Components
The Wazuh platform provides XDR and SIEM features to protect your cloud, container, and server workloads. These include log data analysis, intrusion and malware detection, file integrity monitoring, configuration assessment, vulnerability detection, IT hygiene, and support for regulatory compliance.
The Wazuh solution is based on the Wazuh agent, which is deployed on monitored endpoints, and on three central components: the Wazuh manager, the Wazuh indexer, and the Wazuh dashboard.
The Wazuh indexer is a highly scalable, full-text search and analytics engine. It serves as the central data store for the Wazuh platform, indexing and storing security alerts, events, vulnerability data, and system inventory generated by Wazuh agents. The Wazuh indexer includes a set of purpose-built plugins that provide access control, reporting, and content management capabilities, including rules, decoders, integrations, key-value databases (KVDBs), and Indicators of Compromise (IoCs). It provides near real-time search and analytics capabilities, enabling security teams to investigate threats, monitor compliance, and gain visibility into their infrastructure.
The Wazuh manager transforms raw data received from the monitored endpoints and agentless devices into standardized schema documents using the Wazuh Common Schema (WCS). It decodes and enriches this data with threat intelligence and forwards it to the Wazuh indexer and other defined outputs. A single Wazuh manager can transform data from hundreds or thousands of Wazuh agents, and scale horizontally when set up as a cluster.
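The decode-and-enrich stages described above, sketched as an added Python example. This is not Wazuh manager code and does not implement the real Wazuh Common Schema: the dotted field names, the regex decoder, the sample sshd log lines, and the small in-memory dictionary standing in for a KVDB of indicators are all constructed assumptions chosen to show the shape of the pipeline (raw line in, decoded document out, enrichment from a lookup table, documents handed to an output sink).

```python
import re
import json

# Constructed sample input: sshd and cron lines of the kind an agent or an
# agentless SSH probe might forward. Not real captured data.
SAMPLE_LOGS = [
    "Mar  3 10:15:22 web01 sshd[2049]: Failed password for invalid user admin from 203.0.113.42 port 51234 ssh2",
    "Mar  3 10:15:30 web01 sshd[2051]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2",
    "Mar  3 10:16:01 web01 cron[2060]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Constructed key-value table standing in for a threat-intelligence KVDB.
# The addresses are RFC 5737 documentation ranges, not real indicators.
IOC_KVDB = {
    "203.0.113.42": {"threat": "brute-force scanner", "confidence": "high"},
}

# Assumed decoder pattern for OpenSSH authentication lines (illustrative only).
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"
)


def decode_sshd(line):
    """Decoder stage: map one raw sshd line onto a flat, schema-style document.

    Field names are illustrative assumptions, not the actual WCS field set.
    Returns None when the line does not belong to this decoder.
    """
    m = SSHD_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return {
        "agent.name": g["host"],
        "process.name": "sshd",
        "process.pid": int(g["pid"]),
        "event.category": "authentication",
        "event.outcome": "success" if g["outcome"] == "Accepted" else "failure",
        "user.name": g["user"],
        "source.ip": g["src_ip"],
        "source.port": int(g["src_port"]),
        "raw": line,
    }


def enrich(doc, kvdb):
    """Enrichment stage: look the source IP up in the KVDB and attach any match."""
    hit = kvdb.get(doc.get("source.ip"))
    if hit:
        doc["threat.indicator.description"] = hit["threat"]
        doc["threat.indicator.confidence"] = hit["confidence"]
    return doc


def process(lines, kvdb=IOC_KVDB):
    """Manager-style pipeline: decode, enrich, and collect documents for the output.

    Lines no decoder understands are dropped here; a real engine would try
    further decoders before giving up. Returns the documents that would be
    forwarded to the indexer.
    """
    out = []
    for line in lines:
        doc = decode_sshd(line)
        if doc is None:
            continue
        out.append(enrich(doc, kvdb))
    return out


if __name__ == "__main__":
    for d in process(SAMPLE_LOGS):
        print(json.dumps(d, indent=2))
```

Running the block prints two documents: the failed login from the listed address carries the threat-intelligence fields, the successful key-based login does not, and the cron line never reaches the output because no decoder claimed it. The point to take from it is the separation of concerns the manager enforces: decoders normalize, enrichment adds context from lookup tables, and only normalized, enriched documents are shipped to the indexer.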
The Wazuh dashboard provides the user interface for configuring the Wazuh manager and visualizing analyzed security data. It also supports the management of the Wazuh agent configuration, health status, notifications, and alerting integrations. The Wazuh dashboard includes out-of-the-box dashboards for threat hunting, regulatory compliance (e.g., PCI DSS, GDPR, CIS, HIPAA, NIST 800-53), detected vulnerable applications, file integrity monitoring data, configuration assessment results, cloud infrastructure monitoring events, and others.
The Wazuh agent is installed on endpoints such as laptops, desktops, servers, cloud instances, or virtual machines. It provides threat prevention, detection, and response capabilities. The Wazuh agent runs on operating systems such as Linux, Windows, and macOS.
In addition to agent-based monitoring, the Wazuh platform can monitor agentless devices such as firewalls, switches, routers, and network IDS sensors. For example, the logs of such a device can be collected by periodically probing it over SSH or through an API.
The diagram below represents the Wazuh components and data flow.