Wazuh SIEM (Security)
What is Wazuh?
Wazuh is an open-source security platform that monitors your servers and firewalls around the clock. Think of Wazuh as a digital security guard that handles the following tasks:
- Security Alerts: Detects suspicious activities like failed login attempts, unknown processes, or suspicious network connections
- Vulnerability Scanning (CVEs): Checks installed software for known security vulnerabilities and shows which updates are needed
- Compliance Checking (SCA): Compares your system configurations against security standards like CIS Benchmarks and shows where improvements are needed
- File Integrity (FIM): Monitors critical system files for unauthorized changes
DATAZONE Control integrates Wazuh directly into the existing management interface. You don't need to run a separate Wazuh system - everything runs in the same Docker stack.
How It Works
```text
+--------------------+              +----------------------------------------------+
|     Your Hosts     |              |            DATAZONE Control Server           |
|                    |              |                                              |
|  +--------------+  |    Port      |  +---------------+    +--------------------+ |
|  | Wazuh Agent  |--+---1514------>|  | Wazuh Manager |--->|   Wazuh Indexer    | |
|  | (collects    |  |              |  | (processes)   |    |  (stores alerts)   | |
|  | log data)    |--+---1515------>|  +-------+-------+    +--------+-----------+ |
|  +--------------+  |   Enroll     |          |                     |             |
|                    |              |  +-------+-------+    +--------+-----------+ |
|  +--------------+  |              |  |   DATAZONE    |    |  Wazuh Dashboard   | |
|  |   DATAZONE   |  |              |  |   Backend     |    |  (detailed view)   | |
|  |    Agent     |  |              |  | (shows data   |    |   available at     | |
|  +--------------+  |              |  |  in frontend) |    |      /wazuh/       | |
|                    |              |  +---------------+    +--------------------+ |
+--------------------+              +----------------------------------------------+
```
Components in Detail
| Component | What it does | Where it runs |
|---|---|---|
| Wazuh Agent | Small software on each host. Collects logs, checks files, scans software. | On each monitored host |
| Wazuh Manager | Receives data from all agents. Evaluates rules, generates alerts. | Docker container on the DATAZONE server |
| Wazuh Indexer | Database for all alerts and events (based on OpenSearch). | Docker container on the DATAZONE server |
| Wazuh Dashboard | Detailed web interface for in-depth analysis. | Docker container, accessible at /wazuh/ |
| DATAZONE Integration | Shows the most important security data directly in DATAZONE Control. | In the existing DATAZONE backend + frontend |
Prerequisites
Before you can use Wazuh, check the following:
- DATAZONE Control is already running (`docker compose up -d`)
- At least 4 GB additional RAM on the server (Indexer: 2 GB, Manager: 1 GB, Dashboard: 1 GB)
- Ports 1514 and 1515 (TCP) must be reachable from outside, i.e. from every host that will run an agent (see Port Forwarding)
Server Installation (Step by Step)
Step 1: Generate TLS Certificates
Wazuh components communicate with each other using encryption (TLS). Certificates need to be generated once:
```bash
cd /root/datazone-control
chmod +x wazuh/generate-certs.sh
bash wazuh/generate-certs.sh
```
What happens here?
The script creates its own Certificate Authority (CA) and uses it to issue a certificate for each component. These are stored in wazuh/certs/ together with their private keys, which is why that directory is kept out of Git (see Configuration Files). You only need to run this step once during initial installation.
Step 2: Start Wazuh Containers
```bash
docker compose up -d wazuh-indexer wazuh-manager wazuh-dashboard
```
First Start Takes Longer
The Wazuh Indexer needs about 30-60 seconds for initialization. Wait until `docker compose logs wazuh-indexer --tail 5` shows no more error messages before proceeding.
Step 3: Initialize OpenSearch Security
This step loads the user database and permissions into the indexer. It must be executed after the first start and after every restart of the indexer container:
```bash
docker exec datazone-wazuh-indexer bash -c '
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh \
  -cd /usr/share/wazuh-indexer/opensearch-security/ \
  -nhnv \
  -cacert /usr/share/wazuh-indexer/certs/root-ca.pem \
  -cert /usr/share/wazuh-indexer/certs/admin.pem \
  -key /usr/share/wazuh-indexer/certs/admin-key.pem \
  -h localhost
'
```
Expected output: `Done with success`, preceded by 10 `SUCC` messages.
Important
This command must be repeated every time the Wazuh Indexer container is restarted (e.g., after docker compose restart wazuh-indexer or a server reboot). Without this step, nobody can log in to the dashboard.
Step 4: Create Agent Groups
Wazuh organizes agents into groups. Each group carries a shared agent configuration that determines which logs and checks are collected on its members. These groups must be created once:
```bash
docker exec datazone-wazuh-manager /var/ossec/bin/agent_groups -a -g linux -q
docker exec datazone-wazuh-manager /var/ossec/bin/agent_groups -a -g windows -q
docker exec datazone-wazuh-manager /var/ossec/bin/agent_groups -a -g opnsense -q
docker exec datazone-wazuh-manager /var/ossec/bin/agent_groups -a -g sca-level1 -q
docker exec datazone-wazuh-manager /var/ossec/bin/agent_groups -a -g sca-level2 -q
```
| Group | For which hosts | What is monitored |
|---|---|---|
| linux | Linux, Proxmox VE, Proxmox Backup Server | auth.log, syslog, dpkg.log, Docker logs |
| windows | Windows (Desktop + Server) | Security/System EventLog, Sysmon, PowerShell |
| opnsense | OPNsense Firewalls | system.log, filter.log, configuration files |
| sca-level1 | All hosts with SCA Level 1 | CIS Level 1 checks (basic security) |
| sca-level2 | All hosts with SCA Level 2 | CIS Level 1+2 checks (comprehensive) |
Step 5: Restart Manager
```bash
docker compose restart wazuh-manager
```
Step 6: Configure DATAZONE Settings
In the Web UI under Settings > Wazuh SIEM:
| Setting | Recommended Value | Explanation |
|---|---|---|
| Enabled | On | Enables the Wazuh integration |
| API URL | https://wazuh-manager:55000 | Internal Docker address (don't change) |
| API User | wazuh-wui | Default Wazuh API user |
| API Password | D4taz0ne!Wazuh#2024 | As configured in docker-compose.yml |
| Dashboard URL | /wazuh/ | Relative path to Wazuh Dashboard |
| Auto-Match | On | Automatically assigns Wazuh agents to DATAZONE hosts |
| Sync Interval | 300 | Synchronize every 5 minutes |
Click Test Connection to make sure everything works. The API password above is the default shipped in docker-compose.yml; change it there before the server is reachable from the internet and enter the same value here, otherwise the backend's API login fails.
Step 7: Restart Backend and Frontend
```bash
docker compose up -d --build backend frontend
```
The Wazuh system is now operational. The next section explains how to install agents on your hosts.
Port Forwarding (Firewall)
The Wazuh agents on your hosts need to reach the Wazuh Manager on the DATAZONE server. For this, two TCP ports must be accessible from outside:
| Port | Function | When needed |
|---|---|---|
| 1514 | Data connection (agent sends logs to manager) | Permanently, while the agent is running |
| 1515 | Enrollment (agent registers for the first time) | Only during initial registration |
When Your Hosts Connect via the Internet
If your monitored hosts are not in the same network as the DATAZONE server (e.g., remote locations), you need to set up port forwarding on your upstream firewall/router:
Example OPNsense:
- Go to Firewall > NAT > Port Forward
- Create a new rule:
- Interface: WAN
- Protocol: TCP
- Destination Port Range: 1514-1515
- Redirect Target IP: IP of the DATAZONE server (e.g., 10.100.0.16)
- Redirect Target Port: 1514
- Description: Wazuh
- Make sure Filter rule association is set to "Pass" (otherwise traffic is redirected but blocked by the firewall)
- Save and apply changes
NAT Reflection
If you test ports from the same network (e.g., your PC connects via the public IP), NAT Reflection must be enabled in OPNsense: Firewall > Settings > Advanced > Reflection for port forwards = Enable.
Port Test
Check with PowerShell whether the ports are reachable:
```powershell
Test-NetConnection control.datazone.de -Port 1514
Test-NetConnection control.datazone.de -Port 1515
```
Both must show `TcpTestSucceeded: True`.
Installing Wazuh Agents
The Wazuh Agent is a small software that is installed on each host to be monitored. It collects log data and sends it to the Wazuh Manager.
Recommended: Via DATAZONE Control
The easiest way is to install via DATAZONE Control:
- Open the host in DATAZONE Control
- Go to Scripts
- Select "Wazuh Agent installieren" (Install Wazuh Agent)
- Execute the script
The script automatically detects the manager address from the DATAZONE agent configuration and installs the appropriate Wazuh Agent.
Re-Enrollment
If the agent is already installed but not connected (e.g., because ports weren't open during initial installation), the script automatically detects this and performs a re-enrollment.
Manual: Linux (Debian/Ubuntu)
```bash
# 1. Add Wazuh repository
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | \
  gpg --dearmor -o /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] \
  https://packages.wazuh.com/4.x/apt/ stable main" \
  > /etc/apt/sources.list.d/wazuh.list
# 2. Install agent (WAZUH_MANAGER = public IP or domain of the DATAZONE server)
apt-get update
WAZUH_MANAGER="control.datazone.de" WAZUH_AGENT_GROUP="linux" \
  apt-get install -y wazuh-agent
# 3. If the manager address wasn't set automatically (placeholder still in the file):
sed -i 's/<address>MANAGER_IP<\/address>/<address>control.datazone.de<\/address>/' \
  /var/ossec/etc/ossec.conf
# 4. Start agent
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
```
Manual: Windows
```powershell
# 1. Download MSI (the agent version must not be newer than the manager; adjust 4.9.2-1 if needed)
Invoke-WebRequest -Uri "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.2-1.msi" `
  -OutFile "$env:TEMP\wazuh-agent.msi"
# 2. Install (WAZUH_MANAGER = public IP or domain of the DATAZONE server)
msiexec /i "$env:TEMP\wazuh-agent.msi" /q `
  WAZUH_MANAGER="control.datazone.de" `
  WAZUH_AGENT_GROUP="windows"
# 3. Start service
Start-Service WazuhSvc
```
Manual: OPNsense (FreeBSD)
```sh
# 1. Install agent
pkg install wazuh-agent
# 2. Register with manager (enrollment over port 1515, group assigned with -G)
/var/ossec/bin/agent-auth -m control.datazone.de -G opnsense
# 3. Set manager address in configuration
sed -i '' 's/<address>MANAGER_IP<\/address>/<address>control.datazone.de<\/address>/' \
  /var/ossec/etc/ossec.conf
# 4. Start agent
sysrc wazuh_agent_enable=YES
service wazuh-agent start
```
Replace the address!
In all examples, control.datazone.de must be replaced with the actual public address (domain or IP) of your DATAZONE server.
Verify Installation
After installation, the agent should appear in the Wazuh Dashboard within seconds. Check on the DATAZONE server:
```bash
# List all registered agents
docker exec datazone-wazuh-manager /var/ossec/bin/agent_control -l
```
Expected output (example):
```text
ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: DESKTOP-1CJMBDB, IP: any, Active
```
Security Dashboard in DATAZONE Control
After successful installation and connection, you'll see security data in two places:
1. Global Security Tab
In the main menu under Security, you'll find an overview of all monitored hosts:
Stat Cards (top):
| Card | Meaning |
|---|---|
| Agents | Number of active/total Wazuh agents (e.g., "42/45 active") |
| Critical | Number of critical security alerts |
| High | Number of high security alerts |
| CVEs | Total number of known vulnerabilities across all hosts |
| Compliance | Average compliance score (0-100%) |
Tabs:
| Tab | What you see |
|---|---|
| Alerts | All security alerts with severity, affected host, description and timestamp. Filterable by severity and time range. |
| Vulnerabilities | List of all known CVEs with affected packages and available updates. |
| Compliance | CIS Benchmark check results per host and policy. |
| Agents | All Wazuh agents with status and assignment to DATAZONE hosts. Manual assignment possible here. |
2. Host Security Tab
In the detail modal of each host (Linux, Windows, OPNsense, PVE, or PBS), there is a Security subtab with:
- Agent Status: Shows whether the Wazuh agent is active on this host
- Stat Cards: Critical/High alerts, CVEs, compliance score, FIM events in the last 24h
- Alerts Tab: Only alerts for this host
- CVEs Tab: Vulnerabilities on this host with package, version, and fix version
- Compliance Tab: CIS Benchmark results with pass/fail per rule
Understanding the Data
Alerts (Security Alerts)
Wazuh detects suspicious activities using over 3,000 predefined rules. Each alert has a severity level:
| Level | Meaning | Examples |
|---|---|---|
| 1-4 | Info | User logged in, service started |
| 5-7 | Low | Failed login, permission change |
| 8-9 | Medium | Multiple failed logins, suspicious process |
| 10-12 | High | Brute force attack detected, rootkit suspected |
| 13-15 | Critical | Successful intrusion, system manipulation |
CVEs (Vulnerabilities)
Wazuh scans installed software for known security vulnerabilities. Each CVE has a CVSS score:
| CVSS | Rating | Action needed |
|---|---|---|
| 0-3.9 | Low | Low priority, update when convenient |
| 4.0-6.9 | Medium | Plan update soon |
| 7.0-8.9 | High | Update as soon as possible |
| 9.0-10.0 | Critical | Update immediately! |
Compliance (SCA)
The Security Configuration Assessment checks your systems against security standards:
- CIS Microsoft Windows 11 Enterprise Benchmark: Checks approximately 400 configuration rules
- CIS Debian/Ubuntu Benchmark: Checks Linux configurations
- CIS FreeBSD Benchmark: Checks OPNsense configurations
The score shows the percentage of passed checks (e.g., 29% = 113 out of 387 rules passed).
Don't panic
A compliance score of 20-40% is normal for standard systems. Many CIS rules are very strict and need to be adapted to your environment. Use the score as a guideline for improvements, not as an absolute measure.
FIM (File Integrity Monitoring)
FIM monitors critical system files for changes. For example, if /etc/passwd or C:\Windows\System32\drivers\etc\hosts changes, an alert is generated. High FIM numbers (e.g., 16,000+) shortly after installation are normal - this is the initial scan capturing the baseline state.
SCA Level Hierarchy
DATAZONE Control supports a 3-tier cascade for assigning the CIS Benchmark level:
Group > Customer > System Default

| Tier | Where to configure | Description |
|---|---|---|
| System Default | Settings > Wazuh SIEM > Default SCA Level | Applies to all hosts that have no customer or group override |
| Customer | Edit Customer > Wazuh SCA Level | Overrides the system default for all hosts of this customer |
| Group | Edit Group > Wazuh SCA Level | Overrides customer and system default for hosts in this group |
CIS Benchmark Levels
| Level | Description | Examples |
|---|---|---|
| Level 1 (Basic) | Basic security hardening. Compatible with normal operation. Recommended for workstations and standard servers. | Firewall enabled, password policies, audit logging |
| Level 2 (Extended) | Comprehensive security hardening. May restrict functionality. Recommended for servers in sensitive environments. | Disable print spooler, restrict Remote Desktop, advanced audit rules |
Recommendation
Start with Level 1 for all hosts. Only set Level 2 for servers running in particularly sensitive environments (e.g., databases, domain controllers).
Applying SCA Levels
After changing SCA level settings, they need to be applied to the Wazuh agents:
- Go to Settings > Wazuh SIEM
- Click Apply SCA Levels
- DATAZONE automatically assigns the correct SCA group to all matched agents
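How Apply SCA Levels resolves the cascade and rewrites group membership is not shown on this page. The shell functions below are an added illustration, not DATAZONE's code: they resolve the effective level for one host (an empty value at a tier means "no override there"), map it to the sca-level1/sca-level2 group from Step 4, and print the manager commands that leave a matched agent in exactly one of the two groups, so a host never runs both benchmarks. The CSV input format and the system default passed as a parameter are this example's own; `agent_groups -a -i ID -g GROUP` and `agent_groups -r -i ID -g GROUP` are the manager tool's own syntax for adding an agent to and removing it from a group.

```shell
# Resolve the effective CIS level for one host from the cascade
# Group > Customer > System Default. An empty value means "no override here".
sca_level() {
    if [ -n "$1" ]; then echo "$1"
    elif [ -n "$2" ]; then echo "$2"
    else echo "$3"
    fi
}

# Map the resolved level to the Wazuh agent group created in Step 4.
sca_group_for() {
    case $(sca_level "$@") in
        1) echo sca-level1 ;;
        2) echo sca-level2 ;;
        *) echo "invalid SCA level '$(sca_level "$@")'" >&2; return 1 ;;
    esac
}

# stdin: "agent_id,group_level,customer_level" per matched agent (constructed
# format); $1: system default. Prints the manager commands that leave each agent
# in exactly one SCA group. Removing a group the agent is not in is harmless
# (-q keeps it quiet), which is what makes the output safe to re-apply.
sca_apply_cmds() {
    default=$1
    while IFS=, read -r id glevel clevel; do
        [ -n "$id" ] || continue
        want=$(sca_group_for "$glevel" "$clevel" "$default") || continue
        if [ "$want" = sca-level1 ]; then other=sca-level2; else other=sca-level1; fi
        echo "docker exec datazone-wazuh-manager /var/ossec/bin/agent_groups -r -i $id -g $other -q"
        echo "docker exec datazone-wazuh-manager /var/ossec/bin/agent_groups -a -i $id -g $want -q"
    done
}

# Demo with constructed data (run: sh this_file.sh demo). Agent 001 inherits the
# system default, 002 has a customer override, 003 a group override that beats it.
if [ "${1:-}" = demo ]; then
    printf '001,,\n002,,2\n003,1,2\n' | sca_apply_cmds 1
fi
```

Pipe the output into `sh` on the DATAZONE server to apply it; printing first lets you review what would change for which agent, which is also the quickest way to see why a host shows Level 2 checks when you expected Level 1 (a group override on it).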
Wazuh Dashboard (/wazuh/)
For in-depth analysis, the full Wazuh Dashboard is available at:
https://control.datazone.de/wazuh/

Login credentials:
- User: `admin`
- Password: `D4taz0ne!Wazuh#2025`

This is the default from wazuh/internal_users.yml. To change it, put a new hash into that file (the security plugin's hash.sh next to securityadmin.sh generates one) and re-run the securityadmin.sh command from Step 3.
The dashboard offers far more detailed views than the DATAZONE integration, including:
- MITRE ATT&CK mapping
- Detailed rule information
- Full-text search across all events
- Graphical dashboards and timelines
Auto-Matching (Agent Assignment)
DATAZONE automatically tries to match Wazuh agents to existing hosts:
- IP Address: The Wazuh agent's IP is compared with all DATAZONE host IP addresses
- Hostname: The Wazuh agent's name is compared with hostnames
If automatic matching fails (e.g., with NAT or different hostnames), you can manually assign:
- Go to Security > Agents Tab
- Click Match on an unassigned agent
- Select the corresponding DATAZONE host
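DATAZONE's matching code is not on this page, so the function below is an added example that reproduces the two rules as described (IP first, then hostname) on the output of `agent_control -l` and a constructed hosts list, and makes the failure mode visible: agents enrolled with the manager's default authd settings are recorded with IP `any` (as in the example output under Verify Installation), so they can only ever match by name, and a name that differs from the DATAZONE hostname ends up unmatched. The `hostname,ip` file format and the case-insensitive comparison on the short (domain-stripped) hostname are this example's assumptions, not DATAZONE's documented behaviour.

```shell
# match_agents: stdin = output of `agent_control -l`; $1 = file with one
# "hostname,ip" line per DATAZONE host (constructed format, not DATAZONE's own).
# Prints "agent_id agent_name rule matched_host" per agent, where rule is
# ip, hostname or unmatched. The manager's own entry (ID 000) is skipped.
match_agents() {
    awk -F', ' -v hosts="$1" '
    # short(): strip the domain part and lower-case, so web01 matches web01.datazone.local
    function short(n) { sub(/\..*$/, "", n); return tolower(n) }
    BEGIN {
        while ((getline line < hosts) > 0) {
            split(line, h, ",")
            by_name[short(h[1])] = h[1]
            if (h[2] != "") by_ip[h[2]] = h[1]
        }
    }
    /^[ \t]*ID: / {
        id = $1;   sub(/^[ \t]*ID: /, "", id)
        name = $2; sub(/^Name: /, "", name)
        ip = $3;   sub(/^IP: /, "", ip)
        if (id == "000") next
        # Rule 1: IP. "any" is what authd records by default and can never match;
        # an agent behind NAT may show the gateway address instead, which also fails here.
        if (ip != "any" && (ip in by_ip)) { print id, name, "ip", by_ip[ip]; next }
        # Rule 2: hostname, compared on the short lower-cased name.
        sn = short(name)
        if (sn in by_name) { print id, name, "hostname", by_name[sn]; next }
        print id, name, "unmatched", "-"
    }'
}

# Demo with constructed data (run: sh this_file.sh demo)
if [ "${1:-}" = demo ]; then
    hosts=$(mktemp)
    printf 'web01.datazone.local,10.100.0.21\nDESKTOP-1CJMBDB,192.168.1.50\nfw-branch,10.100.0.1\n' >"$hosts"
    printf '%s\n' \
      'Wazuh agent_control. List of available agents:' \
      '   ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local' \
      '   ID: 001, Name: web01, IP: 10.100.0.21, Active' \
      '   ID: 002, Name: DESKTOP-1CJMBDB, IP: any, Active' \
      '   ID: 003, Name: branch-fw, IP: 203.0.113.7, Disconnected' | match_agents "$hosts"
    rm -f "$hosts"
fi
```

Against the live manager: `docker exec datazone-wazuh-manager /var/ossec/bin/agent_control -l | match_agents hosts.csv`. Every line ending in `unmatched` is a candidate for the manual Match button above; the usual fix for the branch firewall case is to enroll the agent under the same name DATAZONE uses for the host.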
Permissions
| Permission | Who needs it | What it allows |
|---|---|---|
| wazuh.view | All users who should see security data | View Security Dashboard, view Host Security tab |
| wazuh.manage | Administrators | Change agent matching, trigger sync, edit Wazuh settings |
Configuration Files
| File | Description |
|---|---|
| wazuh/opensearch.yml | Indexer configuration (TLS, security plugin, compatibility) |
| wazuh/opensearch_dashboards.yml | Dashboard configuration (reverse proxy, TLS) |
| wazuh/internal_users.yml | Users and passwords for the indexer |
| wazuh/generate-certs.sh | TLS certificate generator (one-time) |
| wazuh/certs/ | Generated TLS certificates and private keys (not in Git!) |
Glossary (Security Terms Explained)
If you're new to security tools, here are the key terms explained:
SIEM (Security Information and Event Management)
A system that collects log data from many sources, analyzes it, and alerts on suspicious activities. Think of it as a central monitoring station that watches all security cameras (=logs) simultaneously. Wazuh is a SIEM.
XDR (Extended Detection and Response)
An extension of SIEM that not only collects logs but can also actively respond to threats (e.g., automatically blocking an IP). Wazuh can do both: SIEM + XDR.
CVE (Common Vulnerabilities and Exposures)
A globally unique identifier for a publicly known security vulnerability in software. Each CVE has an ID (e.g., CVE-2024-12345) and a record describing which software and which versions are affected. Wazuh checks whether software with known CVEs is installed on your hosts.
CVSS (Common Vulnerability Scoring System)
A scoring system from 0 to 10 that rates the severity of a security vulnerability (CVE). The higher the score, the more dangerous the vulnerability:
- 0-3.9: Low - minor impact
- 4.0-6.9: Medium - noticeable impact
- 7.0-8.9: High - serious impact
- 9.0-10.0: Critical - maximum impact, act immediately
MITRE ATT&CK
A public knowledge base that documents how attackers operate. Each attack technique has an ID (e.g., T1110 = Brute Force, T1059 = Command and Scripting Interpreter). Many Wazuh rules are tagged with the technique they detect, so an alert shows not only what happened but also which attack method it corresponds to.
Examples:
| Technique | Name | What it means |
|---|---|---|
| T1110 | Brute Force | Someone is trying to guess passwords by trial and error |
| T1059 | Command and Scripting Interpreter | Suspicious script or command execution |
| T1078 | Valid Accounts | Access with a valid but possibly stolen account |
| T1565 | Data Manipulation | System data has been modified |
SCA (Security Configuration Assessment)
An automatic check whether your systems are securely configured. Wazuh compares hundreds of settings against best-practice recommendations and shows which rules passed and which failed.
CIS Benchmarks (Center for Internet Security)
Globally recognized security guidelines that describe how an operating system should be securely configured. There are benchmarks for Windows, Linux, FreeBSD, and many other systems. Wazuh automatically checks your hosts against these guidelines.
Examples of CIS rules:
- "Password must be at least 14 characters long"
- "Guest access must be disabled"
- "SSH root login must be prohibited"
- "Firewall must be enabled"
FIM (File Integrity Monitoring)
Monitors critical system files for changes. If someone manipulates e.g., /etc/passwd (Linux) or the Windows Registry, FIM generates an alert. This helps detect unauthorized changes or malware.
Enrollment
The process by which a new Wazuh Agent registers with the Wazuh Manager for the first time. During enrollment the manager issues the agent a unique key, which both sides then use to authenticate and encrypt the agent-to-manager traffic on port 1514. Enrollment takes place over port 1515 and only needs to be done once per agent.
Troubleshooting
Agent Doesn't Appear in Dashboard
Symptom: The Wazuh agent is installed and running, but it doesn't show up in the dashboard or agent list.
Solution:
- Check ports: can 1514/1515 be reached from outside, i.e. from the host the agent runs on?
  ```powershell
  Test-NetConnection control.datazone.de -Port 1514
  Test-NetConnection control.datazone.de -Port 1515
  ```
  Both must show `TcpTestSucceeded: True`.
- Check the registration state with the `agent_control -l` command from Verify Installation: an agent listed as `Never connected` completed enrollment over 1515 but cannot reach 1514; an agent that is missing entirely never enrolled.
- Agent groups exist? Check if groups have been created:
  ```bash
  docker exec datazone-wazuh-manager /var/ossec/bin/agent_groups -l
  ```
  If not, create them (see Step 4).
- Run re-enrollment: run the install script again via DATAZONE Control. It automatically detects whether re-enrollment is needed.
- Check manager logs:
  ```bash
  docker exec datazone-wazuh-manager grep -i 'authd\|error' /var/ossec/logs/ossec.log | tail -20
  ```
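The checks above run on the DATAZONE server or on a Windows PC. The script below is the agent-side counterpart for Linux and OPNsense hosts, added here as an example (not part of DATAZONE Control or Wazuh): it reads the manager address out of ossec.conf, tests 1514 and 1515 from the agent's own network position, tells you from client.keys whether enrollment ever completed, and shows the relevant ossec.log lines. It assumes bash (for the /dev/tcp connect test; on OPNsense install it with `pkg install bash`) and the `timeout` utility; the file paths are the Wazuh defaults used elsewhere on this page.

```shell
#!/usr/bin/env bash
# wazuh-agent-check.sh: run ON the monitored host (Linux or OPNsense) when its
# agent does not show up. Added example, not part of DATAZONE Control or Wazuh.
# Usage: bash wazuh-agent-check.sh run [manager-address]
set -u

OSSEC_CONF=${OSSEC_CONF:-/var/ossec/etc/ossec.conf}
CLIENT_KEYS=${CLIENT_KEYS:-/var/ossec/etc/client.keys}
OSSEC_LOG=${OSSEC_LOG:-/var/ossec/logs/ossec.log}

# TCP connect test with a 5 s budget: the Linux/BSD counterpart of
# Test-NetConnection. Needs bash (for /dev/tcp) and the `timeout` utility.
tcp_open() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Print the manager address from <client><server><address> in the ossec.conf
# read on stdin. Prints nothing if the MANAGER_IP placeholder was never replaced.
manager_address() {
    sed -n 's:.*<address>\([^<]*\)</address>.*:\1:p' | grep -v '^MANAGER_IP$' | head -n 1
}

# client.keys holds one "ID NAME IP KEY" line per completed enrollment; a missing
# or empty file means the agent never enrolled over port 1515.
enrollment_state() {
    line=$(grep -m1 -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" 2>/dev/null || true)
    if [ -z "$line" ]; then
        echo "not enrolled"
    else
        set -- $line            # split "ID NAME IP KEY" on whitespace
        echo "enrolled as ID $1 ($2)"
    fi
}

diagnose() {
    addr=${1:-$(manager_address <"$OSSEC_CONF")}
    if [ -z "$addr" ]; then
        echo "FAIL  no manager address in $OSSEC_CONF (MANAGER_IP placeholder still present?)"
        return 1
    fi
    echo "manager address: $addr"
    for port in 1514 1515; do
        if tcp_open "$addr" "$port"; then
            echo "OK    $addr:$port reachable"
        else
            echo "FAIL  $addr:$port not reachable (port forwarding / firewall on the DATAZONE side?)"
        fi
    done
    echo "enrollment:      $(enrollment_state "$CLIENT_KEYS")"
    echo "recent log lines mentioning errors or the connection:"
    tail -n 50 "$OSSEC_LOG" 2>/dev/null | grep -iE 'error|warn|connect' | tail -n 10 || true
}

if [ "${1:-}" = run ]; then shift; diagnose "$@"; fi
```

Read the two results together: "1515 reachable, not enrolled" points at the enrollment itself (wrong address, agent never started); "enrolled, 1514 not reachable" is the classic port-forwarding mistake where only the enrollment port was opened, and the manager will list the agent as `Never connected`.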
Dashboard Login Doesn't Work
Symptom: "Invalid username or password" when logging in with admin / D4taz0ne!Wazuh#2025.
Solution: Reload the security config (must be done after every indexer restart):
```bash
docker exec datazone-wazuh-indexer bash -c '
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh \
  -cd /usr/share/wazuh-indexer/opensearch-security/ \
  -nhnv \
  -cacert /usr/share/wazuh-indexer/certs/root-ca.pem \
  -cert /usr/share/wazuh-indexer/certs/admin.pem \
  -key /usr/share/wazuh-indexer/certs/admin-key.pem \
  -h localhost
'
```
Then restart the dashboard container:
```bash
docker compose restart wazuh-dashboard
```
Indexer Won't Start
```bash
docker compose logs wazuh-indexer --tail 50
```
Common causes:
- SSL error: certificates not generated -> run `bash wazuh/generate-certs.sh` (Step 1)
- Memory: the indexer's JVM heap is set to 1 GB via `OPENSEARCH_JAVA_OPTS: "-Xms1g -Xmx1g"` in docker-compose.yml, and the container needs about 2 GB of free RAM in total (see Prerequisites); check that value and the free memory on the server
- YAML error: check `wazuh/opensearch.yml` for syntax errors
DATAZONE Backend Can't Connect to Wazuh
- Use Settings > Wazuh SIEM > Test Connection
- Check the password stored in the DB; it must equal the API password set in docker-compose.yml:
  ```bash
  docker exec datazone-db psql -U datazone -d datazone_control \
    -c "SELECT value FROM settings WHERE key = 'wazuh_api_password';"
  ```
Agents Not Automatically Matched
- Is Auto-Match enabled in settings?
- Do the IP address or hostname match between the Wazuh agent and DATAZONE host?
- Trigger sync manually: Settings > Wazuh SIEM > Sync Now
Ports (Reference)
| Port | Protocol | Direction | Description |
|---|---|---|---|
| 1514 | TCP | Agent -> Server | Agent data (logs, events) |
| 1515 | TCP | Agent -> Server | Agent enrollment (initial registration) |
| 55000 | TCP | Internal only | Wazuh REST API (DATAZONE backend -> manager) |
| 9200 | TCP | Internal only | OpenSearch API (manager and dashboard -> indexer) |
| 443 | TCP | Internal only | Wazuh Dashboard container; users reach it through the existing Nginx at /wazuh/, so no additional port is opened for it |