Welcome to Wazuh
Wazuh is a free and open source platform for threat detection, security monitoring, incident response and regulatory compliance. It can be used to monitor endpoints, cloud services and containers, and to aggregate and analyze data from external sources. Wazuh provides the following capabilities:
Security Analytics
Wazuh is used to collect, aggregate, index and analyze security data, helping organizations detect intrusions, threats and behavioral anomalies.
As cyber threats become more sophisticated, real-time monitoring and security analysis are essential to quickly detect and remediate threats. For this reason, our lightweight agent provides the necessary monitoring and response capabilities, while our server component provides the security intelligence and performs the data analysis.
Intrusion Detection
Wazuh agents scan the monitored systems looking for malware, rootkits and suspicious anomalies. They can detect hidden files, cloaked processes or unregistered network listeners, as well as inconsistencies in system call responses.
In addition to agent capabilities, the server component uses a signature-based approach to intrusion detection, using its regular expression engine to analyze collected log data and look for indicators of compromise.
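One of the agent-side checks described above, the search for cloaked processes, works by asking the kernel about every possible pid and comparing the answers with what a listing of /proc shows: a rootkit that hooks directory reads hides the entry, but kill(2) still reports the process as alive. The block below is an added example of that comparison, written for this page; it is not Wazuh's rootcheck code, it assumes Linux and Python 3, and the function names are its own. It also handles the two classic false positives, threads (kill() accepts a thread id, but /proc lists only thread-group leaders) and processes that start or exit between the two passes.

```python
import os

PROC = "/proc"


def _alive(pid):
    """kill(pid, 0) delivers no signal; it only reports whether the pid exists."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user


def _listed():
    """Pids that a directory listing of /proc currently shows."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def _tgid(pid):
    """Thread-group id from /proc/<pid>/status; None if the entry is unreadable."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def scan_pids(max_pid=None):
    """Compare syscall-visible pids with the /proc listing and return the hidden ones.

    max_pid defaults to the kernel's pid_max; pass a smaller value for a quick scan.
    """
    if not os.path.isdir(PROC):
        return {"supported": False, "self_pid": os.getpid(), "alive": set(), "hidden": []}
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    listed = _listed()
    alive = {pid for pid in range(1, max_pid + 1) if _alive(pid)}
    hidden = []
    for pid in sorted(alive - listed):
        tgid = _tgid(pid)
        if tgid is not None and tgid != pid:
            continue  # a thread: kill() accepts a tid, but /proc lists only thread-group leaders
        if not _alive(pid) or pid in _listed():
            continue  # exited, or was created, between the two passes
        # "missing" means even /proc/<pid>/status is gone: hidden from more than readdir.
        hidden.append({"pid": pid, "status_entry": "present" if tgid is not None else "missing"})
    return {"supported": True, "self_pid": os.getpid(), "alive": alive, "hidden": hidden}


def quick_scan():
    """Scan only up to this process's own pid: fast, and enough to show the method."""
    return scan_pids(max_pid=os.getpid() + 1)


if __name__ == "__main__":
    result = scan_pids()
    print(f"{len(result['alive'])} live pids, {len(result['hidden'])} hidden from /proc")
    for entry in result["hidden"]:
        print("hidden pid", entry)
```

A full scan issues one kill() per possible pid, so on systems with a large pid_max it takes a few seconds; that is the price of not trusting the listing you are auditing.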
Log Data Analysis
Wazuh agents read operating system and application logs, and securely forward them to a central manager for rule-based analysis and storage.
The Wazuh rules help make you aware of application or system errors, misconfigurations, attempted and/or successful malicious activities, policy violations and a variety of other security and operational issues.
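The server-side pipeline sketched in the two sections above (a decoder that extracts fields with regular expressions, atomic rules matched against the message, and composite rules that count matches per source within a time window) can be shown end to end on a handful of log lines. The block below is an added example written for this page, not Wazuh's analysis engine or ruleset: the log lines are constructed, the rule ids live in the 100000+ range Wazuh reserves for custom rules, and the regexes, levels and thresholds are the example's own, modeled on the frequency/timeframe mechanism of Wazuh rules. The final function shows where an active response (the Incident Response section below) would take its target from.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (not captured from a real host); RFC 5737 test addresses.
SAMPLE_LOG = """\
Jan 10 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4021 ssh2
Jan 10 10:00:03 host1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Jan 10 10:00:04 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 4023 ssh2
Jan 10 10:00:06 host1 sshd[1204]: Failed password for root from 203.0.113.5 port 4024 ssh2
Jan 10 10:00:07 host1 sshd[1205]: Failed password for root from 203.0.113.5 port 4025 ssh2
Jan 10 10:00:09 host1 sshd[1206]: Failed password for root from 203.0.113.5 port 4026 ssh2
Jan 10 10:00:15 host1 sshd[1207]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Jan 10 10:05:00 host1 sshd[1208]: Failed password for bob from 198.51.100.9 port 5100 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
# Decoder for sshd authentication messages: extracts the fields rules can test.
SSHD_AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) \w+ for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<srcip>\S+) port \d+"
)

# Atomic rules are tested in order and the first match wins.
ATOMIC_RULES = [
    {"id": 100002, "level": 5, "groups": ["authentication_failed"],
     "regex": re.compile(r"^Failed password for invalid user "),
     "description": "sshd: attempt to log in as a non-existent user"},
    {"id": 100001, "level": 5, "groups": ["authentication_failed"],
     "regex": re.compile(r"^Failed password for "),
     "description": "sshd: authentication failed"},
    {"id": 100003, "level": 3, "groups": ["authentication_success"],
     "regex": re.compile(r"^Accepted \w+ for "),
     "description": "sshd: authentication succeeded"},
]
# Composite rules count matches of a group per source address inside a time window,
# like <frequency>, <timeframe> and <same_source_ip> in a Wazuh rule.
COMPOSITE_RULES = [
    {"id": 100010, "level": 10, "if_matched_group": "authentication_failed",
     "frequency": 6, "timeframe": 120,
     "description": "sshd: brute force attempt (repeated failed logins from one source)"},
]


def decode(line):
    """Split a syslog line into fields; add sshd auth fields when the message has them."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = {"timestamp": m["ts"], "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
          "host": m["host"], "program": m["prog"], "message": m["msg"],
          "srcip": None, "user": None}
    if ev["program"] == "sshd":
        a = SSHD_AUTH_RE.match(ev["message"])
        if a:
            ev.update(srcip=a["srcip"], user=a["user"], outcome=a["outcome"].lower())
    return ev


def analyze(log_text):
    """One alert per matched event, escalated to the composite rule when its threshold is hit."""
    alerts = []
    windows = defaultdict(deque)  # (composite rule id, srcip) -> times of matched events
    for line in log_text.splitlines():
        ev = decode(line)
        if ev is None:
            continue
        rule = next((r for r in ATOMIC_RULES if r["regex"].search(ev["message"])), None)
        if rule is None:
            continue  # no rule matched, so no alert
        fired = rule
        for comp in COMPOSITE_RULES:
            if comp["if_matched_group"] not in rule["groups"]:
                continue
            win = windows[(comp["id"], ev["srcip"])]
            win.append(ev["time"])
            cutoff = ev["time"] - timedelta(seconds=comp["timeframe"])
            while win and win[0] < cutoff:
                win.popleft()
            if len(win) >= comp["frequency"]:
                fired = comp
                win.clear()  # start a fresh count once the composite rule has fired
        alerts.append({"rule_id": fired["id"], "level": fired["level"],
                       "description": fired["description"], "timestamp": ev["timestamp"],
                       "host": ev["host"], "srcip": ev["srcip"], "user": ev["user"]})
    return alerts


def response_targets(alerts, min_level=10):
    """Source addresses an active response (for example a firewall drop) would act on."""
    return sorted({a["srcip"] for a in alerts if a["level"] >= min_level and a["srcip"]})


if __name__ == "__main__":
    alerts = analyze(SAMPLE_LOG)
    for alert in alerts:
        print(f"{alert['timestamp']} rule {alert['rule_id']} level {alert['level']} "
              f"{alert['srcip']} {alert['description']}")
    print("block:", response_targets(alerts))
```

On the sample, the sixth failure from 203.0.113.5 within the window fires the level-10 composite rule instead of the level-5 atomic one, and that address is the only response target; the single failure from 198.51.100.9 stays a level-5 alert. The order of the atomic rules matters: the more specific "invalid user" rule is listed before the generic failure rule, which is the same discipline Wazuh rule authors apply with if_sid chains.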
File Integrity Monitoring
Wazuh monitors the file system, identifying changes in content, permissions, ownership and attributes of the files you choose to watch. In addition, it natively identifies the users and applications used to create or modify files (who-data, which relies on the operating system's audit subsystem, such as the Linux Audit framework).
File integrity monitoring capabilities can be used in combination with threat intelligence to identify threats or compromised hosts. In addition, several regulatory compliance standards, such as PCI DSS, require it.
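The core of file integrity monitoring is a baseline of content hashes and metadata that later scans are compared against, with the report naming what changed and which attribute changed. The block below is an added example of that comparison written for this page; it is not Wazuh's syscheck implementation and does not cover who-data (that needs the audit subsystem) or real-time change notification. The file tree and the tampering it applies are constructed inside a temporary directory so it runs anywhere.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Attributes compared between snapshots. mtime is recorded but not compared here, so
# the demo is deterministic even when baseline and change fall in the same second.
COMPARED = ("sha256", "size", "mode", "uid", "gid")


def _sha256(path):
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Content hash plus metadata for every regular file under root, keyed by relative path."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        out[p.relative_to(root).as_posix()] = {
            "sha256": _sha256(p), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
            "mtime": int(st.st_mtime),
        }
    return out


def diff(baseline, current):
    """Added, deleted and modified files, naming which attributes changed."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append({"path": path, "event": "added"})
        elif path not in current:
            events.append({"path": path, "event": "deleted"})
        else:
            changed = [k for k in COMPARED if baseline[path][k] != current[path][k]]
            if changed:
                events.append({"path": path, "event": "modified", "changed_attributes": changed})
    return events


def demo():
    """Build a small tree, take a baseline, tamper with it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "shadow").write_text("root:*:19000:0:99999:7:::\n")
        os.chmod(root / "etc" / "shadow", 0o600)
        baseline = snapshot(root)

        # Constructed tampering: a second uid-0 account, a world-readable shadow file
        # and a dropped preload hook. Each shows up as a different kind of event.
        with (root / "etc" / "passwd").open("a") as fh:
            fh.write("eve:x:0:0::/root:/bin/bash\n")
        os.chmod(root / "etc" / "shadow", 0o644)
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Note that the permission change on shadow is reported even though its content hash is unchanged; a checker that only hashes content would miss it, which is why ownership and mode belong in the baseline.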
Vulnerability Detection
Wazuh agents pull software inventory data and send this information to the server, where it is correlated with continuously updated CVE (Common Vulnerabilities and Exposures) databases in order to identify well-known vulnerable software.
Automated vulnerability assessment helps you find the weak spots in your critical assets and take corrective action before attackers exploit them to sabotage your business or steal confidential data.
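The correlation step above is a join between the package inventory and the CVE feed on package name, followed by a version comparison against each advisory's affected range. The block below is an added example of that logic written for this page, not Wazuh's vulnerability detector: the feed holds two published advisories (Heartbleed, CVE-2014-0160, and the sudo bug CVE-2021-3156) reduced to their upstream affected ranges, the inventory is constructed, and the version parser only understands dotted integers with a trailing letter or patch suffix. The last inventory entry shows the caveat a practitioner hits first: a distribution build such as "1.0.1e-2+deb7u5" may carry a backported fix, so an upstream range cannot decide it and the vendor's own feed has to be consulted.

```python
import re

# Version grammar this example understands: dotted integers with an optional
# letter/patch suffix ("1.0.1f", "1.9.5p1"). Suffixes compare as strings, which is
# right for these vendors' schemes but not a general-purpose version comparator.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]*\d*)")


def parse_version(text):
    """'1.0.1f' -> ((1, 0, 1), 'f'): numeric parts compare numerically and a bare
    release sorts before its lettered updates."""
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def is_affected(version, ranges):
    """True if version lies inside any inclusive (first, last) affected range."""
    v = parse_version(version)
    return any(parse_version(first) <= v <= parse_version(last) for first, last in ranges)


# Two published advisories reduced to their upstream affected ranges (inclusive).
# A real feed (NVD, vendor OVAL data) carries thousands of entries.
FEED = [
    {"cve": "CVE-2014-0160", "package": "openssl", "affected": [("1.0.1", "1.0.1f")]},
    {"cve": "CVE-2021-3156", "package": "sudo",
     "affected": [("1.8.2", "1.8.31p2"), ("1.9.0", "1.9.5p1")]},
]

# Constructed package inventory of the kind an agent's syscollector reports.
INVENTORY = [
    {"host": "host-a", "name": "openssl", "version": "1.0.1e"},
    {"host": "host-a", "name": "sudo", "version": "1.9.5p1"},
    {"host": "host-a", "name": "bash", "version": "5.1"},
    {"host": "host-b", "name": "openssl", "version": "1.0.2k"},
    {"host": "host-b", "name": "sudo", "version": "1.9.5p2"},
    # Distribution build: the vendor may have backported the fix without bumping
    # the upstream version, so an upstream range cannot decide this one.
    {"host": "host-c", "name": "openssl", "version": "1.0.1e-2+deb7u5"},
]


def correlate(inventory, feed):
    """Join inventory against the feed by package name and test each affected range."""
    by_package = {}
    for advisory in feed:
        by_package.setdefault(advisory["package"], []).append(advisory)
    findings = []
    for pkg in inventory:
        for advisory in by_package.get(pkg["name"], []):
            try:
                vulnerable = is_affected(pkg["version"], advisory["affected"])
            except ValueError:
                findings.append({**pkg, "cve": advisory["cve"], "status": "unknown",
                                 "reason": "distribution version string; consult the vendor feed"})
                continue
            if vulnerable:
                findings.append({**pkg, "cve": advisory["cve"], "status": "vulnerable"})
    return findings


if __name__ == "__main__":
    for finding in correlate(INVENTORY, FEED):
        print(finding)
```

Reporting "unknown" rather than silently skipping the distribution build is deliberate: a scanner that drops what it cannot parse produces a clean report for exactly the hosts it understands least.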
Configuration Assessment
Wazuh monitors system and application configuration settings to ensure they are compliant with your security policies, standards and/or hardening guides. Agents perform periodic scans to detect applications that are known to be vulnerable, unpatched, or insecurely configured.
Additionally, configuration checks can be customized to align with your organization's own policies. Alerts include recommendations for a better configuration, references, and a mapping to regulatory compliance requirements.
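A configuration assessment policy is a list of checks, each with a rule evaluated against a file or command output, a remediation text and compliance tags, and a scan produces pass/fail results plus a score. The block below is an added example of such a policy and scanner written for this page; it is not Wazuh's SCA module or one of its policy files. The sshd_config fragment is constructed, the checks are the example's own, and the compliance tags illustrate the mapping such a policy carries rather than citing a specific benchmark edition. It also encodes one detail that trips up naive checkers: sshd honours the first occurrence of a directive, so a hardening line appended after a permissive one has no effect.

```python
# Constructed sshd_config fragment, not copied from a real host.
SSHD_CONFIG = """\
# OpenSSH server configuration
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""

# Hypothetical policy in the spirit of a Wazuh SCA policy file. Rule kinds:
#   ("value_in", directive, allowed values)  and  ("max_int", directive, maximum).
# Compliance tags are illustrative examples of the mapping, not benchmark citations.
POLICY = [
    {"id": 1, "title": "Ensure SSH root login is disabled",
     "rule": ("value_in", "PermitRootLogin", {"no"}),
     "remediation": "Set 'PermitRootLogin no' in sshd_config and reload sshd.",
     "compliance": {"pci_dss": ["2.2.4"]}},
    {"id": 2, "title": "Ensure SSH password authentication is disabled",
     "rule": ("value_in", "PasswordAuthentication", {"no"}),
     "remediation": "Deploy keys for all users, then set 'PasswordAuthentication no'.",
     "compliance": {"pci_dss": ["2.2.4"]}},
    {"id": 3, "title": "Ensure SSH MaxAuthTries is 4 or less",
     "rule": ("max_int", "MaxAuthTries", 4),
     "remediation": "Set 'MaxAuthTries 4' (or lower) in sshd_config.",
     "compliance": {"pci_dss": ["2.2.4"]}},
    {"id": 4, "title": "Ensure SSH X11 forwarding is disabled",
     "rule": ("value_in", "X11Forwarding", {"no"}),
     "remediation": "Set 'X11Forwarding no' in sshd_config.",
     "compliance": {"pci_dss": ["2.2.4"]}},
    {"id": 5, "title": "Ensure only SSH protocol 2 is used",
     "rule": ("value_in", "Protocol", {"2"}),
     "remediation": "Set 'Protocol 2' in sshd_config.",
     "compliance": {"pci_dss": ["2.2.4"]}},
]


def directive(config_text, name):
    """Effective value of an sshd directive: sshd keeps the first occurrence, so a
    later, stricter line does not override an earlier permissive one. Match blocks
    are not handled; a full scanner would evaluate them separately."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip()
    return None


def evaluate(config_text, policy=POLICY):
    """Run every check of the policy against the config text and score the result."""
    results = []
    for check in policy:
        kind, name, expected = check["rule"]
        value = directive(config_text, name)
        if kind == "value_in":
            passed = value is not None and value.lower() in expected
        elif kind == "max_int":
            passed = value is not None and value.isdigit() and int(value) <= expected
        else:
            raise ValueError(f"unknown rule kind {kind!r}")
        results.append({"id": check["id"], "title": check["title"], "directive": name,
                        "found": value, "result": "passed" if passed else "failed",
                        "remediation": check["remediation"], "compliance": check["compliance"]})
    passed = sum(r["result"] == "passed" for r in results)
    return {"checks": results, "passed": passed, "failed": len(results) - passed,
            "score": round(100 * passed / len(results))}


if __name__ == "__main__":
    report = evaluate(SSHD_CONFIG)
    for check in report["checks"]:
        print(f"[{check['result']}] {check['id']} {check['title']} (found: {check['found']})")
        if check["result"] == "failed":
            print("   remediation:", check["remediation"])
    print(f"score {report['score']}% ({report['passed']} passed, {report['failed']} failed)")
```

A directive that is absent is reported as a failure here; a production policy would instead substitute the daemon's documented default for the installed version, since absent and insecure are not the same finding.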
Incident Response
Wazuh provides out-of-the-box active responses to perform various countermeasures to address active threats, such as blocking access to a system from the threat source when certain criteria are met.
In addition, Wazuh can be used to remotely run commands or system queries, identifying indicators of compromise (IOCs) and helping perform other live forensics or incident response tasks.
Regulatory Compliance
Wazuh provides some of the necessary security controls to become compliant with industry standards and regulations. These features, combined with its scalability and multi-platform support, help organizations meet technical compliance requirements.
Wazuh is widely used by payment processing companies and financial institutions to meet PCI DSS (Payment Card Industry Data Security Standard) requirements. Its web user interface provides reports and dashboards that can help with this and other regulations and frameworks, such as GDPR, NIST 800-53, GPG13, TSC SOC 2 and HIPAA.
Cloud Security Monitoring
Wazuh helps monitor cloud infrastructure at the API level, using integration modules that pull security data from well-known cloud providers such as Amazon AWS, Azure or Google Cloud. In addition, Wazuh provides rules to assess the configuration of your cloud environment and spot weaknesses.
Furthermore, Wazuh's lightweight, multi-platform agents are commonly used to monitor cloud environments at the instance level.
Containers Security
Wazuh provides security visibility into your Docker hosts and containers, monitoring their behavior and detecting threats, vulnerabilities and anomalies. The Wazuh agent has native integration with the Docker engine allowing users to monitor images, volumes, network settings, and running containers.
Wazuh continuously collects and analyzes detailed runtime information. For example, it alerts on containers running in privileged mode, vulnerable applications, a shell running inside a container, changes to persistent volumes or images, and other possible threats.