Wazuh is a free and open source platform for threat prevention, detection, and response, covering on-premises, virtualized, containerized, and cloud-based environments. It's built from two parts: a lightweight endpoint security agent deployed to monitored systems, and a central management server that collects and analyzes what the agents report. It's aimed at security teams that need visibility and compliance reporting across a mixed environment, rather than a single, narrow monitoring tool.
The project has its roots in OSSEC, an earlier open source intrusion detection system started by Daniel Cid, and has grown from that base into a broader security platform covering log analysis, vulnerability detection, configuration assessment, and compliance reporting alongside the original intrusion detection focus.
Wazuh is a good fit for security teams that need one platform covering intrusion detection, log analysis, file integrity monitoring, vulnerability management, and compliance reporting across on-prem, cloud, and containerized systems, especially organizations that need to demonstrate PCI DSS, GDPR, or GPG13 compliance. It's also a reasonable choice if you already use the Elastic Stack, since Wazuh integrates with it for search and visualization, alongside its own Wazuh WUI for managing configuration and monitoring status.
It's more than most individuals or small setups need if you just want basic monitoring of a couple of personal servers. The agent-plus-manager architecture, and the breadth of modules on offer (compliance, cloud, container, vulnerability, file integrity, and more), point toward organizational deployments rather than a single lightweight watchdog process.
The README doesn't include copy-paste install commands. It points to the official installation guide instead:
For automated deployment, the Wazuh team maintains separate orchestration repositories referenced from the README, including tooling for AWS CloudFormation, Docker containers, Ansible, Chef, Puppet, Kubernetes, Bosh, and Salt, so you can pick the automation approach that matches your existing infrastructure rather than installing agents and the manager by hand. The main branch contains the latest code and may include bugs, so production deployments should track a stable release rather than main.
The README also lists the underlying software and libraries the project builds on, such as OpenSSL, cURL, RocksDB, SQLite, and Lua, alongside their versions and licenses, which is useful if you need to audit dependencies as part of your own compliance process.