Wazuh is a free, open-source SIEM/XDR platform for security monitoring, threat detection, and incident response. While Suricata watches network traffic, Wazuh monitors what happens on the hosts themselves — file changes, log anomalies, vulnerabilities, and suspicious process activity.

How Does Wazuh Work?

The system consists of two main components:

  1. Wazuh Agent: A small program installed on monitored servers (Linux, Windows, macOS). It collects logs, monitors files, and sends data to the central server.
  2. Wazuh Server (Manager): The central brain that receives data from agents, analyzes it based on thousands of rules, and generates alerts.

The data is then visualized in the Wazuh Dashboard (based on OpenSearch/Kibana), allowing for easy incident review.

Key Features for a Linux Administrator

1. File Integrity Monitoring (FIM)

This is one of the most important features. Wazuh creates checksums (hashes) of critical system files (e.g., /etc/passwd, /bin/ls, Apache/Nginx configs). If a hacker or malicious script changes the file content, Wazuh immediately generates an alert.

“Warning! File /etc/shadow was modified by user www-data!”

2. Vulnerability Detector

The Wazuh agent inventories installed packages and compares their versions against the CVE (Common Vulnerabilities and Exposures) databases for your distribution (Debian, Ubuntu, Red Hat). That way you learn, for example, that your OpenSSL version has a known vulnerability and needs updating.

3. Log Analysis and Intrusion Detection

Wazuh analyzes system logs (syslog, auth.log, application logs). It can detect, for example:

  • Multiple failed SSH login attempts (Brute Force).
  • Execution of sudo by an unauthorized user.
  • Application errors indicating an SQL Injection attempt.

4. Active Response

Wazuh doesn’t just “watch”; it can also “act.” You can configure it to automatically block the attacker’s IP address in iptables or firewalld for a specified time in response to a specific alert (e.g., a Brute Force attack).

Integration with Suricata

Wazuh and Suricata are a perfect duo. The Wazuh Agent can read the eve.json file generated by Suricata. This allows you to see both network alerts (from Suricata) and system alerts (from the Agent) in one panel (Wazuh Dashboard). This gives a complete picture of your infrastructure’s security.

Installing the Agent (Quick Start)

Installing the full Wazuh server is complex (Docker is often used for this), but installing the Agent on your Linux server is trivial.

  1. Add the Wazuh GPG key and repository.
  2. Install the wazuh-agent package.
  3. Edit /var/ossec/etc/ossec.conf and enter the IP address of your Wazuh server.
  4. Start the service:
    sudo systemctl enable wazuh-agent
    sudo systemctl start wazuh-agent
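An added example, not from the original post, covering step 3 of the quick start (pointing the agent at the manager) together with the eve.json collection described in the Suricata section. It assumes the stock agent ossec.conf ships with a MANAGER_IP placeholder inside <client><server>; the manager address 10.0.0.5 and the trimmed sample config are constructed for the offline check.

```shell
#!/bin/sh
# Added example, not from the original post: step 3 of the quick start
# (point the agent at the manager) plus the eve.json <localfile> from the
# Suricata section. On a host, run it against /var/ossec/etc/ossec.conf;
# make_sample_conf builds a constructed, trimmed stand-in for offline checks.

# Constructed stand-in for the stock agent ossec.conf (placeholder as shipped).
make_sample_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
EOF
  echo "$f"
}

# Step 3: replace the MANAGER_IP placeholder. Refuses to touch a file without
# it, so an already configured agent is never silently repointed.
set_manager_address() {
  conf="$1"; manager="$2"
  grep -q '<address>MANAGER_IP</address>' "$conf" || { echo "no MANAGER_IP placeholder in $conf" >&2; return 1; }
  sed "s|<address>MANAGER_IP</address>|<address>${manager}</address>|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}
# Read back the configured manager address (first <address> element).
manager_address() {
  sed -n 's|.*<address>\([^<]*\)</address>.*|\1|p' "$1" | head -n 1
}

# Suricata integration: have the agent collect eve.json as JSON. Idempotent,
# so re-running never duplicates the <localfile> block.
add_suricata_localfile() {
  conf="$1"
  grep -q '<location>/var/log/suricata/eve.json</location>' "$conf" && return 0
  awk '/<\/ossec_config>/ && !added { print "  <localfile>"
         print "    <log_format>json</log_format>"
         print "    <location>/var/log/suricata/eve.json</location>"
         print "  </localfile>"; added = 1 }
       { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# On the host (10.0.0.5 is an example address): set_manager_address /var/ossec/etc/ossec.conf 10.0.0.5 \
#   && add_suricata_localfile /var/ossec/etc/ossec.conf && sudo systemctl restart wazuh-agent
```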

Paired with Suricata for network-level detection, Wazuh provides full-stack security visibility across an infrastructure.