Getting started

Wazuh is an open source project for security detection, visibility and compliance. It was born as a fork of OSSEC HIDS and was then integrated with Elastic Stack and OpenSCAP, evolving into a more comprehensive solution. Below is a brief description of these tools and what they do:


OSSEC HIDS is a Host-based Intrusion Detection System (HIDS) used for security detection, visibility, and compliance monitoring. Its architecture is based on a multi-platform agent that forwards system data (e.g. log messages, file hashes, and detected anomalies) to a central manager, where it is further analyzed and processed, resulting in security alerts. Agents convey event data to the central manager via a secure and authenticated channel.

Additionally, OSSEC HIDS functions as a centralized syslog server and agentless configuration monitoring system, providing security insight into the events and changes on agentless devices such as firewalls, switches, routers, access points, network appliances, etc.


OpenSCAP is an OVAL (Open Vulnerability Assessment Language) and XCCDF (Extensible Configuration Checklist Description Format) interpreter used to check system configurations and to detect vulnerable applications.

It is a well-recognized tool for checking the compliance and hardening of systems against industry-standard security baselines for enterprise environments.

Elastic Stack

Elastic Stack is a suite of tools (Filebeat, Logstash, Elasticsearch, Kibana) used to collect, parse, index, store, search, and present log data. It provides a web frontend that gives a high-level dashboard view of events and supports advanced analytics and data mining deep into your store of event data.

This document will help you understand Wazuh components and the solution architecture. It will also show you some common use cases.