Favicon of wazuh

wazuh

An open source security platform combining an endpoint agent and management server for intrusion detection, log analysis, and compliance reporting.

Wazuh is a free and open source platform for threat prevention, detection, and response, covering on-premises, virtualized, containerized, and cloud-based environments. It's built from two parts: a lightweight endpoint security agent deployed to monitored systems, and a central management server that collects and analyzes what the agents report. It's aimed at security teams that need visibility and compliance reporting across a mixed environment, rather than a single, narrow monitoring tool.

The project has its roots in OSSEC, an earlier open source intrusion detection system started by Daniel Cid, and has grown from that base into a broader security platform covering log analysis, vulnerability detection, configuration assessment, and compliance reporting alongside the original intrusion detection focus.

Key features

  • Intrusion detection: agents scan for malware, rootkits, and suspicious anomalies, including hidden files, cloaked processes, and unregistered network listeners, while the server adds signature-based detection over collected log data using a regular expression engine.
  • Log data analysis: agents forward operating system and application logs to the central manager for rule-based analysis and storage. When no agent is deployed, the server can also accept syslog directly from network devices or applications.
  • File integrity monitoring: tracks changes to file content, permissions, ownership, and attributes, and identifies which user or application made the change, useful both for threat detection and standards like PCI DSS.
  • Vulnerability detection: agents send software inventory data that's correlated against continuously updated CVE databases to flag known vulnerable software before it's exploited.
  • Configuration assessment: periodic scans check system and application configuration against your security policies or hardening guides, with customizable checks and remediation recommendations included in alerts.
  • Incident response: built-in active responses can take countermeasures automatically, such as blocking a source once certain criteria are met, and agents support remote command and query execution for live forensics and incident response.
  • Regulatory compliance reporting: dashboards and mapped alerts support PCI DSS, GPG13, and GDPR requirements.
  • Cloud and container security: integration modules pull security data from AWS, Azure, and Google Cloud, and native Docker engine integration monitors images, volumes, network settings, and running containers, including alerts for containers running in privileged mode.

Ideal use cases

Wazuh is a good fit for security teams that need one platform covering intrusion detection, log analysis, file integrity monitoring, vulnerability management, and compliance reporting across on-prem, cloud, and containerized systems, especially organizations that need to demonstrate PCI DSS, GDPR, or GPG13 compliance. It's also a reasonable choice if you already use the Elastic Stack, since Wazuh integrates with it for search and visualization, alongside its own Wazuh WUI for managing configuration and monitoring status.

It's more than most individuals or small setups need if you just want basic monitoring of a couple of personal servers. The agent-plus-manager architecture, and the breadth of modules on offer (compliance, cloud, container, vulnerability, file integrity, and more), point toward organizational deployments rather than a single lightweight watchdog process.

Installation

The README doesn't include copy-paste install commands. It points to the official installation guide instead:

For automated deployment, the Wazuh team maintains separate orchestration repositories referenced from the README, including tooling for AWS CloudFormation, Docker containers, Ansible, Chef, Puppet, Kubernetes, Bosh, and Salt, so you can pick the automation approach that matches your existing infrastructure rather than installing agents and the manager by hand. The main branch contains the latest code and may include bugs, so production deployments should track a stable release rather than main.

The README also lists the underlying software and libraries the project builds on, such as OpenSSL, cURL, RocksDB, SQLite, and Lua, alongside their versions and licenses, which is useful if you need to audit dependencies as part of your own compliance process.

Frequently asked questions

Share:

Stars
16.1K
Forks
2.4K
Last commit
3 hours ago
Repository age
11 years
Self-hosted
No
Activity score
82/100
View Repository
Built with:

Similar to wazuh

Favicon

 

  
  
Favicon

 

  
  
Favicon