Wazuh is the world's leading free, open-source security platform that provides unified SIEM (Security Information and Event Management), XDR (Extended Detection and Response), and HIDS (Host-based Intrusion Detection System) capabilities. Originally forked from OSSEC in 2015, Wazuh has evolved into a comprehensive security monitoring solution trusted by thousands of organizations worldwide.
In a world where commercial SIEM solutions like Splunk cost $50,000 - $500,000+ per year, Wazuh delivers enterprise-grade security monitoring at zero license cost. For SOC analysts, system administrators, and security engineers, Wazuh has become the go-to platform for building a professional security operations center without breaking the budget.
Key Fact: Wazuh monitors over 20 million endpoints globally, processes billions of security events daily, and has 30,000+ GitHub stars. It's the most deployed open-source SIEM in the world — and it's completely free, with no "enterprise edition" paywall.
What Does Wazuh Do?
| Capability | What It Does | Example Use Case |
|---|---|---|
| Intrusion Detection (HIDS) | Monitors system calls, file changes, registry, and rootkits | Detect unauthorized SSH login attempts |
| Log Analysis | Collects, parses, and correlates logs from all sources | Aggregate syslog, Apache, nginx, auth logs |
| File Integrity Monitoring (FIM) | Tracks changes to critical files and directories | Alert when /etc/passwd or web files are modified |
| Vulnerability Detection | Scans installed packages against CVE databases | Find unpatched OpenSSL or Apache versions |
| Configuration Assessment (SCA) | Audits systems against CIS benchmarks and best practices | Check if SSH root login is disabled |
| Regulatory Compliance | Maps alerts to compliance frameworks | PCI DSS, HIPAA, GDPR, NIST 800-53 reporting |
| Active Response | Automated countermeasures when threats are detected | Auto-block IPs after brute-force attacks |
| Cloud Security (CSPM) | Monitors AWS, Azure, GCP configurations | Detect publicly exposed S3 buckets |
| Container Security | Monitors Docker and Kubernetes environments | Detect privileged container launches |
| Threat Intelligence | Integrates IoC feeds for threat detection | Match network traffic against known C2 servers |
Wazuh Architecture
Wazuh uses a server-agent architecture with three main components:
| Component | Role | Technology |
|---|---|---|
| Wazuh Indexer | Stores and indexes security events (search engine) | OpenSearch-based (Elasticsearch fork) |
| Wazuh Server | Analyzes data from agents, triggers alerts, runs decoders & rules | C, Python — core analysis engine |
| Wazuh Dashboard | Web UI for visualization, alerting, and management | OpenSearch Dashboards (Kibana fork) |
| Wazuh Agent | Installed on monitored endpoints, collects and forwards data | C — lightweight, cross-platform |
Data Flow:
Endpoints (Agents) → Wazuh Server (Analysis) → Wazuh Indexer (Storage) → Dashboard (Visualization)
Agents collect logs, system events, and file changes → Server applies decoders, rules, and correlation → Indexer stores enriched events → Dashboard shows alerts, compliance status, and analytics.
Minimum Hardware Requirements
| Deployment Size | Agents | CPU | RAM | Storage |
|---|---|---|---|---|
| Small (Home Lab) | 1–25 | 4 vCPU | 8 GB | 50 GB SSD |
| Medium (SMB) | 25–100 | 8 vCPU | 16 GB | 200 GB SSD |
| Large (Enterprise) | 100–1,000 | 16 vCPU | 32 GB | 500 GB+ SSD |
| Enterprise (Multi-node) | 1,000+ | Cluster | 64 GB+ per node | TB-scale NVMe |
Installing Wazuh: All-in-One (Single Server)
The fastest way to deploy Wazuh for testing or small environments:
```bash
# All-in-One installation (server + indexer + dashboard)
# Download the Wazuh installation assistant and its node config
curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.9/config.yml

# Edit config.yml — set your server IP (all three roles on the same host)
vim config.yml
# nodes:
#   indexer:
#     - name: wazuh-indexer
#       ip: "YOUR_SERVER_IP"
#   server:
#     - name: wazuh-server
#       ip: "YOUR_SERVER_IP"
#   dashboard:
#     - name: wazuh-dashboard
#       ip: "YOUR_SERVER_IP"

# Run the installer, one component at a time
sudo bash wazuh-install.sh --generate-config-files
sudo bash wazuh-install.sh --wazuh-indexer wazuh-indexer
sudo bash wazuh-install.sh --start-cluster
sudo bash wazuh-install.sh --wazuh-server wazuh-server
sudo bash wazuh-install.sh --wazuh-dashboard wazuh-dashboard

# Access the dashboard
# URL: https://YOUR_SERVER_IP
# Default user: admin
# Password: shown at end of installation
```
Docker Deployment (Recommended for Labs)
```bash
# Clone Wazuh Docker repository
git clone https://github.com/wazuh/wazuh-docker.git -b v4.9.0
cd wazuh-docker/single-node

# Generate SSL certificates
docker compose -f generate-indexer-certs.yml run --rm generator

# Start Wazuh stack
docker compose up -d

# Check status
docker compose ps
# Dashboard available at: https://localhost:443
# API available at: https://localhost:55000
# Default credentials: admin / SecretPassword

# View logs
docker compose logs -f wazuh.manager
```
Lab Tip: Docker deployment is perfect for home labs, training, and SIEM/SOC practice. You can deploy a full Wazuh stack on a single VPS or even a Raspberry Pi (with sufficient RAM). For production, use the native installation or a multi-node cluster.
Agent Deployment
Linux Agent Installation
```bash
# RHEL/CentOS/AlmaLinux
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
cat > /etc/yum.repos.d/wazuh.repo << 'EOF'
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
WAZUH_MANAGER="10.0.0.100" yum install wazuh-agent -y
systemctl daemon-reload
systemctl enable --now wazuh-agent

# Debian/Ubuntu
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring \
  --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \
  | tee /etc/apt/sources.list.d/wazuh.list
apt-get update
WAZUH_MANAGER="10.0.0.100" apt-get install wazuh-agent -y
systemctl daemon-reload
systemctl enable --now wazuh-agent

# Verify agent connection
sudo /var/ossec/bin/wazuh-control status
sudo tail -20 /var/ossec/logs/ossec.log
```
Windows Agent Installation
```powershell
# PowerShell (Administrator)
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.0-1.msi `
    -OutFile $env:tmp\wazuh-agent.msi

# Install with manager IP
msiexec.exe /i $env:tmp\wazuh-agent.msi /q `
    WAZUH_MANAGER="10.0.0.100" `
    WAZUH_AGENT_NAME="win-server-01" `
    WAZUH_AGENT_GROUP="windows-servers"

# Start the service (the Windows service is registered as WazuhSvc)
NET START WazuhSvc
```
Agent Deployment at Scale (Ansible)
```yaml
# Ansible playbook for mass agent deployment (RedHat-family hosts)
---
- name: Deploy Wazuh Agent to all Linux servers
  hosts: all_linux_servers
  become: yes
  vars:
    wazuh_manager_ip: "10.0.0.100"
    wazuh_agent_group: "linux-servers"
  tasks:
    - name: Import Wazuh GPG key
      rpm_key:
        key: https://packages.wazuh.com/key/GPG-KEY-WAZUH
        state: present
      when: ansible_os_family == "RedHat"

    - name: Add Wazuh repository
      yum_repository:
        name: wazuh
        description: Wazuh repository
        baseurl: https://packages.wazuh.com/4.x/yum/
        gpgcheck: yes
        gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
      when: ansible_os_family == "RedHat"

    - name: Install Wazuh agent
      package:
        name: wazuh-agent
        state: present
      environment:
        WAZUH_MANAGER: "{{ wazuh_manager_ip }}"
        WAZUH_AGENT_GROUP: "{{ wazuh_agent_group }}"

    - name: Enable and start Wazuh agent
      systemd:
        name: wazuh-agent
        enabled: yes
        state: started
```
Key Features Deep Dive
1. File Integrity Monitoring (FIM)
```xml
<!-- /var/ossec/etc/ossec.conf — FIM configuration -->
<syscheck>
  <frequency>300</frequency> <!-- Check every 5 minutes -->
  <alert_new_files>yes</alert_new_files>

  <!-- Critical system files -->
  <directories realtime="yes" check_all="yes">/etc/passwd,/etc/shadow,/etc/group</directories>
  <directories realtime="yes" check_all="yes">/etc/ssh/sshd_config</directories>
  <directories realtime="yes" check_all="yes">/etc/sudoers,/etc/sudoers.d</directories>

  <!-- Web application files -->
  <directories realtime="yes" report_changes="yes">/var/www/html</directories>

  <!-- Crontabs -->
  <directories realtime="yes" check_all="yes">/etc/crontab,/etc/cron.d</directories>

  <!-- Ignore false positives -->
  <ignore>/var/www/html/cache</ignore>
  <ignore type="sregex">\.log$</ignore>
</syscheck>
```
2. Custom Detection Rules
```xml
<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="custom_rules">

  <!-- Detect multiple failed SSH logins (brute force) -->
  <rule id="100001" level="10" frequency="5" timeframe="120">
    <if_matched_sid>5710</if_matched_sid>
    <description>SSH brute force attack detected (5+ failures in 2 min)</description>
    <mitre>
      <id>T1110</id> <!-- Brute Force -->
    </mitre>
    <group>authentication_failures,pci_dss_10.2.4,pci_dss_11.4,</group>
  </rule>

  <!-- Detect new user creation -->
  <rule id="100002" level="8">
    <if_sid>5901</if_sid>
    <match>useradd</match>
    <description>New user account created: $(account)</description>
    <mitre>
      <id>T1136</id> <!-- Create Account -->
    </mitre>
    <group>account_changed,pci_dss_8.1.2,gdpr_II_5.1.f,</group>
  </rule>

  <!-- Detect web shell upload (PHP) -->
  <rule id="100003" level="12">
    <if_sid>554</if_sid> <!-- syscheck "file added"; 550 is "checksum changed" -->
    <match>/var/www</match>
    <regex>\.php$</regex>
    <description>New PHP file created in web directory — possible web shell</description>
    <mitre>
      <id>T1505.003</id> <!-- Web Shell -->
    </mitre>
    <group>web,attack,</group>
  </rule>

  <!-- Detect sudo to root -->
  <rule id="100004" level="5">
    <if_sid>5402</if_sid>
    <match>USER=root</match>
    <description>User $(srcuser) executed command as root via sudo</description>
    <group>sudo,pci_dss_10.2.2,</group>
  </rule>

</group>
```
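To see what `frequency` and `timeframe` actually do, here is rule 100001's correlation logic re-implemented in Python and run over a constructed `auth.log` excerpt. This is an added example, not Wazuh's rule engine: the regex stands in for the built-in sshd decoder and rule 5710, the sample log lines and the 2024 year are constructed, and the severity bands follow the alert-level table later on this page. One caveat it makes visible: the rule as written on the page counts parent matches from all sources together; this example groups by source address, which is what you get in Wazuh by adding `<same_source_ip/>` to the rule.

```python
"""Frequency/timeframe correlation for rule 100001, re-implemented in Python
(added example) and run over constructed sshd log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt: one source hammering invalid accounts, one
# legitimate login, one isolated failure from a different address.
SAMPLE_LOG = """\
Mar  4 10:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  4 10:00:13 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  4 10:00:25 web01 sshd[2218]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
Mar  4 10:00:40 web01 sshd[2221]: Failed password for invalid user oracle from 203.0.113.7 port 51055 ssh2
Mar  4 10:00:52 web01 sshd[2225]: Accepted password for alice from 198.51.100.4 port 40022 ssh2
Mar  4 10:01:03 web01 sshd[2230]: Failed password for invalid user backup from 203.0.113.7 port 51060 ssh2
Mar  4 10:09:00 web01 sshd[2299]: Failed password for invalid user admin from 198.51.100.9 port 44100 ssh2
"""

# Stand-in for the built-in sshd decoder plus rule 5710 (login for a non-existent user).
INVALID_USER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for invalid user (?P<user>\S+) from (?P<srcip>\S+)"
)

# The child rule from local_rules.xml, expressed as data.
RULE_100001 = {
    "id": 100001, "level": 10, "if_matched_sid": 5710,
    "frequency": 5, "timeframe": 120,
    "description": "SSH brute force attack detected (5+ failures in 2 min)",
}


def severity_label(level):
    """Severity band for a Wazuh alert level (0-15)."""
    if level <= 3:
        return "Informational"
    if level <= 7:
        return "Warning"
    if level <= 11:
        return "High"
    return "Critical"


def decode(line, year=2024):
    """Return a 5710-style event for a matching line, else None.
    Syslog lines carry no year, so one is supplied (assumed 2024 here)."""
    m = INVALID_USER_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"sid": 5710, "timestamp": ts, "srcip": m["srcip"], "user": m["user"]}


def correlate(lines, rule=RULE_100001):
    """Fire the child rule once `frequency` parent matches from the same
    source fall inside `timeframe` seconds (same_source_ip semantics)."""
    window = timedelta(seconds=rule["timeframe"])
    recent = defaultdict(deque)   # srcip -> timestamps of parent matches
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is None or ev["sid"] != rule["if_matched_sid"]:
            continue
        q = recent[ev["srcip"]]
        q.append(ev["timestamp"])
        while q and ev["timestamp"] - q[0] > window:
            q.popleft()           # expire matches older than the timeframe
        if len(q) >= rule["frequency"]:
            alerts.append({
                "rule_id": rule["id"], "level": rule["level"],
                "severity": severity_label(rule["level"]),
                "srcip": ev["srcip"], "timestamp": ev["timestamp"].isoformat(),
                "description": rule["description"],
            })
            q.clear()             # fresh window, so one burst yields one alert
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Running it yields a single level-10 alert for 203.0.113.7 at 10:01:03; the lone failure from 198.51.100.9 never reaches the threshold, and the successful login is not a parent match at all. On a real manager the same check is done with `/var/ossec/bin/wazuh-logtest`, which replays a log line through the decoders and rules and shows which rule id fired.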
3. Active Response (Automated Countermeasures)
```xml
<!-- /var/ossec/etc/ossec.conf — Active Response configuration -->

<!-- Auto-block IPs after brute force detection -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100001</rules_id>
  <timeout>3600</timeout> <!-- Block for 1 hour -->
</active-response>

<!-- Disable compromised user account -->
<active-response>
  <command>disable-account</command>
  <location>local</location>
  <rules_id>100010</rules_id> <!-- Triggered by account compromise rule -->
  <timeout>no</timeout> <!-- Permanent until admin reviews -->
</active-response>
```
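The built-in `firewall-drop` command blocks whatever address the alert carries, so it is worth understanding what a custom active-response script receives and where to put a safety check. The script below is an added example, not one of Wazuh's shipped scripts: it reads the JSON that the manager's execd passes on stdin, refuses to touch loopback or an allow-list of hypothetical management networks (a spoofed source in a brute-force log could otherwise lock you out of your own boxes), and builds the iptables call for the `add` (block) and `delete` (timeout expiry) commands. The field paths `command`, `parameters.alert.data.srcip` and `parameters.alert.rule.id` follow the Wazuh 4.x active-response message layout as I understand it; check them against your version's documentation, and note that the key-check handshake Wazuh's own sample scripts perform is left out here.

```python
#!/usr/bin/env python3
"""Custom active-response handler (added example, not a Wazuh-provided script).
execd starts this script and passes the triggering alert as one JSON line on stdin."""
import ipaddress
import json
import subprocess
import sys
from datetime import datetime, timezone

LOG_FILE = "/var/ossec/logs/active-responses.log"
# Hypothetical management networks that automation must never block.
ALLOW_LIST = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.0.2.10/32")]


def decide(message, allow_list=ALLOW_LIST):
    """Map an execd message to ("block" | "unblock" | "skip", ip, reason).
    Field paths assumed: command, parameters.alert.data.srcip, parameters.alert.rule.id."""
    command = message.get("command")
    alert = message.get("parameters", {}).get("alert", {})
    srcip = alert.get("data", {}).get("srcip")
    rule_id = alert.get("rule", {}).get("id")
    if command not in ("add", "delete"):
        return "skip", srcip, f"unsupported command {command!r}"
    if not srcip:
        return "skip", None, "alert carries no srcip"
    try:
        ip = ipaddress.ip_address(srcip)
    except ValueError:
        return "skip", srcip, "srcip is not a valid IP address"
    # Only loopback and explicitly listed networks are exempt; exempting all
    # private ranges would blind the response to brute force from inside.
    if ip.is_loopback or any(ip in net for net in allow_list):
        return "skip", srcip, "source is loopback or allow-listed"
    action = "block" if command == "add" else "unblock"
    return action, srcip, f"rule {rule_id}"


def firewall_cmd(action, ip):
    """iptables argv for a decision: insert a DROP on block, remove it on unblock."""
    flag = "-I" if action == "block" else "-D"
    return ["iptables", flag, "INPUT", "-s", ip, "-j", "DROP"]


def handle(message, dry_run=False):
    """Apply the decision (unless dry_run), append an audit line, return the action."""
    action, ip, reason = decide(message)
    line = f"{datetime.now(timezone.utc).isoformat()} {action} {ip} ({reason})"
    if action != "skip" and not dry_run:
        subprocess.run(firewall_cmd(action, ip), check=False)
    try:
        with open(LOG_FILE, "a") as fh:
            fh.write(line + "\n")
    except OSError:
        pass  # log path absent on a dev box; the decision still stands
    return action


# Constructed message in the shape execd sends (not captured from a live manager).
SAMPLE_MESSAGE = {
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {"rule": {"id": "100001", "level": 10}, "data": {"srcip": "203.0.113.7"}},
        "program": "/var/ossec/active-response/bin/custom-block.py",
    },
}

if __name__ == "__main__":
    message = json.loads(sys.stdin.readline() or "{}")
    handle(message, dry_run="--dry-run" in sys.argv)
```

To wire it in, the script would be placed under `/var/ossec/active-response/bin/`, declared with a `<command>` block in `ossec.conf`, and referenced from an `<active-response>` entry like the ones above; `--dry-run` lets you test the decision logic without touching the firewall.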
Wazuh vs Commercial SIEM Solutions
| Feature | Wazuh | Splunk | ELK Stack | Microsoft Sentinel |
|---|---|---|---|---|
| License Cost | Free (open source) | $50K–$500K+/year | Free core / paid features | Pay per GB ingested |
| HIDS (Agent-based) | Built-in | Add-on (UF) | Requires Beats | MDE integration |
| Vulnerability Detection | Built-in | Add-on | External tools | Defender integration |
| File Integrity (FIM) | Built-in | Add-on | External (AIDE) | FIM workbook |
| Compliance Reporting | PCI, HIPAA, GDPR, NIST | Enterprise add-ons | Manual setup | Workbooks |
| Active Response | Built-in | SOAR add-on | External | Logic Apps |
| Cloud Monitoring | AWS, Azure, GCP | Extensive | Manual | Azure native |
| MITRE ATT&CK Mapping | Built-in | App | Manual | Built-in |
| Docker/K8s Monitoring | Built-in | Add-on | Beats | Container Insights |
| Learning Curve | Moderate | Moderate-High | High | Moderate |
| Community | 30K+ GitHub stars | Enterprise support | Large community | Microsoft support |
Cost Comparison: A 100-agent Wazuh deployment costs only infrastructure (~$50-200/month on a VPS). The same coverage with Splunk Enterprise would cost $100,000+/year. Even Splunk Cloud starts at approximately $15,000/year. Wazuh makes enterprise SIEM accessible to organizations of any size.
Compliance Frameworks in Wazuh
Wazuh automatically maps security events to regulatory compliance requirements:
| Framework | Industry | What Wazuh Covers |
|---|---|---|
| PCI DSS 4.0 | Payment card industry | Requirements 1, 2, 5, 6, 8, 10, 11 |
| HIPAA | Healthcare | Access controls, audit controls, integrity |
| GDPR | EU data protection | Articles 5, 25, 30, 32, 33, 35 |
| NIST 800-53 | US government | AC, AU, CM, IA, SI, RA control families |
| SOC 2 | Service organizations | Security, availability, processing integrity |
| CIS Benchmarks | All industries | Automated SCA checks against CIS profiles |
Real-World SOC Integration
How Wazuh fits into a professional Security Operations Center:
| SOC Function | Wazuh Role | Integration |
|---|---|---|
| Tier 1 — Alert Triage | Dashboard with severity-based alert queue | Slack/Teams/PagerDuty notifications |
| Tier 2 — Investigation | Deep event correlation, MITRE mapping | TheHive, MISP, VirusTotal |
| Tier 3 — Threat Hunting | Custom rules, CDB lists, advanced queries | YARA rules, Sigma rules |
| Incident Response | Active response, forensic data | Shuffle SOAR, custom scripts |
| Compliance Reporting | Built-in dashboards for PCI/HIPAA/GDPR | PDF export, scheduled reports |
Wazuh Alert Levels
| Level | Severity | Description | Example |
|---|---|---|---|
| 0–3 | Informational | Normal operations, no action needed | Successful login, service start |
| 4–7 | Warning | Unusual activity, should investigate | First failed login, config change |
| 8–11 | High | Significant threat, immediate investigation | Multiple failed logins, FIM alert |
| 12–15 | Critical | Active attack, immediate response required | Rootkit detected, web shell, brute force |
Wazuh API: Automation & Integration
```bash
# Authenticate with Wazuh API
# (-k skips TLS verification; in production point curl at the installer's CA with --cacert instead)
TOKEN=$(curl -s -u "wazuh-wui:wazuh-wui" -k \
  -X POST "https://localhost:55000/security/user/authenticate" | \
  jq -r '.data.token')

# List all agents
curl -s -k -X GET "https://localhost:55000/agents" \
  -H "Authorization: Bearer $TOKEN" | jq '.data.affected_items[] | {id, name, status, os: .os.name}'

# Get security alerts (last 24 hours); list options go in the query string
curl -s -k -X GET "https://localhost:55000/alerts?limit=20&sort=-timestamp" \
  -H "Authorization: Bearer $TOKEN" | jq

# Get vulnerability inventory for an agent
curl -s -k -X GET "https://localhost:55000/vulnerability/001" \
  -H "Authorization: Bearer $TOKEN" | jq '.data.affected_items[] | {cve: .cve, name: .name, severity: .severity}'

# Restart an agent remotely
curl -s -k -X PUT "https://localhost:55000/agents/001/restart" \
  -H "Authorization: Bearer $TOKEN"
```
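The curl calls above show single requests; an automation job usually needs a token it can reuse, proper certificate checking, and pagination, because `/agents` returns at most one page of `affected_items` per call. The client below is an added example written against the endpoints shown on this page, not Wazuh's own SDK: it uses only the standard library, authenticates once with the page's default `wazuh-wui` credentials, walks a list endpoint using `offset`/`limit` and `data.total_affected_items`, and summarises which agents have stopped reporting. The `SAMPLE_PAGES` responses are constructed to mimic the API envelope so the paging and summary logic can be exercised without a manager.

```python
"""Minimal Wazuh API client (added example, not Wazuh's SDK), standard library only."""
import base64
import json
import ssl
import urllib.request
from collections import Counter
from urllib.parse import urlencode


class WazuhAPI:
    """Token-based client for the Wazuh server API (default port 55000)."""

    def __init__(self, base_url="https://localhost:55000", user="wazuh-wui",
                 password="wazuh-wui", cafile=None):
        self.base_url = base_url.rstrip("/")
        self.user, self.password = user, password
        # Verify the API certificate; pass cafile= for the installer's self-signed
        # CA rather than disabling verification the way `curl -k` does.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.token = None

    def _request(self, method, path, headers=None, params=None):
        url = self.base_url + path
        if params:
            url += "?" + urlencode(params)
        req = urllib.request.Request(url, method=method, headers=headers or {})
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def authenticate(self):
        """POST /security/user/authenticate with Basic auth; returns the JWT."""
        creds = base64.b64encode(f"{self.user}:{self.password}".encode()).decode()
        body = self._request("POST", "/security/user/authenticate",
                             headers={"Authorization": f"Basic {creds}"})
        self.token = body["data"]["token"]
        return self.token

    def get(self, path, **params):
        if self.token is None:
            self.authenticate()
        return self._request("GET", path, params=params,
                             headers={"Authorization": f"Bearer {self.token}"})

    def fetch_agents(self, offset, limit, **filters):
        """One page of /agents; extra keyword filters (e.g. status=) pass through."""
        return self.get("/agents", offset=offset, limit=limit, **filters)


def iter_pages(fetch, page_size=500):
    """Walk a Wazuh list endpoint. fetch(offset, limit) returns the response dict;
    iteration stops when offset reaches data.total_affected_items."""
    offset = 0
    while True:
        data = fetch(offset, page_size)["data"]
        items = data["affected_items"]
        yield from items
        offset += len(items)
        if not items or offset >= data["total_affected_items"]:
            break


def summarize_agents(agents):
    """Count agents by status and list the ones that are not reporting."""
    agents = list(agents)
    counts = Counter(a.get("status", "unknown") for a in agents)
    stale = sorted(a["name"] for a in agents
                   if a.get("status") in ("disconnected", "never_connected"))
    return {"by_status": dict(counts), "not_reporting": stale}


# Constructed pages mimicking the API envelope (not real output): 3 agents split over 2 pages.
SAMPLE_PAGES = [
    {"data": {"affected_items": [
        {"id": "000", "name": "wazuh-manager", "status": "active"},
        {"id": "001", "name": "web01", "status": "active"},
    ], "total_affected_items": 3}},
    {"data": {"affected_items": [
        {"id": "002", "name": "db01", "status": "disconnected"},
    ], "total_affected_items": 3}},
]


def sample_fetch(offset, limit):
    """Stand-in for WazuhAPI.fetch_agents that serves SAMPLE_PAGES (use limit=2)."""
    return SAMPLE_PAGES[offset // limit]


if __name__ == "__main__":
    api = WazuhAPI()  # assumes a local manager with the default API credentials
    print(json.dumps(summarize_agents(iter_pages(api.fetch_agents)), indent=2))
```

Disconnected agents are worth a scheduled check of their own: an endpoint that silently stops sending events is a monitoring gap, and it is the first thing an intruder who has found the agent would arrange.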
Wazuh Career Impact
SIEM skills — especially with Wazuh — are among the most in-demand in cybersecurity:
| Role | Salary (US) | Salary (EU) | Wazuh Relevance |
|---|---|---|---|
| SOC Analyst (L1) | $55,000 – $80,000 | €40,000 – €55,000 | Core tool |
| SOC Analyst (L2) | $80,000 – $110,000 | €55,000 – €80,000 | Core tool |
| SOC Analyst (L3 / Lead) | $110,000 – $150,000 | €75,000 – €110,000 | Architecture & tuning |
| Security Engineer | $120,000 – $180,000 | €80,000 – €130,000 | Deployment & integration |
| Detection Engineer | $130,000 – $190,000 | €90,000 – €140,000 | Custom rule development |
| SIEM Administrator | $100,000 – $145,000 | €70,000 – €100,000 | Primary responsibility |
Why Wazuh on Your Resume Matters: Many organizations are migrating from expensive Splunk deployments to Wazuh. Professionals who can deploy, configure, and tune Wazuh are in high demand — especially at startups, MSPs (Managed Security Service Providers), and mid-size enterprises looking to build cost-effective security operations.
Getting Started: 30-Day Wazuh Learning Path
| Week | Focus | Activities |
|---|---|---|
| 1 | Setup & Basics | Docker deployment, dashboard exploration, deploy 2-3 agents, understand alert flow |
| 2 | Detection & Monitoring | Configure FIM, understand built-in rules, explore vulnerability detection, setup SCA |
| 3 | Custom Rules & Response | Write custom rules, configure active response, integrate with Slack/email, MITRE mapping |
| 4 | Advanced & Integration | API automation, compliance dashboards, threat intel feeds, simulate attacks with Atomic Red Team |
Recommended Books for SIEM & Security:
- Linux Intrusion Detection with OSSEC & Wazuh — €14.90
- SOC Analyst Fundamentals — €11.90
- SOC Analyst Advanced: Incident Response & Forensics — €15.90
- Linux Security Hardening — €14.90
- Linux Security Auditing — €14.90
- Cybersecurity Fundamentals — €24.90
- Network Security Basics — €19.90
- Network Security Fundamentals — €19.90
- Docker Security & Production Hardening — €12.90
- Kubernetes Security & Best Practices — €14.90
- Ansible Automation: From Zero to Production — €24.90
- Security+ Certification Guide — €22.90
Further Reading on Dargslan
- Linux Security Hardening 2026: Complete Server Protection Guide
- SOC Analyst Career Guide 2026
- RHCSA EX200 Exam Guide 2026
- Docker vs Kubernetes: What's the Difference?
- Grok AI Complete Guide 2026
- Ubuntu 24.04 LTS Server Administration
- IT Certification Roadmap 2026
Final Verdict
Wazuh is the most capable free security platform available today. It delivers SIEM, XDR, HIDS, vulnerability detection, file integrity monitoring, compliance reporting, and automated response — all without a single dollar in license fees.
For SOC analysts and security engineers, Wazuh expertise is a career accelerator. As organizations increasingly move away from expensive commercial SIEMs, professionals who can deploy and tune Wazuh are building the next generation of security operations centers.
For organizations, Wazuh means enterprise-grade security monitoring without enterprise pricing. Whether you're a startup with 5 servers or a mid-size company with 500 endpoints, Wazuh scales to meet your needs — and it grows with you.
Start with a Docker lab today. Deploy a few agents. Write your first custom rule. The learning curve is manageable, the community is supportive, and the career payoff is substantial.
Master Wazuh & Intrusion Detection
Build your SIEM lab and learn enterprise security monitoring:
Get Linux Intrusion Detection with OSSEC & Wazuh →