Wazuh : The SIEM Platform

What is SIEM?

SIEM (Security Information and Event Management) software centrally collects, stores, and analyzes logs from the perimeter to the end user. It helps in monitoring security threats in real-time for quick attack detection, containment, and response with holistic security reporting and compliance management.

SIEM, pronounced “sim,” combines both security information management (SIM) and security event management (SEM) into one security management system

Long Term Log managementReal-Time Monitoring
Event enrichmentEvent Collection
CorrelationEvent Aggregation

SIEM: Capabilities

Data Aggregation: collect data from multiple sources

Correlation: Will define which sequences of events could be indicative of anomalies

Alerting: Will trigger an alert in mail/slack, etc. if any incident has been triggered

Dashboard: This will give a view of incidents, agents, and logs in graphical format.

Compliance: Verify regulatory compliance, auditors look at multiple aspects of a db. environments, including user management

Retention: To maintain your SIEM audit data for longer periods of time, you can configure a new Retention Bucket

Forensic Analysis: allows to collect and analyze log data in a central location from all devices/appliances and hosts and getting notified about abnormal events immediately.


Wazuh is a free and open-source security platform that unifies XDR and SIEM capabilities. It aims to protect workloads across on-premises, virtualized, containerized, and cloud-based environments.

These include log data analysis, intrusion, and malware detection, file integrity monitoring, configuration assessment, vulnerability detection, and support for regulatory compliance.

It can be used to collect, analyze and correlate security event data for threat detection and incident response. Wazuh has out-of-the-box integration with Mod Security which eliminates the need for creating custom integration.

Wazuh Components:

The Wazuh solution is based on the Wazuh agent, which is deployed on the monitored endpoints, and on three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard.

The Wazuh indexer is a highly scalable, full-text search and analytics engine. This central component indexes and stores alerts generated by the Wazuh server.

The Wazuh server analyses data received from the agents. It processes it through decoders and rules, using threat intelligence to look for well-known indicators of compromise (IOCs). A single server can analyze data from hundreds or thousands of agents, and scale horizontally when set up as a cluster. This central component is also used to manage the agents, configuring and upgrading them remotely when necessary.

The Wazuh dashboard is the web user interface for data visualization and analysis. This includes out-of-the-box dashboards for security events, regulatory compliance (e.g., PCI DSS, GDPR, CIS, HIPAA, NIST 800-53), file integrity monitoring data, detected vulnerable applications, configuration assessment results, cloud infrastructure monitoring events, and much more. It also helps in managing Wazuh configuration and monitoring its status.

Wazuh agents are installed on endpoints such as laptops, desktops, servers, cloud instances, or virtual machines. They provide threat prevention, detection, and response capabilities. They run on operating systems such as Linux, Windows, macOS, Solaris, AIX, and HP-UX.

Wazuh Architecture:

Wazuh Manager:

Wazuh manager is the system that analyzes the data received from all registered agents and triggers alerts when an event coincides with a rule. For example, intrusion detected, file modified, configuration not in accordance with the policy, possible rootkit, among others.

File beat:

Filebeat can be used in conjunction with Wazuh Manager to send events and alerts to the Wazuh indexer. This role will install Filebeat, you can customize the installation with these variables:

filebeat_output_indexer_hosts: This defines the indexer node(s) to be used (default:

Elastic Search:

Elasticsearch is a distributed, free and open search and analytics engine for all types of data, including textual, numerical, geospatial, structured, and unstructured.

Elasticsearch indices:
The .kibana index
The wazuh-alerts- indices
The wazuh-monitoring- indices
The wazuh-statistics- indices


Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch. It also allows you to manage the configuration and capabilities of the Wazuh server.

Wazuh Agent:

The Wazuh agent is multi-platform and runs on the hosts that the user wants to monitor. It communicates with the Wazuh manager, sending data in near real-time through an encrypted and authenticated channel.

Wazuh Installation:

Wazuh Server:


Ansible Role: Wazuh-Manager
Ansible role to configure wazuh manager standalone with slack integration

Some of the highlighting features are:-
Standalone setup of Wazuh-manager
Setup Slack for alert management

Supported OS

Ubuntu 18
Ubuntu 20
Ubuntu 22

No third-party requirement is needed in this role

Step 1:

Navigate to https://galaxy.ansible.com/opstree_devops/wazuh_manager

Installation: ansible-galaxy install opstree_devops.wazuh_manager

Step 2:

The inventory for wazuh_manager role should look like this:-

node-1 ansible_host=

Step 3:

An example playbook should look like this:-

name: wazuh
hosts: all
become_user: root
{ role: opstree_devops.wazuh_manager }

Step 4:

For running the ansible role, we will use ansible cli.

ansible-playbook -i tests/inventory tests/test.yml

Step 5:

Required Ports

Wazuh server1514TCP/UDPAgent connection service
1515TCPAgent enrollment service
1516TCPWazuh cluster daemon
Wazuh Syslog collector (disabled by default)
55000TCPWazuh server RESTful API
Wazuh indexer9200TCPWazuh indexer RESTful API
9300-9400TCPWazuh indexer cluster communication
Wazuh dashboard443TCPWazuh web user interface

Step 6:

Open the public ip in the browser

Default username: admin , password: admin

Wazuh Agent:

Ansible role to setup & manage Wazuh-Agent

Some of the highlighting features added:-

Setup wazuh agent
Enabling File Integration Management(FIM) over server
Enabling user audit information gathering setup over node
Enabling system check over servers home directory.
Configure N number of application in wazuh agent for log aggregation

Supported OS

Ubuntu 18
Ubuntu 20
Ubuntu 22

UDP port should be open

Step 1:

Navigate to https://galaxy.ansible.com/opstree_devops/wazuh_agent

Installation: ansible-galaxy install opstree_devops.wazuh_agent

Step 2:

The inventory for wazuh_manager role should look like this:-

node-1 ansible_host=

Step 3:

An example playbook should look like this:-

name: wazuh
hosts: all
become_user: root
{ role: wazuh_agent }

Step 4:

and for running the ansible role, we will use ansible cli.

ansible-playbook -i tests/inventory tests/test.yml

Wazuh modules:

Log collector:

Log data collection is the real-time process of making sense of the records generated by servers or devices. This component can receive logs through text files or Windows event logs.

Here you can manually add the path of file that you want monitor.

File integrity monitoring (FIM):

Monitors the file system, reporting when files are created, deleted, or modified and keep track of the same

Security configuration assessment:

SCA Component provide detail of Regulatory Compliance on basis of Center of Internet Security (CIS) benchmarks. Wazuh has default Compliance like PCI DSS, NIST, GDPR, TSC, HIPAA

System Auditing:

Monitors audit logs like write access, read access, execute access, attribute change, or system call rule, using Wazuh decoders and rules.

MITRE Attack:

MITRE ATTACK matrix stores all possible attacks that can be made and what to do to mitigate and detect them.

Docker Listener:

Protects container workloads at two different levels: infrastructure and container level.


Collects the information generated by Osquery to send it to the manager and detects the incidents

system_info, high_load_average and low_free_memory queries will be executed every hour further osquery-monitoring,hardware-monitoring or ossec-rootkit


Detects vulnerabilities based on installed applications

Follows CVE for Ubuntu Linux distributions, National Vulnerability Database. And many more.


Each PoC represents real-world scenarios that users can deploy using specific configurations. In addition, further information is provided to verify the feasibility of the product on how to generate and query the alerts, and the affected endpoints resulting from each PoC.

Blog Pundits: Naveen Verma and Sandeep Rawat

OpsTree is an End-to-End DevOps Solution Provider.

Connect with Us

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: