Wazuh
Overview
Wazuh digunakan sebagai platform Security Information and Event Management (SIEM) untuk monitoring keamanan.
Architecture
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Wazuh Agent │────▶│ Wazuh Manager│────▶│ OpenSearch │
│ (per host) │ │ (Processing)│ │ (Storage) │
│ │ │ │ │ │
│ • Log collect│ │ • Rule eval │ │ • Indexing │
│ • FIM │ │ • Correlation│ │ • Dashboard │
│ • Rootcheck │ │ • Alert gen │ │ • Alerting │
└──────────────┘ └──────────────┘ └──────────────┘
Components
Wazuh Manager
wazuh-manager:
image: wazuh/wazuh-manager:4.14.5
container_name: wazuh-manager
ports:
- "1514:1514/tcp"
- "1514:1514/udp"
- "1515:1515"
- "55000:55000"
volumes:
- wazuh-logs:/var/ossec/logs
- wazuh-etc:/var/ossec/etc
- wazuh-queue:/var/ossec/queue
mem_limit: 256m
cpus: "0.25"
healthcheck:
test: ["CMD-SHELL", "pgrep -f wazuh-analysisd > /dev/null && echo OK || exit 1"]
interval: 30s
timeout: 5s
retries: 5
start_period: 60s
Wazuh Agent
# Install Wazuh Agent
sudo WAZUH_MANAGER="10.8.0.48" dnf install -y wazuh-agent
# Configure agent
sudo vi /var/ossec/etc/ossec.conf
# Start agent
sudo systemctl start wazuh-agent
sudo systemctl enable wazuh-agent
Agent Configuration
/var/ossec/etc/ossec.conf
<ossec_config>
<client>
<server>
<address>10.8.0.48</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>centos, centos8</config-profile>
</client>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<syscheck>
<frequency>3600</frequency>
<scan_on_start>yes</scan_on_start>
<alert_new_files>yes</alert_new_files>
</syscheck>
</ossec_config>
Rules
Default Rules
| Rule ID | Description | Severity |
|---|---|---|
| 1001 | Multiple authentication failures | High |
| 1002 | User login failed | Low |
| 1003 | User login successful | Info |
| 1811 | SSH brute force attack | High |
| 2501 | File integrity change | Medium |
| 2502 | File integrity deletion | High |
Custom Rules
<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="local,syslog,">
<rule id="100100" level="10">
<if_sid>1002</if_sid>
<field name="srcip">!10.8.0.0/16</field>
<description>Brute force attack from outside network</description>
<group>authentication_failures,pci_dss_10.2.4,</group>
</rule>
<rule id="100101" level="12">
<if_sid>1811</if_sid>
<frequency>5</frequency>
<timepan>60</timespan>
<description>SSH brute force - 5 attempts in 60 seconds</description>
<group>authentication_failures,pci_dss_10.2.4,</group>
</rule>
</group>
Alerting
OpenSearch Alerting
{
"type": "monitor",
"name": "Wazuh High Severity Alert",
"monitor_type": "query_level",
"checks": [
{
"query": {
"size": 0,
"query": {
"bool": {
"filter": [
{ "range": { "rule_level": { "gte": 10 } } },
{ "term": { "alert_status": "active" } }
]
}
}
}
}
],
"triggers": [
{
"severity": 1,
"condition": {
"script": { "source": "ctx.results[0].hits.total.value > 0" }
},
"actions": [
{
"name": "telegram-notification",
"destination_id": "telegram-webhook",
"message_template": {
"source": "High severity Wazuh alert detected: {{ctx.results[0].hits.total.value}} alerts"
}
}
]
}
]
}
Monitoring
Check Agent Status
# On Wazuh Manager
curl -sk -u admin:MyStrong@OpenSearch2026! \
https://localhost:55000/agents \
-H "Authorization: Bearer <token>"
Check Alerts
# Tail alerts
docker exec wazuh-manager tail -f /var/ossec/logs/alerts/alerts.json
# Query OpenSearch
curl -sk -u admin:MyStrong@OpenSearch2026! \
https://localhost:9200/wazuh-alerts-*/_search \
-H 'Content-Type: application/json' \
-d '{
"query": {
"bool": {
"must": [
{ "range": { "rule_level": { "gte": 10 } } }
]
}
},
"size": 10
}'
Next Steps
- OpenSearch - OpenSearch configuration
- Data Pipeline - Pipeline overview
- Security - Security overview