blogs

Wazuh: The Free SIEM and EDR Worth Taking Seriously

Why Wazuh is a serious free alternative to commercial SIEM and EDR platforms, based on running it alongside Splunk in my home lab.

Jul 5, 2025
wazuhopen-sourcesiemedr
Wazuh: The Free SIEM and EDR Worth Taking Seriously

Preview

Wazuh: The Free SIEM and EDR Worth Taking Seriously

Not every organization can afford Splunk Enterprise or CrowdStrike Falcon. And for students and small security teams, commercial tools simply aren't accessible. Wazuh is the answer: a fully open-source SIEM and EDR platform that provides enterprise-grade capabilities at no license cost.

I've been running Wazuh alongside Splunk in my home lab, and I've come to appreciate them for different strengths. Here's what you need to know.

What Wazuh Actually Is

Wazuh is more than a SIEM — it's an integrated security platform covering:

  • Log analysis and SIEM: Collects, normalizes, and analyzes logs from across your environment
  • Intrusion Detection: Both host-based (HIDS) and network-based capabilities
  • File Integrity Monitoring (FIM): Detects unauthorized changes to critical files and directories
  • Vulnerability Detection: Scans agents for known CVEs
  • Security Configuration Assessment (SCA): Checks systems against CIS benchmarks and compliance frameworks
  • Incident Response: Remote command execution for active response to threats
  • Cloud Security Monitoring: AWS, Azure, GCP integration

All of this in a single platform, completely free and open source (GPLv2).

Architecture

Wazuh has three main components:

Wazuh Agent: Installed on endpoints (Linux, Windows, macOS, containers). Collects log data, monitors file integrity, runs SCA checks, and reports to the manager.

Wazuh Manager: Central server that receives agent data, processes alerts using rulesets, and coordinates active response. Can scale horizontally for large deployments.

Wazuh Indexer and Dashboard: Based on OpenSearch (the open-source Elasticsearch fork). Stores events and provides a web UI for search, dashboards, and management.

Installation

The easiest path is using Wazuh's all-in-one installer:

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash wazuh-install.sh -a

This installs the full stack (manager + indexer + dashboard) on a single node. For production, these would be separated, but for a lab this is fine.

Access the dashboard at https://your-server-ip on port 443 after installation.

Adding Agents

Deploy agents to monitored endpoints via the Wazuh dashboard (Agents > Deploy New Agent) or manually:

Linux agent:

curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.0_amd64.deb
WAZUH_MANAGER="your-manager-ip" sudo dpkg -i wazuh-agent.deb
sudo systemctl enable wazuh-agent && sudo systemctl start wazuh-agent

Within minutes, the agent appears in the dashboard and starts sending events.

File Integrity Monitoring

FIM is one of Wazuh's strongest features. Configure monitored directories in the agent's ossec.conf:

<syscheck>
  <frequency>300</frequency>  <!-- Check every 5 minutes -->
  
  <!-- Monitor these critical directories -->
  <directories check_all="yes" report_changes="yes">/etc</directories>
  <directories check_all="yes">/usr/bin</directories>
  <directories check_all="yes">/usr/sbin</directories>
  <directories check_all="yes" report_changes="yes">/var/www/html</directories>
  
  <!-- Ignore these noisy paths -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>
</syscheck>

When a monitored file changes, Wazuh generates an alert with the file path, what changed (content, permissions, ownership), the process that made the change, and the user. For /etc/passwd or files in /usr/bin, this is the kind of visibility that catches privilege escalation and persistence techniques.

Security Configuration Assessment

SCA automatically audits your systems against security benchmarks. Out of the box, Wazuh ships with policies for:

  • CIS benchmarks for Linux, Windows, macOS
  • CIS Docker Benchmark
  • AWS CIS Foundations
  • PCI DSS
  • HIPAA

Each policy runs hundreds of checks and produces a compliance score with specific findings:

[FAIL] 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
[FAIL] 3.1.1 Ensure IP forwarding is disabled  
[PASS] 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
[FAIL] 5.3.1 Ensure password creation requirements are configured

For each failing check, Wazuh shows exactly what to fix and why it matters. This is an invaluable tool for system hardening.

Active Response

Wazuh can automatically respond to threats. A common configuration: automatically block IPs that generate too many failed SSH login attempts:

<!-- In ossec.conf on the manager -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5763</rules_id>  <!-- Rule for brute force detection -->
  <timeout>600</timeout>     <!-- Block for 10 minutes -->
</active-response>

Rule 5763 fires when Wazuh detects 8 failed SSH authentication attempts within 2 minutes from the same source. Active response then runs iptables -A INPUT -s ATTACKER_IP -j DROP on the agent — automatically blocking the attacker.

This is the SIEM acting as an EDR: not just detecting but responding.

Wazuh vs. Splunk: My Comparison

CapabilityWazuhSplunk (Free)
License costFreeFree up to 500MB/day
HIDS / FIMBuilt-inRequires add-ons
Vulnerability detectionBuilt-inRequires add-ons
SCA / complianceBuilt-inRequires add-ons
Active responseBuilt-inRequires scripting
Search powerGoodExcellent (SPL is very powerful)
Ecosystem / integrationsGrowingExtensive
Learning curveModerateModerate-High

Wazuh wins on out-of-the-box endpoint security coverage. Splunk wins on search power and ecosystem breadth. In a real SOC, you'd likely use both or combine Wazuh with Elastic SIEM.

For a student or small team with no budget, Wazuh provides more complete security coverage than Splunk's free tier.

Recommended Starting Configuration

  1. Deploy manager on a dedicated VM (2 CPU, 4GB RAM minimum)
  2. Add agents to all monitored systems
  3. Enable FIM on /etc, /var/www, /usr/bin, and application config directories
  4. Run SCA against CIS Linux benchmark on all Linux hosts
  5. Enable active response for SSH brute force and malware hash detection
  6. Set up email alerts for critical and high severity findings
  7. Build a dashboard showing: new vulnerability findings, SCA score trends, FIM events, authentication failures

Wazuh will tell you things about your systems you didn't know. That's both its value and, initially, its challenge — the alert volume requires tuning. But that tuning process itself is a learning experience about what normal looks like on your systems.