Exploring Wazuh: A Comprehensive Open-Source XDR and SIEM Solution

Listen to this Post

Featured Image
Wazuh is an open-source XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) platform designed to monitor, detect, and respond to threats across endpoints, servers, containers, and cloud environments.

Key Features of Wazuh:

🔵 Log Analysis & Intrusion Detection – Real-time log parsing and correlation.
🔵 File Integrity Monitoring (FIM) – Detects unauthorized file changes.
🔵 Configuration Assessment & Vulnerability Detection – Scans for misconfigurations and CVEs.
🔵 Regulatory Compliance – Supports PCI DSS, GDPR, HIPAA, CIS, and NIST 800-53.

Core Components of Wazuh:

🔵 Agents – Installed on endpoints to collect logs, monitor files, and detect malware.
🔵 Server – Processes data, applies detection rules, and manages agents.
🔵 Indexer – Stores and indexes alerts and events.
🔵 Dashboard – Web-based UI for visualization and analysis.

You Should Know: Essential Wazuh Commands & Configurations

1. Installing Wazuh

On Linux (Ubuntu/Debian):

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg 
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/wazuh.list 
sudo apt update 
sudo apt install wazuh-manager wazuh-agent 
sudo systemctl enable --now wazuh-manager 
sudo systemctl enable --now wazuh-agent 

On Windows (Agent Installation via PowerShell):

Invoke-WebRequest -Uri "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.2-1.msi" -OutFile "wazuh-agent.msi" 
msiexec.exe /i wazuh-agent.msi /qn WAZUH_MANAGER='wazuh-server-ip' WAZUH_REGISTRATION_SERVER='wazuh-server-ip' 

2. Managing Wazuh Agents

  • List Active Agents:
    /var/ossec/bin/agent_control -l 
    
  • Restart an Agent:
    systemctl restart wazuh-agent 
    

3. File Integrity Monitoring (FIM) Setup

Edit the Wazuh agent config (`/var/ossec/etc/ossec.conf`):

<syscheck> 
<directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories> 
</syscheck> 

Then restart the agent:

systemctl restart wazuh-agent 

4. Checking Alerts & Logs

  • View Wazuh Alerts:
    tail -f /var/ossec/logs/alerts/alerts.json 
    
  • Check Agent Logs:
    journalctl -u wazuh-agent -f 
    
    1. Integrating Wazuh with TheHive & Cortex (XSOAR Stack)
  • Use Wazuh Webhook to forward alerts to TheHive:
    curl -XPOST "http://thehive-server:9000/api/v1/alert" -H "Authorization: Bearer API_KEY" -H "Content-Type: application/json" -d '{"title":"Wazuh Alert","description":"Malware detected"}' 
    

What Undercode Say

Wazuh is a powerful, free alternative to commercial SIEM/XDR solutions. Its modular architecture allows seamless integration with threat intelligence platforms like MISP, TheHive, and Cortex. For SOC teams, Wazuh’s real-time FIM and log correlation capabilities make it indispensable. Future enhancements may include deeper SOAR integrations and AI-driven anomaly detection.

Prediction

As cyber threats evolve, Wazuh will likely expand its cloud-native detection capabilities, possibly integrating machine learning for behavioral analysis. Expect tighter Kubernetes monitoring and automated incident response workflows.

Expected Output:

✅ Wazuh Installed & Running

✅ Agents Actively Reporting

✅ FIM Monitoring Critical Directories

✅ Alerts Forwarded to TheHive

🔗 Useful Links:

References:

Reported By: Regissenet On – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram