoring, rootcheck, system inventory, and SCA (CIS benchmarks).
  • Correlates logs with 4000+ built-in rules mapped to MITRE ATT&CK techniques.
  • Detects vulnerabilities by matching installed packages against CVE feeds.
  • Executes active responses (firewall block, process kill, user disable) on the endpoint.
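The manager writes every matched rule to an alerts.json stream, and the built-in integrations (Slack, PagerDuty, and so on) are small scripts that consume one such alert at a time. The following is an added example, not code from the Wazuh project, showing how a custom integration would parse that stream, keep only alerts above a level threshold or tagged with given ATT&CK technique ids, and shape them into a Slack-style payload. It assumes the alerts.json field layout (rule.level, rule.mitre.id, agent.name) and that Wazuh passes the single-alert file path as argv[1] to a custom integration script; the sample alerts are constructed, and the rule ids and descriptions in them are illustrative.

```python
"""Added example (not Wazuh project code): triage alerts from the manager's
alerts.json stream and build a Slack-style payload, the way a custom
integration script under /var/ossec/integrations would.

Assumptions: Wazuh invokes a custom integration with the path of a
single-alert JSON file as argv[1]; field names follow the alerts.json layout
(rule.level, rule.mitre.id, agent.name, ...). Sample alerts are constructed.
"""
import json
import sys
from typing import Iterable, Optional

# Constructed sample lines in the alerts.json layout (not real telemetry).
SAMPLE_ALERTS = [
    json.dumps({"timestamp": "2026-04-15T10:00:01.000+0000",
                "rule": {"level": 10, "id": "5712",
                         "description": "sshd: brute force trying to get access to the system.",
                         "groups": ["syslog", "sshd", "authentication_failures"],
                         "mitre": {"id": ["T1110"], "tactic": ["Credential Access"],
                                   "technique": ["Brute Force"]}},
                "agent": {"id": "001", "name": "web-01"},
                "data": {"srcip": "203.0.113.7"}}),
    json.dumps({"timestamp": "2026-04-15T10:00:05.000+0000",
                "rule": {"level": 3, "id": "5715",
                         "description": "sshd: authentication success.",
                         "groups": ["syslog", "sshd", "authentication_success"]},
                "agent": {"id": "002", "name": "db-01"},
                "data": {"srcip": "10.0.0.12", "dstuser": "ops"}}),
    json.dumps({"timestamp": "2026-04-15T10:01:10.000+0000",
                "rule": {"level": 12, "id": "100050",
                         "description": "Shell spawned by web server process (custom rule).",
                         "groups": ["local", "process"],
                         "mitre": {"id": ["T1059.004"], "tactic": ["Execution"],
                                   "technique": ["Unix Shell"]}},
                "agent": {"id": "001", "name": "web-01"},
                "data": {"parent": "nginx", "command": "/bin/sh"}}),
    "not json at all",  # a corrupt line: the parser must skip it, not crash
]


def parse_alerts(lines: Iterable[str]) -> list[dict]:
    """Parse newline-delimited JSON; skip blank or malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "rule" in obj:
            alerts.append(obj)
    return alerts


def techniques_of(alert: dict) -> set[str]:
    """ATT&CK technique ids attached to the rule, empty if the rule has no mapping."""
    return set(alert.get("rule", {}).get("mitre", {}).get("id", []))


def should_notify(alert: dict, min_level: int = 7,
                  techniques: Optional[set[str]] = None) -> bool:
    """Keep alerts at or above min_level; if techniques is given, also require a match."""
    level = int(alert.get("rule", {}).get("level", 0))
    if level < min_level:
        return False
    if techniques is None:
        return True
    return bool(techniques_of(alert) & set(techniques))


def build_slack_payload(alert: dict) -> dict:
    """Shape one alert into a Slack incoming-webhook style message body."""
    rule = alert["rule"]
    agent = alert.get("agent", {})
    mitre = ", ".join(sorted(techniques_of(alert))) or "n/a"
    return {
        "text": f"[L{rule['level']}] {rule['description']}",
        "attachments": [{"fields": [
            {"title": "Agent", "value": f"{agent.get('name', '?')} ({agent.get('id', '?')})"},
            {"title": "Rule", "value": str(rule.get("id", "?"))},
            {"title": "ATT&CK", "value": mitre},
            {"title": "Timestamp", "value": alert.get("timestamp", "")},
        ]}],
    }


def triage(lines: Iterable[str], min_level: int = 7,
           techniques: Optional[set[str]] = None) -> list[dict]:
    """Parse, filter and format: returns one payload per alert worth notifying."""
    return [build_slack_payload(a) for a in parse_alerts(lines)
            if should_notify(a, min_level, techniques)]


if __name__ == "__main__":
    # Wazuh hands a custom integration the single-alert file as argv[1];
    # without one, run over the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            payloads = triage(fh.readlines())
    else:
        payloads = triage(SAMPLE_ALERTS)
    for payload in payloads:
        print(json.dumps(payload, indent=2))
```

Filtering on rule.mitre.id rather than on the free-text description keeps the integration stable across rule updates, and skipping malformed lines matters because a stuck integration silently drops every later alert.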

Architecture Overview

Three services make up the platform. The Wazuh manager receives agent data, runs the analysis engine, and stores alerts. The Wazuh indexer is a fork of OpenSearch used for long-term storage and querying. The Wazuh dashboard is a forked OpenSearch Dashboards with Wazuh-specific apps. Agents talk to the manager over TLS on port 1514/1515; the indexer and dashboard are reachable over HTTPS.

Self-Hosting & Configuration

  • Use wazuh-install.sh -a for a quick all-in-one box, or -wi/-s/-d for distributed roles.
  • For Kubernetes, deploy via the official wazuh-kubernetes manifests or Helm chart.
  • Cluster mode: add worker managers via the cluster section of ossec.conf for highly available event ingestion.
  • Tune rule/decoder sets under /var/ossec/etc/rules/local_rules.xml and reload with wazuh-control restart.
  • Integrate with Slack, Jira, PagerDuty, VirusTotal, and MISP via built-in integration scripts.
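Because a bad local_rules.xml is only discovered when the manager fails to start after wazuh-control restart, it pays to lint the file first. The following is an added example, not Wazuh project code, that checks a local rules fragment for the mistakes that most often break a restart: rule ids outside the range reserved for custom rules, duplicate ids, levels outside 0-16, missing descriptions, and if_sid references that point at nothing. It assumes custom rule ids live in 100000-120000, that built-in rule ids are supplied by the caller as known_ids, and that the file may hold several top-level group elements; the XML is a constructed sample.

```python
"""Added example (not Wazuh project code): sanity-check a local_rules.xml
fragment before restarting the manager.

Assumptions: custom rule ids occupy the 100000-120000 range reserved for
user rules; levels run 0-16; an if_sid must reference a rule that is either
built-in (passed as known_ids) or defined in the same file. The sample XML
below is constructed for this example.
"""
import xml.etree.ElementTree as ET

CUSTOM_ID_RANGE = range(100000, 120001)

# Constructed sample: two good rules, one id collision, one rule with two faults.
SAMPLE_LOCAL_RULES = """<group name="local,sshd,">
  <rule id="100010" level="10">
    <if_sid>5712</if_sid>
    <description>SSH brute force escalated for the example.</description>
    <mitre><id>T1110</id></mitre>
  </rule>
  <rule id="100011" level="3">
    <if_sid>100010</if_sid>
    <description>Child rule referencing a custom parent.</description>
  </rule>
  <rule id="5712" level="10">
    <description>Collides with a built-in rule id.</description>
  </rule>
  <rule id="100012" level="20">
    <if_sid>999999</if_sid>
    <description>Bad level and dangling if_sid.</description>
  </rule>
</group>
"""


def _rule_ids(root: ET.Element) -> set[int]:
    """All integer rule ids defined in the parsed fragment."""
    ids = set()
    for rule in root.iter("rule"):
        try:
            ids.add(int(rule.get("id", "")))
        except ValueError:
            pass
    return ids


def validate_local_rules(xml_text: str, known_ids=frozenset()) -> list[str]:
    """Return a list of human-readable problems; an empty list means the file looks sane."""
    # local_rules.xml holds one or more <group> elements with no single root, so wrap it.
    try:
        root = ET.fromstring(f"<rules>{xml_text}</rules>")
    except ET.ParseError as exc:
        return [f"XML parse error: {exc}"]

    problems: list[str] = []
    seen: set[int] = set()
    resolvable = set(known_ids) | _rule_ids(root)

    for rule in root.iter("rule"):
        raw_id = rule.get("id", "")
        try:
            rid = int(raw_id)
        except ValueError:
            problems.append(f"rule {raw_id!r}: id is not an integer")
            continue
        if rid not in CUSTOM_ID_RANGE:
            problems.append(f"rule {rid}: id outside the custom range 100000-120000")
        if rid in seen:
            problems.append(f"rule {rid}: duplicate id in this file")
        seen.add(rid)

        try:
            level = int(rule.get("level", ""))
        except ValueError:
            level = -1
        if not 0 <= level <= 16:
            problems.append(f"rule {rid}: level {rule.get('level')!r} not in 0-16")

        if rule.find("description") is None:
            problems.append(f"rule {rid}: missing <description>")

        # if_sid may list several parents separated by commas.
        for sid_el in rule.findall("if_sid"):
            for sid in (s.strip() for s in (sid_el.text or "").split(",") if s.strip()):
                if not sid.isdigit() or int(sid) not in resolvable:
                    problems.append(f"rule {rid}: if_sid {sid} does not resolve to a known rule")
    return problems


if __name__ == "__main__":
    # 5712 stands in for the built-in rule set; in practice pass the ids of
    # the shipped ruleset you depend on.
    for problem in validate_local_rules(SAMPLE_LOCAL_RULES, known_ids={5712}):
        print(problem)
```

Run it against the real file with the ids from the shipped ruleset before each restart; the range check also catches the common mistake of shadowing a built-in rule by reusing its id instead of using a custom id with a parent reference.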

Key Features

  • Free, open-source SIEM + XDR + FIM + SCA + Vulnerability Detection in one stack.
  • Pre-built MITRE ATT&CK mapping, compliance dashboards (PCI DSS, HIPAA, NIST 800-53, GDPR).
  • Cloud security: AWS CloudTrail, GuardDuty, Azure, GCP, Microsoft 365, and Docker/Kubernetes audit logs.
  • Active response framework for automated containment directly on endpoints.
  • Role-based access control and SAML SSO in the dashboard.

Comparison with Similar Tools

  • Elastic Security / ELK SIEM — richer ML but requires paid tiers for features Wazuh gives away.
  • Splunk — extremely powerful, commercial; Wazuh is the open-source, self-hosted alternative.
  • OSSEC — the HIDS Wazuh forked from; Wazuh adds UI, SIEM, compliance, and modern packaging.
  • Security Onion — distribution bundling Suricata + Wazuh + ELK; different scope, complementary.
  • CrowdStrike / SentinelOne — closed-source EDR SaaS; Wazuh gives you EDR-style telemetry on-prem.

FAQ

Q: Is Wazuh really fully open source? A: Yes. Server, agents, indexer, and dashboard are all GPLv2/Apache 2 licensed — no paid edition required.

Q: How heavy is the agent? A: Typically 30–60 MB RAM and minimal CPU; configurable modules let you disable what you don't need.

Q: Can it replace my commercial SIEM? A: For many mid-market orgs, yes. Enterprise buyers often use Wazuh alongside a SOC service for 24/7 coverage.

Q: Does it support Windows event logs natively? A: Yes — the agent ships EventChannel collection and parses Sysmon events into rich alerts.
