Wazuh
Wazuh is an open-source security platform that provides:
- SIEM (Security Information and Event Management)
- XDR (Extended Detection & Response)
- Log collection and analysis
- File Integrity Monitoring (FIM)
- Vulnerability detection
- Intrusion detection (host-based IDS)
- Compliance mapping (PCI DSS, GDPR, HIPAA)
- Security automation (active response) and alerting
Wazuh consists of the Wazuh agent, the Wazuh manager, Filebeat, the Wazuh indexer (an OpenSearch distribution; older releases used Elasticsearch) and the Wazuh dashboard.
Wazuh architecture
Main components
- Wazuh agent: installed on each endpoint; collects logs, runs FIM, inventory and vulnerability data collection, and executes active responses.
- Wazuh manager: the core engine that decodes events, runs the rule engine and correlation, and generates alerts; it also exposes the Wazuh API (55000/tcp).
- Filebeat: runs on the manager host and ships alerts and archives to the Wazuh indexer.
- Wazuh indexer (OpenSearch/Elasticsearch): large-scale storage and search for alerts.
- Wazuh dashboard: the web UI for monitoring, alert triage and analysis; it reads alerts from the indexer and manages agents and configuration through the Wazuh API.
Simplified architecture
+-------------+  1514/tcp events   +-----------------+  Filebeat    +-----------------------+
| Wazuh Agent | -----------------> |  Wazuh Manager  | -----------> | Wazuh indexer         |
+-------------+  1515/tcp enroll   |  (+ Filebeat)   |  9200/tcp    | (OpenSearch)          |
                                   +-----------------+              +-----------------------+
                                           ^                                  ^
                                 55000/tcp | Wazuh API               9200/tcp | queries
                                           |                                  |
                                   +-----------------------------------------------+
                                   |                Wazuh Dashboard                |
                                   +-----------------------------------------------+
Setting up Wazuh on a VM (manual install)
Prerequisites
- OS: Ubuntu 20.04/22.04 recommended
- CPU: at least 4 cores
- RAM: at least 8–12 GB for an all-in-one node (indexer, manager and dashboard on one host)
- Ports that must be reachable (restrict each one to the networks that actually need it with a host firewall):
- 1514/tcp → agent–manager communication (event delivery; TCP by default in Wazuh 4.x)
- 1515/tcp → agent enrollment (registration service, authd)
- 55000/tcp → Wazuh server API, used by the dashboard and administrators; agents do not use it, and it should never face the internet
- 443/tcp → Wazuh dashboard (default for the packaged dashboard; 5601 is what the Docker image and some custom installs use)
- 9200/tcp → Wazuh indexer (OpenSearch) REST API; only the manager's Filebeat and the dashboard need to reach it
Install Wazuh manager + Filebeat + indexer + dashboard
Add the Wazuh repository (apt-key is deprecated; import the key into a dedicated keyring and pin it with signed-by, as the Wazuh documentation does)
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update
Install the Wazuh indexer (the Wazuh repository ships wazuh-indexer, an OpenSearch distribution; there is no plain "opensearch" package in it, and the indexer needs TLS certificates and admin credentials configured before it starts cleanly)
sudo apt install wazuh-indexer
sudo systemctl enable --now wazuh-indexer
Install Wazuh manager
sudo apt install wazuh-manager
sudo systemctl enable --now wazuh-manager
Install Filebeat (ships alerts from the manager to the indexer; /etc/filebeat/filebeat.yml must point at the indexer with the indexer credentials and CA before alerts appear in the dashboard)
sudo apt install filebeat
sudo systemctl enable --now filebeat
Install Wazuh dashboard
sudo apt install wazuh-dashboard
sudo systemctl enable --now wazuh-dashboard
Note: the package steps above still leave certificate generation and the indexer, Filebeat and dashboard configuration to you. For an all-in-one node the Wazuh installation assistant performs all of that in one run and prints the generated admin credentials at the end; read the script before executing it:
curl -sO https://packages.wazuh.com/4.x/wazuh-install.sh
sudo bash ./wazuh-install.sh -a
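After the services are enabled it is worth checking that the node is actually healthy rather than trusting systemctl alone. The script below is an added example (not Wazuh project code) for an all-in-one node as installed above. It assumes the unit names wazuh-manager, wazuh-indexer, filebeat and wazuh-dashboard, the indexer on 9200, the Wazuh API on 55000 and the dashboard on 443, and it takes credentials from the INDEXER_USER/INDEXER_PASS and API_USER/API_PASS environment variables (the defaults admin and wazuh are the usernames the installer creates; the passwords are whatever it printed). The port check is pure text processing over `ss -Hltn` output so it can be exercised with constructed input.

```shell
#!/bin/sh
# Post-install health check for an all-in-one Wazuh node (added example).
# Run as:  INDEXER_PASS=... API_PASS=... sh wazuh-check.sh run

# missing_ports PORT... : reads `ss -Hltn` output on stdin and prints every
# expected port that nothing is listening on, one per line.
missing_ports() {
    local listening="" addr p
    while read -r _state _recvq _sendq addr _rest; do
        [ -n "$addr" ] || continue
        # keep only the port: works for 0.0.0.0:1514, [::]:9200 and *:443
        listening="$listening ${addr##*:}"
    done
    for p in "$@"; do
        case " $listening " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# inactive_services UNIT... : prints systemd units that are not active.
inactive_services() {
    for u in "$@"; do
        systemctl is-active --quiet "$u" || printf '%s\n' "$u"
    done
}

# indexer_health: cluster status (green/yellow/red) from the Wazuh indexer.
indexer_health() {
    curl -sk -u "${INDEXER_USER:-admin}:${INDEXER_PASS:?set INDEXER_PASS}" \
        "https://${INDEXER_HOST:-127.0.0.1}:9200/_cluster/health" |
        sed -n 's/.*"status":"\([a-z]*\)".*/\1/p'
}

# api_agent_count: obtain a JWT from the Wazuh API and return the number of
# registered agents (total_affected_items of GET /agents).
api_agent_count() {
    local token
    token=$(curl -sk -u "${API_USER:-wazuh}:${API_PASS:?set API_PASS}" -X POST \
        "https://${API_HOST:-127.0.0.1}:55000/security/user/authenticate" |
        sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
    [ -n "$token" ] || { echo "Wazuh API authentication failed" >&2; return 1; }
    curl -sk -H "Authorization: Bearer $token" \
        "https://${API_HOST:-127.0.0.1}:55000/agents?limit=1" |
        sed -n 's/.*"total_affected_items":\([0-9]*\).*/\1/p'
}

main() {
    local missing down
    missing=$(ss -Hltn | missing_ports 1514 1515 55000 9200 443)
    [ -z "$missing" ] || printf 'not listening on: %s\n' "$missing"
    down=$(inactive_services wazuh-manager wazuh-indexer filebeat wazuh-dashboard)
    [ -z "$down" ] || printf 'inactive units: %s\n' "$down"
    printf 'indexer cluster status: %s\n' "$(indexer_health)"
    printf 'agents registered: %s\n' "$(api_agent_count)"
    [ -z "$missing$down" ]   # non-zero exit if anything is missing
}

if [ "${1:-}" = "run" ]; then main; fi
```

A yellow cluster status is normal on a single indexer node (replica shards cannot be allocated); red means alerts are not being indexed. An agent count of 0 on a fresh install is expected; it confirms the API credentials and the service are working before you enroll the first agent.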
Install the Wazuh agent on Linux
Add the Wazuh repository on the agent host exactly as on the manager, then install the agent from the signed repository rather than piping a remote script into bash. Setting WAZUH_MANAGER at install time writes the manager address into /var/ossec/etc/ossec.conf and lets the agent enroll itself on first start:
sudo env WAZUH_MANAGER="<IP-WAZUH-MANAGER>" apt install wazuh-agent
sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-agent
If the manager address was not set at install time, enroll the agent manually against the registration service (1515/tcp) and restart it so the new client key is used:
sudo /var/ossec/bin/agent-auth -m <IP-WAZUH-MANAGER>
sudo systemctl restart wazuh-agent
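By default the registration service on 1515/tcp accepts any host that can reach it, so anyone on the network can enroll a rogue agent and start injecting events. The script below is an added example (not Wazuh project code) of switching enrollment to a shared password: on the manager it stores the password in /var/ossec/etc/authd.pass and sets `<use_password>yes</use_password>` in the `<auth>` block of ossec.conf; on the agent it enrolls with `agent-auth -P`. It assumes the stock manager layout (WAZUH_DIR defaults to /var/ossec and can be overridden, which the self-test uses) and that the `<auth>` block already contains `<use_password>no</use_password>`, as the default ossec.conf does.

```shell
#!/bin/sh
# Password-protected agent enrollment (added example).
#   manager side:  sh enroll.sh manager
#   agent side:    sh enroll.sh agent <manager-ip> <agent-name> <password>
WAZUH_DIR="${WAZUH_DIR:-/var/ossec}"

# enable_authd_password DIR PASSWORD: store the enrollment password with
# restrictive permissions and turn on <use_password> in DIR/etc/ossec.conf.
enable_authd_password() {
    local dir=$1 pass=$2 passfile conf
    passfile="$dir/etc/authd.pass"
    conf="$dir/etc/ossec.conf"
    grep -q '<use_password>' "$conf" || { echo "no <auth> block in $conf" >&2; return 1; }
    ( umask 077; printf '%s\n' "$pass" > "$passfile" )
    chmod 640 "$passfile"
    # conventional ownership is root:wazuh; skip when the group does not exist (hosts without Wazuh)
    if getent group wazuh >/dev/null 2>&1; then chown root:wazuh "$passfile"; fi
    sed -i 's#<use_password>no</use_password>#<use_password>yes</use_password>#' "$conf"
}

# enroll_agent MANAGER AGENT_NAME PASSWORD: register against 1515/tcp with the
# shared password and restart the agent so the new client key is loaded.
enroll_agent() {
    local manager=$1 name=$2 pass=$3
    "$WAZUH_DIR/bin/agent-auth" -m "$manager" -A "$name" -P "$pass"
    systemctl restart wazuh-agent
}

# enrollment_password_ok DIR PASSWORD: verify the manager-side state after
# enable_authd_password (use_password switched on, password file matches).
enrollment_password_ok() {
    grep -q '<use_password>yes</use_password>' "$1/etc/ossec.conf" &&
    [ "$(cat "$1/etc/authd.pass")" = "$2" ]
}

case "${1:-}" in
    manager)
        pass=$(openssl rand -hex 16)          # 128-bit random password
        enable_authd_password "$WAZUH_DIR" "$pass"
        systemctl restart wazuh-manager       # authd re-reads authd.pass on start
        echo "enrollment password: $pass" ;;
    agent)
        enroll_agent "$2" "${3:-$(hostname)}" "$4" ;;
esac
```

Distribute the password out of band (a secrets manager or configuration management), never in the same channel as the agent package. With the repository install, the same effect is reached with `WAZUH_REGISTRATION_PASSWORD` set alongside `WAZUH_MANAGER` at install time, so the password never has to appear in a shell history on the agent.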
Setting up Wazuh with Docker and Docker Compose
Prerequisites
- A current Docker Engine
- Docker Compose v2
- 4–8 GB RAM for a single node
- vm.max_map_count raised to at least 262144 on the host (OpenSearch refuses to start otherwise): sudo sysctl -w vm.max_map_count=262144
docker-compose.yml
The file below is a minimal lab compose. It disables the OpenSearch security plugin (no authentication or TLS on 9200) and does not wire the manager's Filebeat to the indexer, so alerts will not reach the dashboard without further configuration. For anything beyond a throwaway lab, use the single-node compose from the official wazuh-docker repository (https://github.com/wazuh/wazuh-docker), which runs wazuh/wazuh-indexer with generated TLS certificates and passes INDEXER_URL, INDEXER_USERNAME and INDEXER_PASSWORD to the manager and dashboard containers.
# the top-level "version" key is obsolete in Compose v2 and only produces a warning
services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.7.0
    hostname: wazuh-manager
    restart: unless-stopped
    ports:
      - "1514:1514"                # agent events: TCP by default (the UDP mapping originally here is not what agents use)
      - "1515:1515"                # agent enrollment
      - "127.0.0.1:55000:55000"    # Wazuh API: keep it off the public interface
    volumes:
      - wazuh_data:/var/ossec/data
  opensearch:
    image: opensearchproject/opensearch:2.11.0
    restart: unless-stopped
    environment:
      - discovery.type=single-node
      - plugins.security.disabled=true   # lab only: anyone who can reach 9200 can read and delete every alert
    ports:
      - "127.0.0.1:9200:9200"
      - "127.0.0.1:9600:9600"
  dashboard:
    image: wazuh/wazuh-dashboard:4.7.0
    restart: unless-stopped
    ports:
      - "5601:5601"
    environment:
      - OPENSEARCH_URL=http://opensearch:9200
volumes:
  wazuh_data:
Deploying
docker compose up -d
The dashboard is then reachable at:
http://<IP>:5601
The wazuh-dashboard image serves HTTPS with a self-signed certificate by default, so use https:// if http:// does not answer. Change the default dashboard and API credentials before exposing 5601 beyond localhost.
Comparing Wazuh with similar tools
| Feature / Tool | Wazuh | OSSEC | Splunk | QRadar | Elastic SIEM |
|---|---|---|---|---|---|
| Open source | ✔️ fully (GPLv2) | ✔️ | ❌ commercial | ❌ commercial | ⚠️ source-available (ELv2/SSPL; AGPL option since 2024) |
| SIEM capability | ✔️ | ❌ | ✔️ | ✔️ | ✔️ |
| XDR / endpoint security | ✔️ | ❌ | ✔️ | ✔️ | ⚠️ via Elastic Agent/Endpoint |
| Vulnerability detection | ✔️ | ⚠️ basic | ✔️ | ✔️ | ⚠️ |
| FIM (file integrity) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Compliance templates | ✔️ many | ❌ | ✔️ complete | ✔️ very complete | ⚠️ |
| Cloud integration | ✔️ | ❌ | ✔️ | ✔️ | ✔️ |
| License cost | Free | Free | Expensive (ingest-based) | Very expensive | Free tier / paid |
Advantages of Wazuh over other tools
Compared with OSSEC
- Wazuh started as a fork of OSSEC and has since replaced most of the stack (agent, manager, ruleset, API)
- Ships with a full dashboard instead of a bare alert log
- Adds XDR features, compliance mapping, vulnerability detection and a REST API
Compared with Splunk / QRadar
- Free and open source, with no ingest-volume licensing
- Lightweight agent focused on endpoint security
- Easy to deploy (VM, bare metal, Docker)
Compared with Elastic SIEM
- The agent has stronger built-in endpoint security (FIM, rootkit checks, security configuration assessment, vulnerability detection)
- Rule-based detection is flexible and ships with a large ready-made ruleset
Wazuh use cases
- Monitoring production servers
- Threat detection for operating systems and applications
- Compliance (PCI DSS, HIPAA, GDPR)
- Intrusion detection
- File integrity monitoring (FIM)
- Monitoring enterprise workstations
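The threat-detection and FIM use cases above come down to rules on the manager. The script below is an added example (not part of the Wazuh ruleset or project) that appends two custom rules to /var/ossec/etc/rules/local_rules.xml and shows how to test them. It assumes the stock Wazuh 4.x ruleset: parent rules 550/553/554 (syscheck file modified/deleted/added) and 5715 (sshd authentication success), the syscheck decoder exposing the path as field `file` (as the Wazuh documentation's FIM rule examples use), custom rule IDs in the 100000-120000 range, and the manager layout under WAZUH_DIR (default /var/ossec, overridable for testing). The sample sshd line fed to wazuh-logtest is constructed.

```shell
#!/bin/sh
# Custom detection rules: critical-file changes and root SSH logins (added example).
#   sh rules.sh apply   # write rules, test analysisd config, restart the manager
#   sh rules.sh test    # run a constructed sshd line through wazuh-logtest
WAZUH_DIR="${WAZUH_DIR:-/var/ossec}"

# write_local_rules DIR: append the rules to DIR/etc/rules/local_rules.xml.
write_local_rules() {
    local f="$1/etc/rules/local_rules.xml"
    mkdir -p "$(dirname "$f")"
    cat >> "$f" <<'EOF'
<group name="local,custom,">
  <!-- FIM: any change to credential/privilege files becomes a level 12 alert -->
  <rule id="100100" level="12">
    <if_sid>550,553,554</if_sid>
    <field name="file" type="pcre2">^/etc/(passwd|shadow|sudoers|sudoers\.d/.*)$</field>
    <description>Critical system file changed: $(file)</description>
    <group>syscheck,critical_file,pci_dss_11.5,</group>
  </rule>

  <!-- SSH: interactive root logins should not happen on hardened hosts -->
  <rule id="100101" level="10">
    <if_sid>5715</if_sid>
    <user>^root$</user>
    <description>SSH login as root from $(srcip)</description>
    <group>authentication_success,sshd,</group>
  </rule>
</group>
EOF
}

# rule_ids DIR: list the rule IDs in local_rules.xml (spot duplicates after re-runs).
rule_ids() {
    sed -n 's/.*<rule id="\([0-9]*\)".*/\1/p' "$1/etc/rules/local_rules.xml"
}

# logtest_sample: feed a constructed sshd success line through wazuh-logtest and
# print the rule that matched; the manager must be running (logtest talks to
# analysisd over a local socket). Expect id 100101 at level 10.
logtest_sample() {
    printf '%s\n' 'Jan 12 10:15:02 web01 sshd[1234]: Accepted password for root from 203.0.113.5 port 51234 ssh2' |
        "$WAZUH_DIR/bin/wazuh-logtest" 2>/dev/null |
        grep -E "(id|level|description): '"
}

case "${1:-}" in
    apply)
        write_local_rules "$WAZUH_DIR"
        "$WAZUH_DIR/bin/wazuh-analysisd" -t && systemctl restart wazuh-manager ;;
    test)
        logtest_sample ;;
esac
```

For the FIM rule to fire, /etc must be monitored: the default agent configuration already includes it in `<syscheck>`, and adding `realtime="yes" report_changes="yes"` to that `<directories>` entry (in ossec.conf or the centralized agent.conf) turns scheduled scans into immediate alerts with a diff of the change. Run `write_local_rules` only once per host; the `rule_ids` helper makes a duplicated ID visible before analysisd rejects the file.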
Conclusion
Wazuh is a complete SIEM + XDR security platform that is fully open source and suits both enterprises and small organizations. Deployment is flexible (VM, bare metal and Docker), and it ships with IDS, FIM, vulnerability detection and compliance mapping out of the box.