blogs
Wazuh: The Free SIEM and EDR Worth Taking Seriously
Why Wazuh is a serious free alternative to commercial SIEM and EDR platforms, based on running it alongside Splunk in my home lab.
Wazuh: The Free SIEM and EDR Worth Taking Seriously
Not every organization can afford Splunk Enterprise or CrowdStrike Falcon. And for students and small security teams, commercial tools simply aren't accessible. Wazuh is the answer: a fully open-source SIEM and EDR platform that provides enterprise-grade capabilities at no license cost.
I've been running Wazuh alongside Splunk in my home lab, and I've come to appreciate them for different strengths. Here's what you need to know.
What Wazuh Actually Is
Wazuh is more than a SIEM — it's an integrated security platform covering:
- Log analysis and SIEM: Collects, normalizes, and analyzes logs from across your environment
- Intrusion Detection: Both host-based (HIDS) and network-based capabilities
- File Integrity Monitoring (FIM): Detects unauthorized changes to critical files and directories
- Vulnerability Detection: Scans agents for known CVEs
- Security Configuration Assessment (SCA): Checks systems against CIS benchmarks and compliance frameworks
- Incident Response: Remote command execution for active response to threats
- Cloud Security Monitoring: AWS, Azure, GCP integration
All of this in a single platform, completely free and open source (GPLv2).
Architecture
Wazuh has three main components:
Wazuh Agent: Installed on endpoints (Linux, Windows, macOS, containers). Collects log data, monitors file integrity, runs SCA checks, and reports to the manager.
Wazuh Manager: Central server that receives agent data, processes alerts using rulesets, and coordinates active response. Can scale horizontally for large deployments.
Wazuh Indexer and Dashboard: Based on OpenSearch (the open-source Elasticsearch fork). Stores events and provides a web UI for search, dashboards, and management.
Installation
The easiest path is using Wazuh's all-in-one installer:
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash wazuh-install.sh -a
This installs the full stack (manager + indexer + dashboard) on a single node. For production, these would be separated, but for a lab this is fine.
Access the dashboard at https://your-server-ip on port 443 after installation.
Adding Agents
Deploy agents to monitored endpoints via the Wazuh dashboard (Agents > Deploy New Agent) or manually:
Linux agent:
curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0_amd64.deb
WAZUH_MANAGER="your-manager-ip" sudo dpkg -i wazuh-agent.deb
sudo systemctl enable wazuh-agent && sudo systemctl start wazuh-agent
Within minutes, the agent appears in the dashboard and starts sending events.
File Integrity Monitoring
FIM is one of Wazuh's strongest features. Configure monitored directories in the agent's ossec.conf:
<syscheck>
<frequency>300</frequency> <!-- Check every 5 minutes -->
<!-- Monitor these critical directories -->
<directories check_all="yes" report_changes="yes">/etc</directories>
<directories check_all="yes">/usr/bin</directories>
<directories check_all="yes">/usr/sbin</directories>
<directories check_all="yes" report_changes="yes">/var/www/html</directories>
<!-- Ignore these noisy paths -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
</syscheck>
When a monitored file changes, Wazuh generates an alert with the file path, what changed (content, permissions, ownership), the process that made the change, and the user. For /etc/passwd or files in /usr/bin, this is the kind of visibility that catches privilege escalation and persistence techniques.
Security Configuration Assessment
SCA automatically audits your systems against security benchmarks. Out of the box, Wazuh ships with policies for:
- CIS benchmarks for Linux, Windows, macOS
- CIS Docker Benchmark
- AWS CIS Foundations
- PCI DSS
- HIPAA
Each policy runs hundreds of checks and produces a compliance score with specific findings:
[FAIL] 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
[FAIL] 3.1.1 Ensure IP forwarding is disabled
[PASS] 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
[FAIL] 5.3.1 Ensure password creation requirements are configured
For each failing check, Wazuh shows exactly what to fix and why it matters. This is an invaluable tool for system hardening.
Active Response
Wazuh can automatically respond to threats. A common configuration: automatically block IPs that generate too many failed SSH login attempts:
<!-- In ossec.conf on the manager -->
<active-response>
<command>firewall-drop</command>
<location>local</location>
<rules_id>5763</rules_id> <!-- Rule for brute force detection -->
<timeout>600</timeout> <!-- Block for 10 minutes -->
</active-response>
Rule 5763 fires when Wazuh detects 8 failed SSH authentication attempts within 2 minutes from the same source. Active response then runs iptables -A INPUT -s ATTACKER_IP -j DROP on the agent — automatically blocking the attacker.
This is the SIEM acting as an EDR: not just detecting but responding.
Wazuh vs. Splunk: My Comparison
| Capability | Wazuh | Splunk (Free) |
|---|---|---|
| License cost | Free | Free up to 500MB/day |
| HIDS / FIM | Built-in | Requires add-ons |
| Vulnerability detection | Built-in | Requires add-ons |
| SCA / compliance | Built-in | Requires add-ons |
| Active response | Built-in | Requires scripting |
| Search power | Good | Excellent (SPL is very powerful) |
| Ecosystem / integrations | Growing | Extensive |
| Learning curve | Moderate | Moderate-High |
Wazuh wins on out-of-the-box endpoint security coverage. Splunk wins on search power and ecosystem breadth. In a real SOC, you'd likely use both or combine Wazuh with Elastic SIEM.
For a student or small team with no budget, Wazuh provides more complete security coverage than Splunk's free tier.
Recommended Starting Configuration
- Deploy manager on a dedicated VM (2 CPU, 4GB RAM minimum)
- Add agents to all monitored systems
- Enable FIM on
/etc,/var/www,/usr/bin, and application config directories - Run SCA against CIS Linux benchmark on all Linux hosts
- Enable active response for SSH brute force and malware hash detection
- Set up email alerts for critical and high severity findings
- Build a dashboard showing: new vulnerability findings, SCA score trends, FIM events, authentication failures
Wazuh will tell you things about your systems you didn't know. That's both its value and, initially, its challenge — the alert volume requires tuning. But that tuning process itself is a learning experience about what normal looks like on your systems.
