Free open-source security monitoring platform providing unified XDR and SIEM with file integrity monitoring, vulnerability detection, and compliance assessment.
# Wazuh
Wazuh is a free, open-source unified security platform that combines extended detection and response (XDR) with security information and event management (SIEM) capabilities in a single deployable stack. It exists because most organizations require continuous visibility into endpoint activity, log data, file integrity, and configuration posture, but cannot justify the licensing costs of commercial SIEM platforms. Wazuh solves the coverage gap between expensive enterprise tools and having no centralized monitoring at all. Originally forked from OSSEC in 2015, the platform has matured into a production-grade solution trusted by thousands of organizations across government, healthcare, financial services, and critical infrastructure sectors. It collects, normalizes, correlates, and alerts on security-relevant data from across an environment, giving security teams the situational awareness they need to detect intrusions, assess risk, and respond to incidents.
---
Wazuh is an open-source security monitoring platform that provides log analysis, intrusion detection, file integrity monitoring (FIM), vulnerability detection, security configuration assessment (SCA), and active incident response through a unified architecture. It is classified simultaneously as a host-based intrusion detection system (HIDS), a log management platform, and an XDR solution depending on how it is deployed and what integrations are active.
Wazuh is distinct from standalone SIEM products such as Splunk or IBM QRadar in several important ways. First, it ships with its own lightweight agent that performs detection logic at the endpoint, rather than relying solely on passive log forwarding. Second, it includes native active response capabilities that can execute countermeasures automatically without requiring a separate SOAR platform. Third, it is entirely free under the GNU General Public License, with no licensing fees for any feature set.
Wazuh is not a network intrusion detection system (NIDS). It does not inspect network packet payloads or analyze east-west traffic flows natively. It is not a vulnerability scanner in the active probing sense; its vulnerability detection module correlates installed software versions against CVE databases rather than sending probes across the network. It is also not a replacement for endpoint detection and response (EDR) tools that perform deep behavioral analysis with machine learning models, though it does cover significant EDR-adjacent ground through its FIM and syscall auditing capabilities.
Deployment variants include agent-based monitoring for Windows, Linux, and macOS endpoints; agentless monitoring for network devices via syslog; and cloud-native integrations with AWS, Azure, and Google Cloud Platform through native APIs. The platform also integrates with threat intelligence feeds through its VirusTotal and MISP connectors, extending its detection capability beyond the built-in rule set.
---
Wazuh operates through a four-component architecture: the Wazuh Agent, the Wazuh Manager, the Wazuh Indexer, and the Wazuh Dashboard.
Agent collection and local analysis
The Wazuh Agent is installed on monitored endpoints and runs continuously with a small footprint, typically a few tens of megabytes of RAM. It performs several functions at once. It collects operating system, application, and security event logs from native sources such as the Windows Event Log, Linux syslog, and the macOS unified logging system. Its FIM module (syscheck) watches designated file paths and Windows registry keys for changes, recording file attributes and MD5, SHA-1, and SHA-256 hashes (all three are computed when check_all is enabled, which the shipped configuration does). Its inventory module (syscollector) records running processes, open ports, installed packages, and network interfaces, and its rootcheck module looks for hidden processes, hidden ports, and known rootkit signatures. On Linux systems it can also read auditd events, which yields granular syscall activity such as file access, privilege escalation attempts, and process execution chains.
Agents communicate with the Wazuh Manager over a persistent TCP connection (port 1514 by default) encrypted with AES using the pre-shared key established at enrollment. Events are forwarded in near real time. If the manager is unreachable, the agent queues events in a local buffer (the client_buffer setting, 5,000 events by default) and flushes it when connectivity returns; if the buffer fills before that, further events are dropped and the agent reports that its buffer is full, so buffer sizing matters on hosts that log heavily.
Manager analysis engine
The Wazuh Manager is the central processing brain. When events arrive from agents, the manager's analysis engine runs them through a multi-stage pipeline. First, pre-decoders extract basic fields such as timestamp, hostname, and program name. Second, decoders parse the raw event format, whether that is a Windows XML event, a JSON log from an application, or a plain-text syslog line, into normalized fields. Third, the rule engine evaluates the decoded event against a rule set that includes over 3,000 out-of-the-box rules and can be extended with custom rules written in XML.
Rules are hierarchical and support chaining. A single failed SSH login produces a low-severity alert. A burst of failures from the same source address within a short window (say, ten within sixty seconds) triggers a higher-severity brute-force rule that takes the earlier alerts as its input: in rule XML this is expressed with if_matched_sid pointing at the single-failure rule, same_source_ip, and frequency and timeframe thresholds. This correlation logic is native to the rule engine and needs no separate analytics layer.
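The sliding-window logic behind that rule chain, as an added example that is not Wazuh's code: a pre-decoder and a base rule run over constructed sshd lines, and a frequency rule counts base matches per source IP inside a timeframe, the same shape as if_matched_sid plus same_source_ip, frequency and timeframe. The rule IDs (100100, 100101), thresholds, and log lines are this example's own inventions; only the XML element names in the comments are Wazuh's.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines, not real data. ISO timestamps are used so the
# example does not depend on the current year the way classic syslog does.
SAMPLE_LOG = """\
2024-03-01T10:00:01 srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
2024-03-01T10:00:03 srv1 sshd[2203]: Failed password for root from 203.0.113.7 port 41024 ssh2
2024-03-01T10:00:05 srv1 sshd[2205]: Failed password for root from 198.51.100.9 port 50001 ssh2
2024-03-01T10:00:06 srv1 sshd[2207]: Failed password for root from 203.0.113.7 port 41026 ssh2
2024-03-01T10:00:08 srv1 sshd[2209]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2
2024-03-01T10:00:09 srv1 sshd[2211]: Failed password for invalid user test from 203.0.113.7 port 41028 ssh2
2024-03-01T10:00:12 srv1 sshd[2213]: Failed password for root from 203.0.113.7 port 41030 ssh2
2024-03-01T10:00:40 srv1 sshd[2215]: Failed password for root from 198.51.100.9 port 50003 ssh2
2024-03-01T10:05:00 srv1 sshd[2301]: Failed password for root from 203.0.113.7 port 41100 ssh2
"""

# Pre-decoder: timestamp, host, program; the message is left for the rule.
DECODER = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>sshd)\[\d+\]: (?P<msg>.*)$")

# Hypothetical rule IDs in the 100000+ range that local rules use.
BASE_RULE = {
    "id": 100100, "level": 5,
    "match": re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+) port"),
    "description": "sshd: authentication failed",
}
# Equivalent of <if_matched_sid>100100</if_matched_sid>, <same_source_ip/>,
# <frequency>5</frequency> and <timeframe>60</timeframe> in a Wazuh rule.
FREQ_RULE = {
    "id": 100101, "level": 10, "parent": 100100,
    "frequency": 5, "timeframe": 60, "same_field": "srcip",
    "description": "sshd: brute force attempt from a single source",
}


def decode(line):
    """Split a raw line into the fields the rules key on; None if it is not sshd."""
    m = DECODER.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def run_rules(log_text, base_rule=BASE_RULE, freq_rule=FREQ_RULE):
    """Evaluate the base rule per line, then the frequency rule over a sliding window."""
    windows = defaultdict(deque)  # same_field value -> timestamps of parent matches
    alerts = []
    for line in log_text.splitlines():
        ev = decode(line)
        if ev is None:
            continue
        m = base_rule["match"].search(ev["msg"])
        if not m:
            continue
        ev.update(m.groupdict())
        alerts.append({"rule": base_rule["id"], "level": base_rule["level"],
                       "srcip": ev["srcip"], "user": ev["user"], "ts": ev["ts"]})
        # Composite rule: count parent matches sharing the same source IP that
        # fall inside the timeframe ending at this event.
        key = ev[freq_rule["same_field"]]
        window = windows[key]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > freq_rule["timeframe"]:
            window.popleft()
        if len(window) >= freq_rule["frequency"]:
            alerts.append({"rule": freq_rule["id"], "level": freq_rule["level"],
                           "srcip": key, "count": len(window), "ts": ev["ts"],
                           "description": freq_rule["description"]})
            window.clear()  # one burst yields one composite alert, not one per extra failure
    return alerts


def alerts_for_rule(alerts, rule_id):
    return [a for a in alerts if a["rule"] == rule_id]


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

The window is cleared when the composite fires so that a long brute-force run produces one high-severity alert per burst; the second source (198.51.100.9) never reaches the threshold and the late failure at 10:05 starts a new, empty window.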
File integrity monitoring in practice
A concrete example: a healthcare organization uses Wazuh to monitor its Linux application servers. The FIM module is configured to watch /etc/passwd, /etc/shadow, and /var/www/html with who-data enabled (whodata="yes", which relies on auditd on Linux) rather than the default scheduled scan, which would only notice a change on its next pass. An attacker who has gained a foothold through a web shell modifies /var/www/html/index.php to add a persistent backdoor. Within seconds the agent reports the change with the file's previous and new hashes, and the who-data fields identify the process that wrote it (the web server process running as www-data or an equivalent unprivileged account). The manager fires its integrity-checksum-changed rule and the analyst receives an alert with the file path, the hashes before and after, the modifying process name and ID, and the user context. This is actionable forensic data, not a raw log entry requiring further enrichment. Two caveats: who-data attributes the change only if auditing is working on the host, and a hash comparison says that the content changed, not what changed; enabling report_changes="yes" on text-heavy directories captures a diff of the modified file as well.
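What a syscheck-style scan actually compares, as an added example that is not Wazuh's code: a baseline of hashes is built for a constructed document root, the root is tampered with, and a rescan emits added, deleted, and modified events carrying both hashes. The scenario deliberately restores the modified file's timestamps (timestomping) to show why the comparison must be on content hashes and not on mtime. The directory layout, file contents, and event field names are this example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, size and mtime for every regular file under root (one scan)."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path), "size": st.st_size, "mtime_ns": st.st_mtime_ns}
    return baseline


def diff_baseline(before, after):
    """Compare two scans and emit added / deleted / modified events with both hashes."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            events.append({"event": "added", "path": rel, "sha256_after": after[rel]["sha256"]})
        elif rel not in after:
            events.append({"event": "deleted", "path": rel, "sha256_before": before[rel]["sha256"]})
        elif before[rel]["sha256"] != after[rel]["sha256"]:
            events.append({"event": "modified", "path": rel,
                           "sha256_before": before[rel]["sha256"],
                           "sha256_after": after[rel]["sha256"],
                           "mtime_changed": before[rel]["mtime_ns"] != after[rel]["mtime_ns"]})
    return events


def demo():
    """Constructed scenario: scan a document root, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        www = Path(tmp, "var", "www", "html")
        www.mkdir(parents=True)
        index = www / "index.php"
        index.write_text("<?php echo 'hello'; ?>\n")
        (www / "about.html").write_text("<h1>About</h1>\n")
        before = build_baseline(tmp)

        # The attacker appends to index.php, then restores its timestamps so an
        # mtime-only check sees nothing. The appended text is an inert marker
        # standing in for injected code.
        st = index.stat()
        with open(index, "a") as f:
            f.write("<?php /* constructed backdoor marker */ ?>\n")
        os.utime(index, ns=(st.st_atime_ns, st.st_mtime_ns))
        (www / "about.html").unlink()
        (www / ".cache.php").write_text("<?php /* constructed dropped file */ ?>\n")

        after = build_baseline(tmp)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The modified event reports mtime_changed as False while the two SHA-256 values differ, which is exactly the case a timestamp-based check misses. Who made the change is not recoverable from a scan at all; that is what the who-data mode adds on top of this comparison.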
Vulnerability detection
Vulnerability detection combines the package inventory that the agent's syscollector module collects (package names and versions for each host) with vulnerability feeds maintained on the manager, drawn from the National Vulnerability Database (NVD) and vendor advisories (Canonical, Debian, Red Hat, Microsoft, and others). If a server is running OpenSSL 1.1.1s when CVE-2023-0286 is fixed in 1.1.1t (and in 3.0.8 on the 3.0 branch), the manager generates a vulnerability finding that includes the CVE identifier, severity score, affected package, and the version that resolves it. This gives security teams a continuously updated view of unpatched exposure across the estate without running active scans. The vendor feeds matter: distribution packages often carry backported fixes under the original upstream version number, so matching on the NVD version range alone would flag a patched Debian or RHEL package as still vulnerable.
Security configuration assessment
The SCA module evaluates endpoint configurations against policy files written in YAML. Wazuh ships with policies mapped to CIS Benchmarks for Windows 10, Windows Server 2019, Ubuntu, RHEL, and other common platforms. An SCA scan checks items such as whether remote registry access is disabled, whether the firewall is enabled, and whether audit policies are configured according to baseline standards. Each check produces a pass, fail, or not-applicable result with a remediation description, and a check's outcome is the combination (all, any, or none) of its rules, each of which points a pattern at a file, directory, command output, process list, or registry key. Custom policies use the same format. The SCA score gives a quantitative measure of configuration hygiene for each endpoint.
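A minimal evaluator for that check model, as an added example that is not Wazuh's SCA engine: a constructed policy in the shape an SCA YAML file decodes to, with file rules written in the "f:<path> -> r:<regex>" convention, is run against a constructed sshd_config under a temporary root. The regex flavor here is Python's re rather than the engine's own syntax, only file rules are implemented, and the check IDs, titles, and scoring are this example's own.

```python
import re
import tempfile
from pathlib import Path

# Constructed policy (the dict form of an SCA YAML file). "!r:" negates the
# pattern match; a leading "not" negates the whole rule.
POLICY = {
    "policy": {"id": "sshd_example", "name": "Constructed SSH hardening checks"},
    "checks": [
        {"id": 90001, "title": "Root login over SSH is disabled", "condition": "all",
         "rules": [r"f:/etc/ssh/sshd_config -> r:^\s*PermitRootLogin\s+no\s*$"],
         "remediation": "Set PermitRootLogin no in sshd_config."},
        {"id": 90002, "title": "Password authentication is disabled", "condition": "all",
         "rules": [r"f:/etc/ssh/sshd_config -> r:^\s*PasswordAuthentication\s+no\s*$"],
         "remediation": "Set PasswordAuthentication no in sshd_config."},
        {"id": 90003, "title": "Empty passwords are not permitted", "condition": "none",
         "rules": [r"f:/etc/ssh/sshd_config -> r:^\s*PermitEmptyPasswords\s+yes"],
         "remediation": "Remove PermitEmptyPasswords yes from sshd_config."},
    ],
}

RULE_RE = re.compile(r"^(?P<neg>not )?f:(?P<file>\S+) -> (?P<rneg>!?)r:(?P<regex>.+)$")


def eval_rule(rule, root):
    """True if the file under root has a line matching the pattern (subject to negations)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    path = Path(root) / m["file"].lstrip("/")
    found = False
    if path.is_file():  # a missing file never satisfies a positive match
        pattern = re.compile(m["regex"])
        found = any(pattern.search(line) for line in path.read_text().splitlines())
    result = (not found) if m["rneg"] else found
    return (not result) if m["neg"] else result


def run_checks(policy, root):
    """Evaluate every check; returns {check_id: 'passed' | 'failed'}."""
    results = {}
    for check in policy["checks"]:
        outcomes = [eval_rule(r, root) for r in check["rules"]]
        passed = {"all": all(outcomes), "any": any(outcomes),
                  "none": not any(outcomes)}[check["condition"]]
        results[check["id"]] = "passed" if passed else "failed"
    return results


def score(results):
    """Percentage of passed checks, the figure the SCA dashboard summarises."""
    if not results:
        return 0
    return round(100 * sum(v == "passed" for v in results.values()) / len(results))


def demo():
    """Constructed host: root login off, passwords still on, empty passwords commented out."""
    with tempfile.TemporaryDirectory() as root:
        cfg = Path(root, "etc", "ssh", "sshd_config")
        cfg.parent.mkdir(parents=True)
        cfg.write_text("Port 22\nPermitRootLogin no\nPasswordAuthentication yes\n"
                       "# PermitEmptyPasswords yes\n")
        return run_checks(POLICY, root)


if __name__ == "__main__":
    results = demo()
    print(results, score(results))
```

The commented-out PermitEmptyPasswords line is the point of the third check: the anchored pattern does not match a line that starts with "#", so a "none" condition passes, whereas a loose substring search would have failed the host for a directive that is not in effect.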
Active response
When defined thresholds are crossed, the active response module can execute scripts on the agent host. A common configuration triggers an IP block via iptables or Windows Firewall when the brute-force detection rule fires. More sophisticated configurations can quarantine a compromised host by removing it from a network segment, disable a user account in Active Directory, or send a webhook to a ticketing system. Active response scripts are fully customizable and can be written in Python, Bash, or PowerShell. Because the response is automatic, it is also a denial-of-service surface: an attacker who can spoof or relay the source address that trips the rule can make the defender block it. Responses should carry a timeout so blocks expire, the manager's global white_list should exclude management hosts and internal ranges, and anything that touches identity, such as disabling an account, should require a second signal before it runs.
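A firewall-block response with those guards built in, as an added example that is not one of Wazuh's shipped scripts: it reads the JSON message that wazuh-execd delivers on stdin, decides whether the alert's source IP may be blocked, and only then runs the firewall command. The message layout and the check_keys handshake follow the Wazuh 4.x active response protocol as this example's author understands it and should be checked against the documentation for the version in use; the sample message, whitelist, never-block ranges, and script name are constructed.

```python
#!/usr/bin/env python3
"""Block the source IP of an alert, refusing addresses that must never be blocked."""
import ipaddress
import json
import subprocess
import sys

# Constructed policy: hosts that must never be blocked even if they trip a rule,
# plus ranges a spoofed srcip could use to lock out administrators.
WHITELIST = {"192.0.2.10"}
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def message_with(srcip, command="add"):
    """Constructed execd message (Wazuh 4.x shape) carrying a brute-force alert."""
    return {
        "version": 1,
        "origin": {"name": "node01", "module": "wazuh-execd"},
        "command": command,
        "parameters": {
            "extra_args": [],
            "alert": {
                "rule": {"id": "100101", "level": 10, "description": "sshd: brute force attempt"},
                "agent": {"id": "003", "name": "srv1"},
                "data": {"srcip": srcip, "dstuser": "root"},
            },
            "program": "/var/ossec/active-response/bin/block-srcip.py",
        },
    }


SAMPLE_MESSAGE = message_with("203.0.113.7")


def plan_response(message, whitelist=WHITELIST, never_block=NEVER_BLOCK):
    """Decide what to run; returns a dict with argv, or action None and a reason."""
    command = message.get("command")
    if command not in ("add", "delete"):
        return {"action": None, "reason": f"unsupported command {command!r}"}
    srcip = message.get("parameters", {}).get("alert", {}).get("data", {}).get("srcip")
    if not srcip:
        return {"action": None, "reason": "alert has no data.srcip to act on"}
    try:
        ip = ipaddress.ip_address(srcip)
    except ValueError:
        return {"action": None, "reason": f"data.srcip {srcip!r} is not an IP literal"}
    if srcip in whitelist or any(ip in net for net in never_block):
        return {"action": None, "reason": f"refusing to block {srcip} (whitelisted or internal)"}
    flag = "-I" if command == "add" else "-D"   # delete runs when the timeout expires
    tool = "iptables" if ip.version == 4 else "ip6tables"
    return {"action": command, "ip": srcip, "argv": [tool, flag, "INPUT", "-s", srcip, "-j", "DROP"]}


def main():
    message = json.loads(sys.stdin.readline())
    plan = plan_response(message)
    if plan["action"] is None:
        print(plan["reason"], file=sys.stderr)
        return 0
    if plan["action"] == "add":
        # Stateful handshake: announce the key this response acts on and wait
        # for execd to say whether to continue (it aborts if already active).
        print(json.dumps({"version": 1, "origin": {"name": "block-srcip", "module": "active-response"},
                          "command": "check_keys", "parameters": {"keys": [plan["ip"]]}}), flush=True)
        reply = json.loads(sys.stdin.readline())
        if reply.get("command") != "continue":
            return 0
    subprocess.run(plan["argv"], check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Keeping the decision in plan_response, separate from anything that touches the firewall, is what makes the refusal logic testable without root and without a manager; the same split applies to responses that disable accounts or open tickets.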
---
Without continuous security monitoring, organizations are effectively blind to attacker activity that occurs between periodic audits or vulnerability scans. The median dwell time for attackers in enterprise environments (the time between initial compromise and detection) has historically ranged from weeks to months, according to Mandiant's M-Trends reporting. A platform like Wazuh compresses that dwell time by generating alerts on the indicators of compromise that manifest during attacker activity: new user accounts created, privilege escalation events, lateral movement via remote services, and persistence mechanisms installed through scheduled tasks or startup entries.
The business impact of extended dwell time is not theoretical. In the 2020 SolarWinds supply chain attack, attackers maintained undetected access to victim environments for months. Post-incident analysis consistently found that organizations with robust endpoint telemetry and centralized log correlation detected anomalies faster than those relying on perimeter controls alone. Wazuh addresses exactly this monitoring gap.
A common misconception is that open-source security tools are suitable only for small organizations or hobbyist deployments. This is incorrect. Wazuh is deployed in regulated industries including healthcare (HIPAA), financial services (PCI DSS), and government (FedRAMP-adjacent environments), where compliance mandates require demonstrable log collection, integrity monitoring, and alerting capabilities. Its rules carry compliance tags (PCI DSS, HIPAA, GDPR, NIST SP 800-53, TSC) that the dashboard's compliance views are built on, and its SCA policies map to CIS Benchmarks, which makes it a credible compliance tool, not just a detection tool.
Another misconception is that Wazuh replaces the need for analyst judgment. It does not. The platform generates alerts; it does not make decisions. Without a trained analyst or a defined response process, even the best-configured Wazuh deployment produces alert noise that accumulates without action. The tool is as effective as the process surrounding it.
Finally, the absence of licensing cost does not mean the absence of total cost of ownership. Deploying and maintaining Wazuh across a large environment requires engineering effort for agent deployment, rule tuning, index capacity management, and integration maintenance. Organizations should budget for this operational work explicitly.
---
CDA approaches Wazuh through the Planetary Defense Model (PDM) with primary application in the Threat Intelligence and Detection (TID) domain, with supporting relevance to Security Posture and Hygiene (SPH) and Regulatory and Governance Alignment (RGA).
Within TID, CDA applies Wazuh as a core component of the Predictive Defense Intelligence (PDI) methodology: seeing the threat before it sees you. This means the deployment is not configured to detect only known-bad signatures. CDA configures Wazuh to capture behavioral telemetry that reveals attacker tradecraft even when the specific malware or tool has never been seen before. This includes monitoring for MITRE ATT&CK technique indicators such as T1003.001 (OS credential dumping from LSASS memory), T1053 (scheduled task creation for persistence), and T1105 (ingress tool transfer to a compromised host, found by cross-referencing outbound connection logging with file creation events).
CDA builds custom Wazuh rule chains that correlate multi-step sequences rather than single events. A single PowerShell execution is not an alert. A PowerShell execution that encodes a command, spawns a child process, and then creates a new scheduled task within a thirty-second window produces a high-confidence alert mapped to a specific ATT&CK technique cluster. This type of correlation requires deliberate rule engineering, not default configuration.
In the SPH domain, CDA uses Wazuh's SCA module to establish and enforce baseline configuration standards across client environments, mapping findings directly to CIS Benchmark levels and tracking remediation over time. This converts point-in-time audit findings into a continuous measurement program.
In the RGA domain, CDA uses Wazuh's FIM and log retention capabilities as documented evidence for compliance audits, providing reviewers with verifiable records of who accessed what, when, and whether system integrity was maintained throughout the audit period.
What CDA does differently is treat Wazuh configuration as a living intelligence product. Rule sets are reviewed quarterly, agent deployment coverage is measured against asset inventory, and alert fidelity (the ratio of true positives to total alerts) is tracked as an operational metric. Configuration drift in the monitoring platform itself is treated as a security risk, not an administrative inconvenience.
---
Written by CDA Editorial