Wazuh: When You Need a Real SIEM and Can’t Afford to Fake It
What Is It?
Wazuh is the kind of tool you end up with when off-the-shelf log collectors don’t cut it anymore. It’s open-source, aggressive on features, and brutally honest about what it does: host-based intrusion detection, file integrity, log analysis, vulnerability checks — all stitched together in one (very configurable) stack.
Originally forked from OSSEC, Wazuh grew into something much heavier, but smarter. You get full access to every rule, every decoder, every trigger. It’s loud if you let it be. But once you tune it, it becomes a serious piece of infrastructure — not just something that throws alerts, but something you can investigate with.
Capabilities
| Feature | Why It Matters |
| --- | --- |
| FIM + HIDS | Watches for changes to key system files and catches tampering early |
| Log Intake & Correlation | Parses syslog, Event Logs, auditd, journald, even cloud logs |
| Vulnerability Detection | Compares software versions to known CVEs |
| Custom Rules Engine | Write logic that fits *your* infra — not just pre-canned detections |
| Active Response | Kills connections, bans IPs, runs scripts when alerts hit |
| SIEM Backend | Ships with OpenSearch or Elastic + Kibana dashboards |
| Cloud Hooks | Talks to AWS, Azure, GCP — pulls logs and asset inventories |
| Agent Network | Lightweight agents report back in real time |
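To make the FIM and active-response rows concrete, here is an `ossec.conf` fragment added to this write-up; it is not taken from the Wazuh documentation or from the page above. The watched directories, the local rule id 100001 and the 10-minute timeout are assumptions for illustration; the `firewall-drop` command is one of the stock response scripts that the default `ossec.conf` already declares, so only the `<active-response>` block needs adding.

```xml
<ossec_config>
  <!-- File integrity monitoring: the "FIM + HIDS" row of the table -->
  <syscheck>
    <disabled>no</disabled>
    <!-- Full scan every 12 hours (seconds); realtime below catches changes in between -->
    <frequency>43200</frequency>
    <!-- Assumed watch list: trim or extend it for the hosts you actually deploy on.
         report_changes keeps a diff of text files so the alert shows *what* changed. -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes">/root/.ssh,/etc/ssh</directories>
    <!-- Paths that churn constantly would otherwise drown the alert stream -->
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>
  </syscheck>

  <!-- Active response: the "Active Response" row. Blocks the offending source
       address on the agent that raised the alert, then releases it on timeout. -->
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <!-- local = run on the agent whose event matched; "server" or "all" are the other options -->
    <location>local</location>
    <!-- Assumed local correlation rule (ids 100000 and up are reserved for custom rules) -->
    <rules_id>100001</rules_id>
    <!-- Unblock after 10 minutes so a spoofed source address cannot lock a real host out for good -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

The timeout is the part worth thinking about: a response that never expires turns a single false positive into a self-inflicted outage, and an attacker who can forge source addresses in the logs you ingest can weaponise it against you. Start with short timeouts and a narrow `<rules_id>` list, and widen only once the triggering rule has proven quiet.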
Deployment Notes
– Not plug-and-play: There’s a script that sets it up, sure — but tuning takes effort.
– Linux at the core: The main stack (manager, indexer, dashboard) runs best on Ubuntu/Debian.
– Windows supported, but verbose: Agents run fine, but logs come fast — expect noise until filtered.
– Best used in clusters: Anything above ~200 agents should be split across manager/indexer nodes.
– Needs resources: 4 vCPUs + 8 GB RAM just to get started, and requirements climb quickly from there.
Setup Workflow (One-Node Example)
1. Run the install

```bash
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash wazuh-install.sh -a
```
2. Log in
– Dashboard: https://localhost:5601
– Default creds are provided at setup.
3. Deploy agents
– Linux: install via package manager, register with manager IP.
– Windows: MSI installer from official site, or manual key pairing.
4. Cut the noise
– Start disabling rules that don’t fit your use case.
– Set thresholds, group policies, and alert suppression as needed.
5. Add integrations
– Cloud logs, custom inputs, syslog pipelines, SIEM forwarding — all available.
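Step 4 is where most of the effort goes, so here is a `local_rules.xml` added as a worked example for this write-up (not the project's shipped ruleset and not from the page). It assumes the manager path `/var/ossec/etc/rules/local_rules.xml`, that stock rule 5710 is the sshd "non-existent user" rule in the ruleset version you run (check before copying the id), that 10.0.0.0/24 is an internal scanner subnet you deliberately ignore, and that rule id 100001 is the same local id an active-response block would reference.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (assumed path on the manager) -->
<group name="local,sshd,">

  <!-- Muting, the documented way: a child rule at level 0 wins over its parent,
       so the parent alert is dropped only when this rule's conditions also match.
       Here the noise is an assumed internal scanner subnet; everything else still alerts. -->
  <rule id="100010" level="0">
    <if_sid>5710</if_sid>
    <srcip>10.0.0.0/24</srcip>
    <description>Muted locally: sshd invalid-user noise from the internal scanner range</description>
  </rule>

  <!-- Threshold correlation: fire once per source when six authentication failures
       of any kind land within 60 seconds. Keying on the group instead of a rule id
       means it survives ruleset upgrades that renumber individual sshd rules.
       Level 10 so it stands out in the dashboard and can drive an active response. -->
  <rule id="100001" level="10" frequency="6" timeframe="60">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_source_ip />
    <description>Local: 6+ failed logins from $(srcip) within 60 s</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>local_bruteforce,authentication_failures,</group>
  </rule>

</group>
```

After editing, run `/var/ossec/bin/wazuh-logtest` against a few real log lines before restarting the manager; it shows which rule each line lands on and whether the level-0 child actually swallows the parent. Tune in this order: mute by source first, raise thresholds second, and only then delete rules outright, because a muted rule still counts toward correlation while a deleted one is gone from every dependent rule.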
Where It’s Useful
– You need visibility across Windows, Linux, containers, cloud — without buying a commercial SIEM.
– Security wants audit trails, and infra wants something scriptable.
– You’re replacing patchwork scripts and log tailing with something central.
– You want alerts with depth — not just that something happened, but what happened around it.
– The compliance team wants PCI-DSS and file integrity reports that don’t look like placeholders.