Wazuh is an open source security platform that combines SIEM, lightweight XDR and compliance management in a single product, with agents deployed on every endpoint and a central console that correlates, alerts and reports. It grew out of OSSEC, is maintained by a company headquartered in San Jose with offices in Madrid, and has become the most used SIEM in the Spanish mid-market and in public administrations that want detection capability without a five-figure annual licence.
This guide explains what Wazuh is, how it is built under the hood, what it actually detects, how it compares with Splunk, Sentinel or Elastic Security, when it fits and when it does not, and how it supports compliance with NIS2, ENS, ISO 27001 and PCI DSS.
What Wazuh is
Wazuh is an open source security monitoring platform, free in its core version, that covers threat detection, file integrity, vulnerability management, configuration assessment and compliance reporting across endpoints and servers. You deploy lightweight agents on each machine (Windows, Linux, macOS, Solaris, AIX, containers), a central server receives the telemetry, correlates and indexes it, and a dashboard on top of OpenSearch presents alerts and metrics.
What it brings operationally:
- Continuous endpoint telemetry: system logs, file integrity, processes, configuration changes, command output.
- Threat detection through rules, decoders, MITRE ATT&CK integration and indicators of compromise.
- Vulnerability management comparing installed software against CVE databases (NVD, vendor feeds).
- Configuration auditing against benchmarks (CIS, PCI DSS, HIPAA).
- Active response capabilities: run commands, block IPs, isolate hosts.
- Compliance reporting mapped to common regulatory frameworks.
The essential difference with a commercial SIEM is not functionality but model: with Wazuh you don't pay for a licence, you pay for operation. If the organisation has a team capable of deploying, tuning and maintaining the platform, the saving is significant. If it does not, contracting a provider to operate Wazuh for the organisation is the usual way to adopt it.
Wazuh architecture
Wazuh is structured in four components that can live on a single machine (all-in-one deployment for PoCs or small environments) or be split across several to scale.
Wazuh Agent
Lightweight software (around 10-20 MB of RAM in operation) installed on every monitored asset. It collects system logs, monitors files (FIM), enumerates installed software, captures security events and sends them encrypted to the manager. It supports most modern operating systems and can be packaged with scripts for mass deployment (Ansible, Group Policy, Intune).
Wazuh Manager (or Wazuh Server)
The brain. Receives events from agents, normalises them with decoders, runs them through rules, generates alerts and triggers active responses if configured. It also manages agents (registration, keys, updates) and correlates events over time windows.
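The decoder-rule-active-response chain just described, as an added example (not from the Wazuh project or its stock ruleset): a level-0 child rule silences a benign source, a frequency/timeframe rule correlates failed logins into one brute-force alert, and an active response blocks the source for ten minutes. The parent rule ids (5710, 5760) are assumed to match the sshd ruleset shipped with your version; the scanner address and the thresholds are constructed.

```xml
<!-- File 1: /var/ossec/etc/rules/local_rules.xml on the manager.
     Custom rules must use ids in the 100000-120000 range. -->
<group name="local,sshd,">

  <!-- Tuning: a level-0 child of stock rule 5710 ("attempt to login using a
       non-existent user") fires instead of the parent for one known-benign
       source, so the authorised scanner (constructed IP) stops flooding the console. -->
  <rule id="100010" level="0">
    <if_sid>5710</if_sid>
    <srcip>10.0.0.50</srcip>
    <description>sshd: authorised vulnerability scanner, ignored.</description>
  </rule>

  <!-- Correlation over a time window: 5 alerts of stock rule 5760
       ("authentication failed") from the same source within 60 s are promoted
       to a single level-10 brute-force alert tagged with the ATT&CK technique.
       The stock ruleset ships its own sshd brute-force rule; this one tightens
       the threshold for exposed hosts. -->
  <rule id="100020" level="10" frequency="5" timeframe="60">
    <if_matched_sid>5760</if_matched_sid>
    <same_source_ip />
    <description>sshd: brute force, 5 failed logins in 60 s from the same source.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,pci_dss_10.2.4,</group>
  </rule>
</group>

<!-- File 2: /var/ossec/etc/ossec.conf on the manager. When rule 100020 fires,
     the agent that produced the event runs the stock firewall-drop script
     against the offending source and lifts the block after 600 s. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100020</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Add your own management addresses to the manager's `<global><white_list>` so an active response can never lock the team out; restart the manager after editing either file.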
Wazuh Indexer
Storage and search layer based on OpenSearch (Elasticsearch fork). Indexes every alert and every event the manager decides to persist, allows fast full-text searches and supports aggregations for dashboards.
Wazuh Dashboard
Frontend based on OpenSearch Dashboards (Kibana fork). Shows alerts in real time, allows ad-hoc searches, exposes compliance visualisations (NIS2, PCI DSS, HIPAA), manages agents and configures rules.
In medium or large deployments, the usual setup separates manager (active-active cluster), indexer (cluster with shards and replicas) and dashboard, all orchestrated with Kubernetes or with a traditional distributed install.
What Wazuh detects
The core capabilities that deliver value in production:
- File Integrity Monitoring (FIM). Detects changes in sensitive files and directories (/etc/passwd, SSH keys, service configurations, application files). Generates an alert with details of the change (which process, which user, what hash before and after).
- Log analysis. Processes system and application logs (auth, syslog, Windows event log, IIS, Apache, Nginx, databases, firewall, AD, IDS). Decoders normalise formats, rules detect intrusion patterns, brute force, anomalous activity.
- Rootkit and malware detection. Search for known rootkits, suspicious files, hidden processes, kernel hooks.
- Security Configuration Assessment (SCA). Periodic endpoint audit against CIS benchmarks and custom templates: up-to-date patches, strong passwords, unnecessary services, firewall configuration.
- Vulnerability detection. Comparison of the software inventory against CVE feeds (NVD, Microsoft, Red Hat, Ubuntu, Debian, Adobe). Report prioritised by CVSS severity and patching status.
- MITRE ATT&CK mapping. Every relevant rule carries a tag to ATT&CK techniques, which lets you build defensive coverage maps. This is the piece that connects Wazuh with mature threat hunting.
- Cloud security. Native integrations with AWS (CloudTrail, GuardDuty, S3 access logs), Azure (Activity Logs, Entra ID) and GCP (Audit Logs).
- Container security. Monitoring of Docker, Kubernetes and container registries.
- Active Response. Predefined automatic actions (block IP at the firewall, disable account, run forensic script) when a rule fires.
Coverage is broad, but in depth it does not equal a pure EDR like CrowdStrike Falcon or SentinelOne. Wazuh is very strong in logs, FIM, compliance and vulnerabilities; reasonable but not top-tier in automated endpoint response. More in what is EDR.
Wazuh compared to commercial SIEMs
A practical comparison with the names that show up most often in Spanish RFPs.
Wazuh
- Model: open source, free. Optional paid enterprise support.
- Cost: zero in licences, high in internal operation or via provider.
- Learning curve: medium-high. Configuring custom rules and decoders requires experience.
- Best for: mid-market, public administrations, organisations with an internal technical team or a partner that operates the platform.
Splunk Enterprise Security
- Model: commercial, licence per GB ingested or per workload.
- Cost: high. Often outside mid-market budgets.
- Learning curve: high; SPL is a proprietary query language.
- Best for: enterprises with budget, complex cases, heavy customisation.
Microsoft Sentinel
- Model: cloud-native, pay per GB ingested and retained.
- Cost: variable, manageable when the stack is already on Microsoft 365.
- Learning curve: medium. KQL is reasonable for teams with SQL background.
- Best for: organisations with Azure / Microsoft 365 in production.
Elastic Security
- Model: open core, some enterprise features behind licence.
- Cost: low in the free version, climbs with commercial features.
- Learning curve: high if built on top of your own Elastic stack.
- Best for: teams already running Elastic for observability who want to add security.
The choice is rarely decided on pure technical capability. Total cost (licence plus operation), native integrations with the current stack and team experience weigh more.
Typical use cases in European companies
Deployment patterns we see in mid-market and public sector:
- Internal SOC on a tight budget. Wazuh + agents on critical endpoints + integration with firewalls. Custom rules for the organisation's specific logs. Coverage sufficient to detect brute force, basic exfiltration, FIM alerts and basic compliance.
- Support for outsourced SOC. Wazuh as the platform the MSSP operates on. Keeps the data in the client's infrastructure and allows changing provider without losing history.
- NIS2 / ENS compliance. Wazuh deployment to cover continuous monitoring requirements, vulnerability management and incident reporting at a reasonable cost. Pre-configured compliance templates accelerate the audit.
- Hybrid infrastructure. Wazuh monitors on-premise + cloud (AWS, Azure, GCP) in a single console, without having to migrate operations to the hyperscaler's cloud SIEM.
- Detection complementing a commercial EDR. The organisation has EDR (Defender for Endpoint, CrowdStrike) and adds Wazuh for FIM on Linux servers, compliance and aggregation of non-endpoint logs (firewall, switches, applications).
Deployment and sizing
Three common models depending on volume.
All-in-one (PoC and small organisations)
Manager + indexer + dashboard on a single VM. Supports up to a few hundred agents with appropriate sizing. Useful to start, not recommended for critical production.
Traditional distributed
Dedicated manager, indexer in cluster (minimum 3 nodes for high availability), separate dashboard. Supports thousands of agents. The most common pattern in mid-sized organisations.
Multi-cluster with federated manager
Several managers across regions or sites sending alerts to a central indexer. Useful for geographically distributed organisations or with data sovereignty requirements.
For sizing, the key points are: events per second (EPS) generated by the agents, desired retention (compliance usually requires 6-12 months), and number of concurrent agents. The official documentation publishes sizing matrices worth reviewing before a PoC.
Wazuh and compliance
Frameworks where Wazuh delivers direct evidence with preconfigured templates:
- NIS2 (article 21). Threat detection, vulnerability management, file integrity, continuous monitoring. The platform documents technical capability for the article 21 points that translate to operations. More in NIS2 in Spain: a compliance guide for 2026.
- ENS (Spanish Royal Decree 311/2022). Wazuh covers op.exp.7 (incident management), op.exp.8 (activity logging), op.mon (monitoring), op.cont (service continuity) with templates aligned to system categorisation.
- ISO 27001:2022. Controls 8.15 (logging), 8.16 (monitoring activities), 8.7 (protection against malware), 8.8 (technical vulnerability management).
- PCI DSS v4.0. Req. 10 (logging and monitoring), req. 11.5 (FIM on critical components), req. 6.3 (vulnerability management).
- HIPAA, GDPR, GLBA, NIST 800-53. Additional templates by sector.
Important: having Wazuh deployed does not equal being compliant. The audit demands active rules, attended alerts, response runbooks, adequate retention and documented processes. The product is the tool; compliance is the operation.
Common mistakes in deployments
What we see when reviewing existing implementations:
- All-in-one deployment in critical production. Works until the volume grows and the indexer saturates the disk. Move to distributed as soon as you have more than a few hundred agents.
- Default rules without tuning. They generate huge noise and analysts stop looking. You have to adjust to the environment: silence the benign, prioritise the critical, write custom decoders for your own applications.
- No adequate retention. By default, old indexes get deleted fast. Compliance typically needs 6-12 months retention, which requires planning disk capacity from the start.
- Agents without a mass deployment strategy. Installing by hand on 500 hosts is unworkable. Use GPO, MDM, Ansible, Puppet or Chef from day one.
- FIM misconfigured. Watching the whole system generates false positives. List critical folders (/etc, /root/.ssh, application configurations) and exclude the ones that legitimately change all the time (/var/log, caches).
- No integration with the response chain. Alerts stay in the dashboard. Export to ticketing (Jira, ServiceNow), notify the team (Slack, Teams) and, if applicable, correlate in SOAR.
- High availability forgotten. Manager or indexer on a single machine means losing visibility when it fails. Use an active-active cluster in serious production.
- Postponed updates. Wazuh evolves fast and new versions bring rules, decoders and performance improvements. Staying on an old version for a year loses detection.
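The FIM mistake above, shown as a syscheck configuration with the noisy setting commented out beside the corrected one; this is an added example, not configuration from the Wazuh project, and the /opt/app/conf path is constructed for it.

```xml
<!-- /var/ossec/etc/ossec.conf on a Linux agent, or the shared agent.conf pushed from the manager -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <!-- Full baseline scan every 12 h; realtime directories below are watched between scans -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- The mistake: watching the whole filesystem. Every package upgrade, log write
         and cache refresh becomes a FIM alert and analysts stop reading them.
    <directories check_all="yes" realtime="yes">/</directories>
    -->

    <!-- The fix: only the paths an intruder must touch to persist or escalate.
         /var/log and caches are simply not listed, so they need no ignore rule. -->
    <directories check_all="yes" realtime="yes">/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
    <!-- whodata records the user and process behind each change (needs auditd on Linux);
         report_changes attaches a diff of the modified file to the alert -->
    <directories check_all="yes" whodata="yes" report_changes="yes">/root/.ssh</directories>
    <!-- Application configuration (constructed path for this example) -->
    <directories check_all="yes" realtime="yes">/opt/app/conf</directories>

    <!-- Files inside the watched trees that legitimately change all the time -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore>/etc/adjtime</ignore>
    <!-- sregex is the simple matcher (^ $ | only): editor swap and backup files anywhere -->
    <ignore type="sregex">.swp$|.bak$|~$</ignore>

    <!-- Alert that the key changed, but never copy its contents into the alert -->
    <nodiff>/root/.ssh/id_rsa</nodiff>
    <nodiff>/root/.ssh/id_ed25519</nodiff>
  </syscheck>
</ossec_config>
```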
Frequently asked questions
Is Wazuh really free?
The core version is, with no licence cost and under AGPLv3. Wazuh Inc. offers paid enterprise support (SLA, advisory, training) that many companies contract when going to production. The big invoice is not the tool, it's the team or the partner that operates it.
Does Wazuh cover the functions of a complete EDR?
It covers a good part (endpoint telemetry, FIM, suspicious process detection, active response) but it does not match a top EDR like CrowdStrike Falcon or SentinelOne in depth of telemetry, kernel hooks, local machine learning or granular automated response. Companies that need advanced EDR usually combine Wazuh (logs, compliance, FIM, vulnerability management) with a commercial EDR.
How many agents does Wazuh support?
With appropriate sizing, tens of thousands. Public cases mention deployments with more than 50,000 agents running against distributed clusters. For mid-market (hundreds to a few thousand agents), a modest cluster is enough.
How does Wazuh compare with OSSEC?
Wazuh started as a fork of OSSEC and has surpassed it in almost everything: distributed architecture, OpenSearch integration, modern dashboard, MITRE ATT&CK, vulnerability detection, cloud security. OSSEC is still active but Wazuh is the current mainstream option.
Is Wazuh enough for NIS2 compliance?
It is an important piece, not the only one. It covers detection, monitoring, vulnerability management and reporting. NIS2 also requires organisational measures (governance, training, vendor management, continuity plan) that don't fall under a SIEM's scope. Wazuh delivers the technical evidence for article 21; the rest of compliance is built on top.
Can an MSSP operate Wazuh for my company?
Yes, it's a common model. The client deploys Wazuh on its own infrastructure (keeping data sovereignty) and a managed cybersecurity provider takes 24/7 operation: rule tuning, alert handling, periodic threat hunting, reporting. This is the way to adopt Wazuh without building an internal SOC.
Related resources
- What is SIEM and how it works: the broader category Wazuh sits in, compared with Splunk, Sentinel, QRadar.
- What is a SOC (Security Operations Center): the function that operates Wazuh day to day.
- What is EDR (Endpoint Detection and Response): the adjacent category Wazuh complements on critical endpoints.
- What is threat hunting and how it works: the proactive discipline that leverages Wazuh telemetry.
- What is MDR (Managed Detection and Response): the outsourced service many companies contract that operates precisely on Wazuh.
- What is a CVE: vulnerabilities explained: the identifier system Wazuh uses for vulnerability detection.
- What is MITRE ATT&CK: tactics, techniques: the framework Wazuh rules tag against for coverage mapping.
Wazuh at Secra
At Secra we work with Wazuh on two fronts: as audit (review of existing deployments, validation of rule coverage against real TTPs via purple team, tuning improvement proposals) and as support in projects where the organisation wants to start SIEM capability at a reasonable cost. If your organisation is evaluating Wazuh as an alternative to a commercial SIEM or wants to validate the posture of the Wazuh already in place, get in touch through contact or check our managed cybersecurity services.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.