What is Wazuh?

Wazuh is a free, open-source platform used for security monitoring, threat detection, and incident response. It combines the functions of SIEM (Security Information and Event Management) and XDR (Extended Detection and Response).

Simply put: if Suricata (which we wrote about earlier) is the guard watching the gate (network), then Wazuh is the system of cameras and sensors inside every room (server). It analyzes what is happening on the system itself.

How Does Wazuh Work?

The system has two main components, plus an indexer and a dashboard that store and display what they produce:

  1. Wazuh Agent: A small program installed on monitored hosts (Linux, Windows, macOS and several Unix flavours). It collects logs, monitors files, inventories installed packages and running processes, and forwards the data to the manager over an encrypted channel (port 1514 by default; enrolment uses port 1515).
  2. Wazuh Server (Manager): The central brain that receives data from agents, decodes it, matches it against the ruleset (several thousand rules out of the box, plus any you write), and generates alerts.

Alerts are then indexed by the Wazuh Indexer (an OpenSearch fork) and visualized in the Wazuh Dashboard (built on OpenSearch Dashboards, itself a Kibana fork), allowing for easy incident review.

Key Features for a Linux Administrator

1. File Integrity Monitoring (FIM)

This is one of the most important features. Wazuh records hashes (MD5, SHA-1 and SHA-256) together with the permissions, owner, size and modification time of monitored files and directories (e.g., /etc/passwd, /bin/ls, Apache/Nginx configs). If an attacker or a malicious script changes a file's content or attributes, Wazuh raises an alert: on the next scheduled scan by default, or immediately if real-time monitoring is enabled for that directory. With who-data (audit-based monitoring on Linux) the alert also names the user and process that made the change:

“Warning! File /etc/shadow was modified by user www-data!”
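To make the mechanism concrete, here is an added example (not Wazuh's own syscheck code) of the baseline-and-compare loop behind file integrity monitoring: hash a list of files once, then report anything whose hash changed or that disappeared. It assumes GNU coreutils (sha256sum) and runs its demo on constructed files in a temporary directory rather than on real system paths.

```shell
#!/bin/sh
# Constructed file-integrity check (not Wazuh's syscheck): record a SHA-256
# baseline for a list of files, then report files whose hash changed or
# that disappeared. Wazuh's syscheck records hashes plus permissions, owner,
# size and mtime and can watch directories in real time; this shows only
# the core mechanism. Assumes GNU coreutils (sha256sum).

# fim_baseline BASELINE FILE... : write "hash  path" lines, one per file
fim_baseline() {
    baseline=$1; shift
    for f in "$@"; do
        sha256sum "$f"
    done | sort -k2 > "$baseline"
}

# fim_check BASELINE : print one line per MODIFIED or DELETED file, nothing
# when everything matches. Returns 1 if anything changed, so it can run
# from cron and alert on a non-zero status.
fim_check() {
    baseline=$1
    changed=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "DELETED  $path"; changed=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$expected" ]; then
            echo "MODIFIED $path"; changed=1
        fi
    done < "$baseline"
    return $changed
}

# Demo on constructed files in a temporary directory: take a baseline,
# then simulate a backdoor account being appended to a passwd-like file.
demo_fim() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"
    printf 'ServerName example.test\n' > "$tmp/httpd.conf"
    fim_baseline "$tmp/baseline" "$tmp/passwd" "$tmp/httpd.conf"
    printf 'backdoor:x:0:0::/root:/bin/bash\n' >> "$tmp/passwd"
    fim_check "$tmp/baseline"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo_fim || echo "changes detected, exit status $?"
```

The weakness of a plain baseline file is that an attacker with root can rewrite it along with the file; Wazuh avoids this by keeping the baseline on the manager, which is also why agent-to-manager transport is encrypted.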

2. Vulnerability Detector

The agent inventories the packages installed on the host; the manager compares each version with the security advisories published by the distribution vendor (Canonical, Debian, Red Hat and others) and with NVD data. Thanks to this, you know, for example, that your OpenSSL package is below the version that fixed a published CVE and needs updating. Because distributions backport fixes without bumping the upstream version number, it is the vendor feed for your distribution, not the upstream version alone, that decides whether a package is flagged.
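The comparison at the heart of this is "installed version orders before fixed version", and package versions do not sort like strings. The following added example (not Wazuh's code) shows that check over a constructed package list and a constructed advisory list with made-up version numbers and no real CVE data, using GNU sort -V for the ordering; on Debian-family systems dpkg --compare-versions implements the exact package ordering and is the better choice in a real script.

```shell
#!/bin/sh
# Constructed illustration of the comparison a vulnerability detector makes:
# a package is flagged when its installed version is older than the version
# an advisory names as fixed. Wazuh does this on the manager against the
# distribution vendors' security feeds; here both lists are inline and
# made up (no real CVE data), and ordering comes from GNU 'sort -V'.

# version_lt A B : true when version A orders strictly before version B
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# scan_packages INSTALLED ADVISORIES : both are "name version" lines.
# Prints "name installed -> fixed" for each installed package still below
# the fixed version; packages not installed on the host are ignored.
scan_packages() {
    installed=$1; advisories=$2
    printf '%s\n' "$advisories" | while read -r name fixed; do
        cur=$(printf '%s\n' "$installed" | awk -v n="$name" '$1 == n { print $2; exit }')
        [ -n "$cur" ] || continue
        if version_lt "$cur" "$fixed"; then
            echo "$name $cur -> $fixed"
        fi
    done
}

# Constructed sample data with made-up version numbers. openssl is one
# revision behind (and 1.2.3-9 would wrongly sort AFTER 1.2.3-10 as a
# string), nginx is already at the fixed version, sudo is not installed,
# and curl has no advisory, so only openssl is reported.
INSTALLED='openssl 1.2.3-9
nginx 2.0.0-3
curl 7.0.1-1'
ADVISORIES='openssl 1.2.3-10
nginx 2.0.0-3
sudo 1.9.0-1'

scan_packages "$INSTALLED" "$ADVISORIES"
```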

3. Log Analysis and Intrusion Detection

Wazuh decodes system and application logs (syslog, auth.log, web server access logs, application logs) and matches them against its rules. It can detect, for example:

  • Multiple failed SSH login attempts from one source in a short time (brute force).
  • Execution of sudo by a user who is not in sudoers.
  • Web server requests whose URL contains SQL injection patterns.
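The first two detections, written out as an added example (these are awk one-liners of my own, not Wazuh's rules) over a constructed auth.log excerpt. The sample lines are made up but follow the formats OpenSSH and sudo actually write, the addresses come from the 203.0.113.0/24 documentation range, and both functions read a log on stdin so they also work on a real /var/log/auth.log.

```shell
#!/bin/sh
# Two auth-log detections as constructed examples (not Wazuh's rules):
# SSH password brute force, and sudo use by a user who is not in sudoers.
# Both read the log on stdin. The sample log below is made up.

# ssh_bruteforce THRESHOLD : print "ip count" for every source IP with at
# least THRESHOLD "Failed password" lines. Wazuh's sshd rules do the same
# correlation with a time window (frequency within timeframe); here the
# window is simply the whole input.
ssh_bruteforce() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }'
}

# sudo_unauthorized : print "user command" for each sudo attempt rejected
# because the user is not in sudoers. sudo logs these as
# "sudo: <user> : user NOT in sudoers ; TTY=... ; COMMAND=<cmd>".
sudo_unauthorized() {
    awk '/ sudo: / && /user NOT in sudoers/ {
            user = $6
            sub(/.*COMMAND=/, "")
            print user, $0
        }'
}

# Constructed sample log: five failures from one host within seconds, one
# stray failure from a legitimate admin, one rejected sudo, one allowed.
AUTH_LOG='Mar  3 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:02 web1 sshd[2102]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  3 10:00:03 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:04 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 10:00:05 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:09 web1 sshd[2106]: Accepted publickey for deploy from 203.0.113.20 port 40022 ssh2
Mar  3 10:01:30 web1 sshd[2110]: Failed password for alice from 203.0.113.20 port 40100 ssh2
Mar  3 10:02:00 web1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:02:10 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx'

printf '%s\n' "$AUTH_LOG" | ssh_bruteforce 5
printf '%s\n' "$AUTH_LOG" | sudo_unauthorized
```

With the threshold at 5 only 203.0.113.7 is reported; alice's single typo from 203.0.113.20 stays below it, which is the point of thresholds: the rule should fire on a pattern, not on one event.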

4. Active Response

Wazuh doesn’t just “watch”; it can also “act.” You can configure it so that a specific alert (e.g., a brute-force attack) runs a script on the agent that raised it: the bundled firewall-drop script blocks the attacker’s IP address in the host firewall (iptables) for a specified time and removes the rule when the timeout expires, and other bundled scripts add the address to /etc/hosts.deny or disable an account. Whitelist your own management addresses before turning this on, or the first false positive will lock you out of your own server.
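The manager-side configuration for that, as an added example (my own, not from the Wazuh project), wrapped in a small generator that refuses to emit it without at least one whitelisted address. Assumptions: rule 5763 is the sshd brute-force rule in your ruleset (it is in the default ruleset, but confirm for your version), the timeout is in seconds, and you merge the output into /var/ossec/etc/ossec.conf on the manager, with the white_list lines going into the existing <global> section.

```shell
#!/bin/sh
# Constructed example (not from the Wazuh project) of the manager-side
# configuration behind automatic blocking, with the guard every such setup
# needs: a whitelist. An auto-blocker with no exceptions will sooner or
# later drop the administrator's own address, a vulnerability scanner, or
# the monitoring host. The <command> and <active-response> elements use
# Wazuh's bundled firewall-drop script; <location>local</location> runs it
# on the agent that raised the alert, and <timeout> makes the block expire.
# Assumption: rule 5763 is the sshd brute-force rule in your ruleset.

# ar_config TIMEOUT_SECONDS WHITELIST_IP... : print the fragment, or refuse
ar_config() {
    timeout=$1; shift
    if [ $# -eq 0 ]; then
        echo "refusing to enable firewall-drop without a whitelisted admin IP" >&2
        return 1
    fi
    case $timeout in
        ''|*[!0-9]*) echo "timeout must be a positive integer (seconds)" >&2; return 1 ;;
    esac
    echo '<ossec_config>'
    echo '  <global>'
    for ip in "$@"; do
        echo "    <white_list>$ip</white_list>"
    done
    echo '  </global>'
    cat <<EOF

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5763</rules_id>
    <timeout>$timeout</timeout>
  </active-response>
</ossec_config>
EOF
}

# Block for ten minutes; never block the admin jump host or the scanner
# (both addresses are documentation-range placeholders).
ar_config 600 203.0.113.10 198.51.100.1
```

Keep the timeout short at first: a permanent block turns a brute-force attempt from a nuisance into a denial-of-service lever against anything that shares the attacker's NAT address.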

Integration with Suricata

Wazuh and Suricata complement each other well. The Wazuh Agent can read the eve.json file generated by Suricata as a JSON log source, and the manager ships a decoder and rules for Suricata events, so network alerts (from Suricata) and host alerts (from the Agent) land in one panel (Wazuh Dashboard) and can be correlated by source address. This gives a complete picture of your infrastructure’s security.

Installing the Agent (Quick Start)

Installing the full Wazuh server is more involved (the project provides an all-in-one installation script and a Docker Compose deployment), but installing the Agent on your Linux server is trivial.

  1. Add the Wazuh GPG key and repository.
  2. Install the wazuh-agent package. On Debian/Ubuntu and RHEL-family systems, setting WAZUH_MANAGER=<manager address> in the environment during installation fills in the manager address for you.
  3. Otherwise, edit /var/ossec/etc/ossec.conf and put the IP address or hostname of your Wazuh server in <client><server><address>.
  4. Start the service:
    sudo systemctl daemon-reload
    sudo systemctl enable wazuh-agent
    sudo systemctl start wazuh-agent
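The four steps as one script, with the Suricata eve.json collector from the integration section registered at the same time. This is an added example of my own, not the project's installer: the key and repository commands are the ones documented for the Wazuh 4.x apt repository, so it targets Debian/Ubuntu; MANAGER (the manager's IP or hostname) is the only value you supply. It assumes Suricata writes to its default /var/log/suricata/eve.json and that ossec.conf is the package default, whose <server> entry holds the placeholder <address>MANAGER_IP</address> until it is replaced.

```shell
#!/bin/sh
# Agent enrolment on a Debian/Ubuntu host as one script (constructed
# example, not from the Wazuh project). Run as root: ./enrol.sh MANAGER
# Assumptions: default eve.json path, package-default ossec.conf with the
# <address>MANAGER_IP</address> placeholder in its <server> entry.
set -e

CONF=${CONF:-/var/ossec/etc/ossec.conf}
EVE_JSON=${EVE_JSON:-/var/log/suricata/eve.json}

# install_agent MANAGER : add key and repo, install the package. Exporting
# WAZUH_MANAGER makes the package post-install script fill in the address.
install_agent() {
    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH \
        | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
    chmod 644 /usr/share/keyrings/wazuh.gpg
    echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \
        > /etc/apt/sources.list.d/wazuh.list
    apt-get update
    WAZUH_MANAGER="$1" apt-get install -y wazuh-agent
}

# set_manager_address CONF MANAGER : rewrite the first <address>...</address>
# (the <client><server> entry). Writes back through 'cat' so the file keeps
# the owner and mode the package set instead of inheriting the temp file's.
set_manager_address() {
    conf=$1; manager=$2
    awk -v m="$manager" '
        !done && /<address>/ {
            sub("<address>[^<]*</address>", "<address>" m "</address>"); done = 1
        }
        { print }' "$conf" > "$conf.tmp"
    cat "$conf.tmp" > "$conf"
    rm -f "$conf.tmp"
}

# add_suricata_localfile CONF EVE_JSON : collect eve.json as JSON events so
# Wazuh's Suricata decoder and rules apply. Appended as its own
# <ossec_config> block (the parser accepts several; paste the <localfile>
# into the existing block if you prefer). Idempotent: skips if present.
add_suricata_localfile() {
    conf=$1; eve=$2
    if grep -qF "<location>$eve</location>" "$conf"; then
        return 0
    fi
    cat >> "$conf" <<EOF

<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>$eve</location>
  </localfile>
</ossec_config>
EOF
}

# provision MANAGER : the whole procedure, in order
provision() {
    install_agent "$1"
    set_manager_address "$CONF" "$1"
    add_suricata_localfile "$CONF" "$EVE_JSON"
    systemctl daemon-reload
    systemctl enable --now wazuh-agent
}

if [ -n "${1-}" ]; then
    provision "$1"
fi
```

After the agent starts, check /var/ossec/logs/ossec.log on the agent for "Connected to the server" and confirm the agent shows as active in the dashboard before relying on any of its alerts.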
    

Summary

Wazuh is a powerful tool that brings enterprise-level security to your servers while remaining a completely free solution. Combined with Suricata, it gives you complete insight into what is happening in your infrastructure, allowing you to sleep more soundly.