Introduction to Wazuh
In the ever-evolving landscape of cybersecurity, organizations need powerful tools that can detect threats, ensure compliance, and provide real-time visibility into their infrastructure. Wazuh is an open-source security platform that integrates SIEM (Security Information and Event Management), log analysis, intrusion detection, vulnerability detection, and security configuration assessment into a unified solution. It helps businesses of all sizes monitor their systems, detect anomalies, and respond to incidents efficiently — making it a critical component of any modern security operations center (SOC).
Hi, I’m Ismail — Wazuh Ambassador from Indonesia. If you have ideas, feedback, or Wazuh features you’d like to explore together, feel free to comment on this blog here on Medium or via the LinkedIn post. I’d love to hear from you and collaborate on making the most of Wazuh’s capabilities.
Ismail Hakim (ID) — https://wazuh.com/ambassadors/ismail-hakim/

Real-World Use Cases
Wazuh is widely adopted across various industries due to its comprehensive features and adaptability. In the financial sector, Wazuh helps institutions meet regulatory requirements like PCI DSS by monitoring logs, detecting unauthorized access, and maintaining audit trails. In healthcare, it plays a crucial role in protecting sensitive patient data and supporting HIPAA compliance through continuous monitoring and file integrity checking.
For organizations operating in the cloud, Wazuh offers native integration with platforms such as AWS, Azure, and Google Cloud, allowing for seamless monitoring of cloud workloads and infrastructure. In DevSecOps environments, it empowers teams to integrate security into the CI/CD pipeline by detecting misconfigurations and vulnerabilities early in the development cycle. Whether you’re securing an enterprise network, cloud-native application, or hybrid infrastructure, Wazuh provides the visibility and control needed to manage risk effectively.
Wazuh Architecture
Wazuh is built on a modular and scalable architecture designed to support a wide range of deployment scenarios, from small setups to complex enterprise environments. The platform is composed of several core components: the Wazuh Manager, Wazuh Agents, the Wazuh Indexer, and the Wazuh Dashboard. Each component plays a critical role in collecting, processing, storing, and visualizing security data across monitored systems.
The Wazuh Manager serves as the brain of the platform, receiving and analyzing data from the agents. It applies decoders and rules to the incoming events, generates alerts, and executes active responses when necessary. Wazuh Agents are lightweight programs installed on endpoints — including servers, workstations, and cloud instances — that collect security event data such as logs, file integrity checks, and configuration assessments.
The Wazuh Indexer, based on OpenSearch, is responsible for storing and indexing event data to enable efficient search and correlation. It ensures that vast volumes of data can be queried quickly, supporting threat detection and forensic analysis. Finally, the Wazuh Dashboard provides an intuitive web interface for managing configurations, visualizing alerts, and gaining insights into the security posture of your environment.
System Requirements
Hardware requirements vary significantly depending on the number of endpoints and cloud workloads being monitored. This directly impacts the volume of data processed and the number of security alerts that need to be stored and indexed.
The quickstart deployment installs the Wazuh server, indexer, and dashboard on a single host—suitable for environments with up to 100 endpoints and 90 days of searchable alert data. The table below outlines the recommended hardware specifications for this type of deployment.

Wazuh Server Quick Start Installation
To get the most out of Wazuh, it is recommended to explore the official Wazuh Documentation.
One of Wazuh’s key advantages is how easy it is to get up and running. Despite its wide range of features, the installation process is straightforward and well-documented. Wazuh has several installation options, but the simplest is the quickstart assistant, launched with this single command.
curl -sO https://packages.wazuh.com/<4.x>/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
Note: replace the <4.x> placeholder with the Wazuh version you want to install (the newest 4.x release at the time of writing).
Wait for the installation to complete, then save the admin username and password printed in the summary; they are your login credentials for the Wazuh Server.
INFO: --- Summary ---
INFO: You can access the web interface https://<IP_ADDRESS>
User: admin
Password: <PASSWORD>
INFO: Installation finished.


Wazuh Dashboard
The Wazuh Dashboard serves as the central interface for monitoring, analyzing, and responding to security events across your infrastructure. Designed for clarity and efficiency, it offers real-time visibility into agent activity, threat detections, compliance status, and system health. To better understand how this dashboard supports security operations, we’ll explore it in two key segments: the Agents & Alerts Overview, which highlights the current state of your environment and recent incidents, and the Functionality Segment, which dives into Wazuh’s powerful tools for endpoint protection, threat intelligence, cloud monitoring, and compliance management.

The Agents Summary panel provides a quick overview of the current status of all connected Wazuh agents. In this example, there are two active agents and none are disconnected, indicating that all monitored endpoints are communicating properly with the Wazuh server. This immediate visibility is crucial for ensuring full coverage and avoiding blind spots in security monitoring.
Next to it, the Last 24 Hours Alerts panel categorizes recent security events based on their severity levels. There are no Critical (rule level 15+) or High (rule level 12–14) severity alerts, suggesting no major threats have been detected in the last day. However, the system has logged 2 Medium severity alerts (rule level 7–11) and 3 Low severity alerts (rule level 0–6), which may include benign or informational events. This segmentation allows analysts to prioritize investigations and respond effectively to threats based on risk levels.
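The severity bands described above can be reproduced from the manager’s alerts.json output. The script below is an added example, not code from the original post or from the Wazuh project; its alert records are constructed samples in the shape of /var/ossec/logs/alerts/alerts.json lines, with illustrative rule ids, levels, agents and IPs, chosen so that the counts match the panel shown above (2 Medium, 3 Low).

```python
# Added example, not code from the original post or the Wazuh project: bucket
# alerts.json records into the bands the "Last 24 Hours Alerts" panel uses
# (Critical 15+, High 12-14, Medium 7-11, Low 0-6). The records below are
# constructed samples shaped like /var/ossec/logs/alerts/alerts.json lines;
# their rule ids, levels, agents and IPs are illustrative values only.
import json
from collections import Counter

SEVERITY_BANDS = (  # (band name, lowest rule level, highest rule level)
    ("Critical", 15, 99),   # the dashboard labels this band "15+"
    ("High", 12, 14),
    ("Medium", 7, 11),
    ("Low", 0, 6),
)

SAMPLE_ALERTS_JSON = """
{"timestamp":"2025-01-01T10:00:01.000+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened."},"agent":{"id":"001","name":"web01"}}
{"timestamp":"2025-01-01T10:00:07.000+0000","rule":{"level":5,"id":"5716","description":"sshd: authentication failed."},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.7"}}
{"timestamp":"2025-01-01T10:00:09.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed."},"agent":{"id":"002","name":"db01"}}
{"timestamp":"2025-01-01T10:00:12.000+0000","rule":{"level":10,"id":"5720","description":"sshd: Multiple authentication failures."},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.7"}}
{"timestamp":"2025-01-01T10:00:15.000+0000","rule":{"level":2,"id":"5402","description":"Successful sudo to ROOT executed."},"agent":{"id":"002","name":"db01"}}
"""

def severity_of(level):
    """Map a numeric rule level to the dashboard band name."""
    for name, low, high in SEVERITY_BANDS:
        if low <= level <= high:
            return name
    raise ValueError(f"rule level out of range: {level}")

def parse_alerts(text):
    """Parse newline-delimited JSON, skipping blank lines (e.g. after rotation)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def severity_counts(alerts):
    """Count alerts per band; every band is reported, even when zero."""
    counts = Counter({name: 0 for name, _, _ in SEVERITY_BANDS})
    for alert in alerts:
        counts[severity_of(int(alert["rule"]["level"]))] += 1
    return dict(counts)

if __name__ == "__main__":
    for band, n in severity_counts(parse_alerts(SAMPLE_ALERTS_JSON)).items():
        print(f"{band:<9}{n}")
```

Point it at the real file on the manager (`sudo tail -n 10000 /var/ossec/logs/alerts/alerts.json`) to get the same breakdown the panel shows.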

The Functionality segment of the Wazuh Dashboard showcases the platform’s core capabilities, organized into intuitive categories that cover every aspect of modern security operations. From endpoint protection and threat intelligence to cloud workload monitoring and compliance reporting, each module is designed to help security teams detect, investigate, and respond to threats efficiently. This section provides a deeper look into these built-in tools, demonstrating how Wazuh empowers organizations to maintain visibility, enforce policies, and meet regulatory requirements — all from a single, unified interface.
Endpoint Security
- Configuration Assessment — scans assets for misconfigurations by auditing them against security policies, making it ideal for hardening and compliance checks.
- Malware Detection — identifies indicators of compromise based on behavior patterns or known signatures, allowing early detection of malicious activity.
- File Integrity Monitoring — keeps track of critical file changes — including permissions, ownership, and content — alerting security teams to potential tampering or unauthorized modifications.
Threat Intelligence
- Threat Hunting — allows analysts to manually investigate security alerts, identify patterns, and detect hidden threats across the environment.
- MITRE ATT&CK — maps alert data to adversary tactics and techniques, helping security teams understand attack strategies and improve detection coverage.
- Vulnerability Detection — identifies software with known CVEs, offering severity ratings and affected system details to help prioritize remediation.
Security Operations
Compliance-focused dashboards with modules like PCI DSS, GDPR, HIPAA, and NIST 800–53 assist organizations in aligning with global regulatory standards, providing real-time insights and reports that support audits. The TSC module is particularly useful for organizations pursuing SOC 2 certification, covering trust service criteria such as confidentiality, availability, and processing integrity.
Cloud Security
The Cloud Security category provides extensive visibility across modern infrastructure. The Docker module captures events such as container lifecycle operations to detect abnormal behavior in containerized environments. For cloud service providers, AWS and Google Cloud modules collect API-driven logs to monitor IAM activity, policy changes, and resource access. Office 365 integration provides oversight into user activity and configuration changes across collaboration tools, while the GitHub module enables audit log analysis for version control systems — making it a critical piece in securing DevOps pipelines.
Wazuh Agent
The Wazuh Agent is a lightweight and powerful component installed on endpoints — such as servers, workstations, or cloud instances — to collect security-relevant data and forward it to the Wazuh Manager for analysis. It plays a crucial role in monitoring system activity, detecting anomalies, tracking file integrity, and enforcing security policies across diverse environments.
To get started with deploying Wazuh agents, simply navigate to https://<your-wazuh-ip>/app/endpoints-summary#/agents-preview/deploy on your Wazuh Dashboard, replacing <your-wazuh-ip> with your Wazuh Server IP address or URL. This page provides pre-configured installation commands tailored for different operating systems.


Alerts
Wazuh generates security alerts through the collaboration between its agents and server. When installed on an endpoint, the Wazuh Agent monitors system activities — such as login attempts, file changes, and network behavior — and sends this data to the Wazuh Server. The server then analyzes it using a powerful rules engine to detect suspicious patterns or malicious activity. For example, if an attacker attempts a brute-force attack by making multiple failed login attempts in a short period, Wazuh can detect this behavior and generate a high-severity alert based on predefined rules.
These alerts are automatically forwarded to the Wazuh Dashboard, where they can be investigated in real time. You can access and analyze alerts by navigating to Explore > Discover in the side panel of the dashboard. This interface allows you to search, filter, and visualize alert data based on severity level, rule ID, source IP, or other criteria — enabling security teams to quickly identify threats and take appropriate action.
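The brute-force case above is a frequency-over-timeframe correlation: a low-level alert for each failed login, and a higher-level composite alert once enough of them come from the same source within a window. The script below is an added example, not code from the original post or from Wazuh’s own rules engine; it implements a simplified version of that correlation over constructed alerts.json-style records, and the thresholds, the child rule id and the IP addresses are sample values chosen for the demo.

```python
# Added example, not code from the original post or from Wazuh's rules engine:
# a simplified frequency/timeframe correlation like the brute-force case the
# post describes. One source IP producing FREQUENCY failed-login alerts within
# TIMEFRAME seconds yields a composite finding. The thresholds, the child rule
# id and the alert records are constructed sample values for the demo.
import json
from collections import defaultdict, deque
from datetime import datetime

FREQUENCY = 5            # failures from one srcip needed ...
TIMEFRAME = 120          # ... within this many seconds
CHILD_RULE_ID = "5716"   # sample id for "sshd: authentication failed"

def _alert(ts, srcip, rule_id=CHILD_RULE_ID, level=5):
    """Build one alerts.json-style record (constructed sample data)."""
    return json.dumps({"timestamp": ts, "rule": {"level": level, "id": rule_id},
                       "agent": {"id": "001", "name": "web01"},
                       "data": {"srcip": srcip}})

# 203.0.113.7 fails five times in 32 s (should fire); 198.51.100.4 fails twice
# (should not); the last record is a different rule and must be ignored.
SAMPLE_ALERTS_JSON = "\n".join(
    [_alert(f"2025-01-01T10:00:{s:02d}.000+0000", "203.0.113.7") for s in range(5, 45, 8)]
    + [_alert("2025-01-01T10:01:00.000+0000", "198.51.100.4"),
       _alert("2025-01-01T10:01:30.000+0000", "198.51.100.4"),
       _alert("2025-01-01T10:01:40.000+0000", "203.0.113.7", rule_id="5501", level=3)])

def parse_ts(ts):
    """alerts.json timestamps look like 2025-01-01T10:00:05.000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def correlate_brute_force(text, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Return (srcip, first_failure, last_failure) for each burst over the threshold."""
    alerts = sorted((json.loads(l) for l in text.splitlines() if l.strip()),
                    key=lambda a: parse_ts(a["timestamp"]))
    window = defaultdict(deque)   # srcip -> failure times still inside the timeframe
    findings = []
    for a in alerts:
        ip = a.get("data", {}).get("srcip")
        if a["rule"]["id"] != CHILD_RULE_ID or not ip:
            continue              # only the child rule feeds the correlation
        now = parse_ts(a["timestamp"])
        q = window[ip]
        q.append(now)
        while (now - q[0]).total_seconds() > timeframe:
            q.popleft()           # slide the window forward
        if len(q) >= frequency:
            findings.append((ip, q[0].isoformat(), now.isoformat()))
            q.clear()             # one burst -> one composite alert
    return findings
```

In the real engine the same idea is expressed declaratively in a rule with `<frequency>`, `<timeframe>` and `<same_source_ip/>`, which is why the composite alert arrives in Discover with a higher rule level than the individual failures.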
Closing
This blog post is dedicated to exploring the fundamentals of Wazuh, including what makes it powerful and how to get it up and running. The deep dive into Wazuh Alerts — where we break down how to interpret, investigate, and act on security events — will be featured in a follow-up post. Stay tuned for more insights and hands-on guidance in the upcoming entries!
Introduction to Wazuh was originally published in Cyberkarta on Medium.