Wazuh isn’t just a SIEM; it’s a distributed security analytics platform that can tell you why an alert happened, not just that it happened.

Imagine you’ve got a bunch of machines – servers, workstations, maybe even network devices. Each one is spewing out logs. You need to collect them, make sense of them, and spot trouble. Wazuh does this by having three main pieces:

  1. Wazuh Manager: This is the brain. It receives logs from all your agents, analyzes them against its rules, and triggers alerts.
  2. Wazuh Agents: These are installed on the machines you want to monitor. They collect logs, check file integrity, detect vulnerabilities, and send all this data back to the manager.
  3. Wazuh Indexer (formerly Elasticsearch): This is where all the data goes for storage and searching. Wazuh uses it to store logs and alerts, allowing you to query them later.

Let’s get it installed on a single Linux machine for a basic setup. We’ll use Ubuntu 22.04 LTS.

First, update your system:

sudo apt update && sudo apt upgrade -y

Now, we need to add the Wazuh repository. This gives us access to their packages.

curl -s https://packages.wazuh.com/key/wazuh-packages-6.x.key | sudo apt-key add -
echo "deb https://packages.wazuh.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/wazuh.list

Note: The lsb_release -cs command dynamically gets your Ubuntu codename (e.g., jammy). This ensures you get the correct repository for your version.

Time to install the full suite: manager, indexer, and dashboard.

sudo apt update
sudo apt install wazuh-indexer wazuh-manager wazuh-dashboard -y

This single command pulls in all three components. The installer will prompt you to configure the indexer. For a single-node setup, just press Enter to accept the defaults. It will also ask you to set a password for the kibana user (which Wazuh uses for its dashboard). Make sure to save this password!

After installation, you need to start and enable the services.

sudo systemctl daemon-reload
sudo systemctl enable wazuh-indexer
sudo systemctl enable wazuh-manager
sudo systemctl enable wazuh-dashboard
sudo systemctl start wazuh-indexer
sudo systemctl start wazuh-manager
sudo systemctl start wazuh-dashboard

These commands ensure the services start automatically on boot and then start them immediately.

The indexer needs a moment to start up properly. You can check its status:

sudo systemctl status wazuh-indexer

Look for active (running).

Now, you can access the Wazuh dashboard. Open your web browser and go to https://<your_server_ip>. You’ll likely see a security warning because the dashboard uses a self-signed certificate. Proceed past the warning. Log in with the username admin and the password you set during the installation for the kibana user.

You’ve got a working Wazuh instance! The manager is configured to listen for agents, the indexer is storing data, and the dashboard is showing you the interface.

What’s surprising is how deeply integrated these components are, especially the indexer and manager. The manager doesn’t just send alerts; it sends raw logs and security events to the indexer, which then makes them searchable. The rules on the manager are what parse and enrich these logs before they’re fully indexed.

Let’s add an agent. On a different Linux machine (or even the same one, though less common for real-world monitoring), install the agent:

curl -s https://packages.wazuh.com/key/wazuh-packages-6.x.key | sudo apt-key add -
echo "deb https://packages.wazuh.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update
sudo apt install wazuh-agent -y

Now, configure the agent to point to your manager. Edit the ossec.conf file:

sudo nano /var/ossec/etc/ossec.conf

Find the <client> section and update the <server-ip> to the IP address of your Wazuh manager.

<client>
  <server-ip>192.168.1.100</server-ip> <!-- Replace with your manager's IP -->
  <discovery>no</discovery>
</client>

Save and close the file.

Restart the agent service:

sudo systemctl restart wazuh-agent

Back on your Wazuh manager, you should see the agent appear in the dashboard under Agents. If it doesn’t, you might need to check firewall rules (port 514 for syslog, 1514/1515 for agent communication) or ensure the agent is running.

The manager sends a confirmation request to the agent. You’ll see a pending agent. Click Accept on the dashboard to approve it. Once accepted, the agent will start sending logs and security events.

The rules engine is incredibly powerful. Wazuh comes with hundreds of pre-built rules that can detect common threats, policy violations, and system misconfigurations. For example, a rule might trigger if someone tries to log in with invalid credentials too many times. The manager analyzes the raw logs from the agent against these rules.

One thing people often overlook is the local_rules.xml file on the manager (/var/ossec/etc/rules/local_rules.xml). This is where you add your own custom rules without overwriting the default ones. If you want to detect a very specific log pattern unique to your application, you write a rule here. The manager reloads these rules automatically, making it a live tuning environment.
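Two custom rules for local_rules.xml, added here as an example and not taken from the original post. Both use Wazuh's documented rule syntax; the rule ids 100100 and 100101, the program name billing-api, and the matched text are assumptions.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml; not from the original post.
     Rule ids 100100-100101 and the program name "billing-api" are assumptions.
     Custom ids must be 100000 or higher so they never collide with stock rules. -->
<group name="local,">

  <!-- Rule 1: correlate the stock "sshd: authentication failed" rule (id 5716).
       Fires when that rule has matched repeatedly from the same source address
       inside a 120-second window; level 10 makes it stand out in the dashboard. -->
  <rule id="100100" level="10" frequency="5" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Repeated SSH authentication failures from a single source (custom threshold)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failed,sshd,</group>
  </rule>

  <!-- Rule 2: a pattern specific to one of your own applications. The agent ships
       the line as syslog, so the decoder exposes the program name; <match> is a
       plain substring test on the log text (use <regex> for OS_Regex syntax). -->
  <rule id="100101" level="8">
    <program_name>^billing-api$</program_name>
    <match>payment token reused</match>
    <description>billing-api reported reuse of a one-time payment token</description>
    <group>application,</group>
  </rule>

</group>
```

Feed a sample log line through /var/ossec/bin/wazuh-logtest on the manager to confirm which rule fires and at what level before relying on it.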

The next step is to explore the different types of active responses Wazuh can perform, like automatically blocking an IP address that’s repeatedly failing logins.
