Wazuh is an open source Host-based Intrusion Detection System (HIDS) that unifies XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) into a single solution for protecting endpoints, servers, containers, and cloud workloads.

Wazuh was originally forked from OSSEC in 2015 and has since evolved into a full-featured platform.

Architecture & Components

Agent-Manager-Indexer

  • Agents run on each monitored host (Linux/Windows/macOS/cloud instance/container), collecting logs, file-integrity events, vulnerability data, and configuration settings.
  • A central manager combines and normalises these events, applies detection rules, and coordinates active responses.
  • An Indexer (OpenSearch/Elasticsearch) stores and indexes all telemetry, while Kibana (or OpenSearch Dashboards) provides visualisation and querying interfaces.

Features

Real-Time threat detection

HIDS, malware and rootkit detection, log-data analytics, and threat-intelligence integration for correlating alerts across sources.
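To make the manager's rule-evaluation and correlation step concrete, here is an added Python illustration (not Wazuh's own code) of how a frequency/timeframe rule chained to a base rule with if_matched_sid turns a burst of low-level events into one higher-level alert. The rule ids, regexes, thresholds and log lines are constructed for this example and are a simplified model of the Wazuh <rule> semantics, not the real ruleset.

```python
import re
from collections import defaultdict, deque

# Constructed rules modelled on Wazuh-style <rule> elements: a base rule with a
# regex, and a composite rule that fires when the base rule matched
# `frequency` times within `timeframe` seconds (if_matched_sid). Ids are
# example values, not taken from the Wazuh ruleset.
RULES = [
    {"id": 100010, "level": 5,
     "regex": re.compile(r"Failed password for invalid user"),
     "description": "sshd: attempt to login using a non-existent user"},
    {"id": 100012, "level": 10, "if_matched_sid": 100010,
     "frequency": 8, "timeframe": 120,
     "description": "sshd: brute force trying to get access to the system"},
]


class Correlator:
    """Keeps per-rule match history so composite rules can count prior hits."""

    def __init__(self, rules):
        self.rules = rules
        self.history = defaultdict(deque)  # rule id -> timestamps of matches

    def evaluate(self, ts, line):
        """Return (rule_id, level) of the highest-level rule fired, or None."""
        fired = []
        for rule in self.rules:  # first pass: atomic regex rules
            if "regex" in rule and rule["regex"].search(line):
                self.history[rule["id"]].append(ts)
                fired.append((rule["id"], rule["level"]))
        for rule in self.rules:  # second pass: composite (frequency) rules
            sid = rule.get("if_matched_sid")
            if sid is None or all(r != sid for r, _ in fired):
                continue
            window = self.history[sid]
            while window and ts - window[0] > rule["timeframe"]:
                window.popleft()  # drop matches outside the timeframe
            if len(window) >= rule["frequency"]:
                fired.append((rule["id"], rule["level"]))
                window.clear()  # reset so the alert is not repeated per event
        # Like the manager, keep only the single highest-level match per event.
        return max(fired, key=lambda f: f[1]) if fired else None


def run_sample():
    """Feed constructed sshd lines (TEST-NET addresses) at 10-second intervals."""
    lines = [(10 * i, "Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2")
             for i in range(9)]
    lines.append((90, "Accepted publickey for alice from 198.51.100.7 port 5000 ssh2"))
    c = Correlator(RULES)
    return [c.evaluate(ts, line) for ts, line in lines]
```

Running run_sample() yields seven level-5 alerts, one level-10 brute-force alert on the eighth failure, a level-5 alert again once the window resets, and no alert for the successful login.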

File integrity monitoring (FIM)

Watches critical files, directories, and registry keys for any unauthorised changes, with eBPF (Extended Berkeley Packet Filter) support for efficient Linux monitoring.

Vulnerability & Configuration assessment

Continuously scans for OS and application vulnerabilities and checks system configuration against best-practice policies.

Active Response & XDR

Automates containment actions (e.g., isolating endpoints, blocking IPs) and stitches together multi-stage attack “stories” to guide analysts through patient-zero, lateral-movement, and exfiltration events.

Cloud & container security

Native integrations for AWS, Azure, Google Cloud Platform (GCP), Microsoft 365, Docker and Kubernetes to monitor workloads and posture, supporting compliance with standards such as PCI DSS, GDPR, HIPAA and NIST CFM.

Deployment

Wazuh can be deployed fully on-premises or via the Wazuh Cloud managed service for rapid, scalable provisioning without vendor lock-in.

License

GNU GPL v2

Use case

Organisations use Wazuh for unified security monitoring, incident response, regulatory compliance reporting, and proactive threat hunting. The community continuously contributes new detection rules, integrations, and improvements.