Posted by LorenDB 10/28/2024

Wazuh – Open-source security platform(wazuh.com)
110 points | 59 comments
krunck 10/30/2024|
This is built upon OSSEC[1]. While it works ok, with Elastic underneath it's far too much maintenance for my 30 servers.

[1] - https://www.ossec.net/

ArnoVW 10/30/2024||
There is a hosted offering https://wazuh.com/cloud

I run an in-house deployment using the Docker conf they supply. It requires a couple of hours per month and mainly a lot of disparate skills.

The real thing that takes time is the installation and configuration of the rules and agents. That’s something that you have to do for any SIEM really, irrespective of open source / paid: you have to understand your nominal feed and that takes time.

yabones 10/30/2024|||
Sadly OSSEC is largely abandoned. Back in the day it was very good for a lightweight and effective security system for those that didn't want to install full-blown antivirus on everything. I wish they would donate the project to Linux Foundation or CNCF, but it seems destined for decline.
bluepuma77 10/30/2024||
It seems their official Docker image is 5 years old.
valyala 11/5/2024||
It would be great to be able to use VictoriaLogs underneath instead of Elasticsearch. This would simplify the configuration and maintenance, since VictoriaLogs works optimally with default configs on any hardware. This will also help reduce hardware costs for large amounts of stored security logs, since VictoriaLogs usually needs up to 30x less RAM and up to 15x less disk space than Elasticsearch for the same amounts of logs. See https://itnext.io/how-do-open-source-solutions-for-logs-work... for details.
stego-tech 10/30/2024||
Kicked the tires on it, but the agent requirement was a no-go for me. Coming from Enterprise Infrastructure, mandating Yet Another Agent is already knocking your product down several grades versus those leveraging OpenTelemetry or standardized collectors and forwarders.

An agentless Nessus scan (man, I miss Nessus) gets you 90% of the way there for all but the most security-conscious organizations, and its agent is honestly kind of light and simple if I have to install it.

waihtis 10/30/2024|
Wazuh does much more than Nessus, for instance you can instruct the agent to temporarily drop networking if you identify a compromised machine. Agentless scans will do nothing of the like.
stego-tech 10/30/2024||
I appreciate the different feature sets, but there's almost always another endpoint agent you can build that behavior onto/through in the modern enterprise. Posture control isn't exactly a unique feature, and my original opinion still stands: between CrowdStrike, Tanium, SentinelOne, Defender, AirWatch, New Relic, and OpenTelemetry, I've seen a web of similar-ish feature sets with agents alone consuming upwards of 10% of the machine's CPU power just in the background.

What's worse, Wazuh doesn't even fully replace any of those above agents, meaning it has to be yet another complimentary agent on the machine. No thanks, when New Relic + OpenTelemetry can feed me all of the machine's logs and monitoring statistics, while a competent ITAM/ITSM can alert on out-of-bounds posture and trigger network or Identity systems to shutdown access. Hell, I'm old enough to remember when basic log forwarding and SNMP traps were all that was needed to effectively monitor machines, before developers and vendors began locking stuff up behind new APIs or services they could monetize better.

Don't get me wrong, I want Wazuh to succeed because nobody should have to shell out thousands of dollars a month for basic security posturing and monitoring; right now though, Wazuh ain't it.

waihtis 10/30/2024||
I agree with everything you said; the point was just that Wazuh and Nessus aren't exactly the same type of tools.
cyberpunk 10/30/2024||
Spoiler alert: agent based. Ran it before, was a maint burden of the first order.
deskr 10/30/2024||
It's not exactly the surprise of the century that running your own services, let alone a security platform, requires maintenance.

What was it specifically that made it a "maint burden of the first order?"

JediPig 10/30/2024||
I have first-hand experience with this product for over 2 years. It is a PITA from an SRE/DevOps security point of view. Things constantly break: the indexes, emailing reports, just general bit rot. The source code is at best a good first attempt, but sorely lacking.

I have built 2 SIEMs from the ground up.

ArnoVW 10/30/2024|||
I used their docker based installation. Upgraded it a couple of times, takes me 1h each time (mostly because I am more of a PHB and not a devops)

Never had a single issue with indexes, though we only ingest 500k+ events per day for ~endpoints.

Don’t use email but notifications by Slack. Never had it fail in one year.

Honestly, I almost feel bad for the amount of value I'm getting for free. So I'm happy to give back: I made an integration that recovers all Google Workspace events (https://github.com/avanwouwe/wazuh-gworkspace) if anyone's using Wazuh? I also plan on publishing my Chrome extension integration (behavioral analysis and malware and shadow IT detection) in a couple of days!

eppp 10/30/2024|||
I have run it for a while and I have yet to successfully upgrade it a single time. I always just end up rebuilding the server to get a new version.
heraldgeezer 10/30/2024|||
Did you think it was set and forget? There is a reason companies have entire SOC teams only looking at EDR and SIEM.

What SIEM did you move to that was less of a burden?

thesuitonym 10/30/2024|||
I know of no similar package that isn't agent based, at least when it comes to endpoints. I'd be happy to hear an alternative, though.
rafaelalb 10/30/2024|||
Why was it a burden?
ArnoVW 10/30/2024|||
There is an agentless option that just requires ssh access. Not something I’d prefer from a security point of view, but it’s possible.
lfkdev 10/30/2024||
Agent based is not really a big burden; most monitoring systems work like this (Prometheus). Companies use Ansible etc.
alfons_foobar 10/30/2024||
Prometheus is not agent based though
arnejenssen 10/30/2024||
It is mind-blowing that such a good SIEM (Security information and event management) software can be free.
alias_neo 10/30/2024||
I'd like to give you a virtual cookie, for being the only person in the comments so far to spell out what SIEM stands for.

I appreciate you.

EatFlamingDeath 10/30/2024||
Seriously, this is getting out of hand in the cybersecurity space. SAST, DAST, SBOM, WAF, SOAR, TPRM, NGFW, MSSP...
conception 10/30/2024|||
I noticed that in ‘22 there was a solid shift from three letter acronyms to four. Madness.
bikingbismuth 10/31/2024|||
Don’t forget CAASM!
candiddevmike 10/30/2024||
> such a good SIEM

Source? The value a SIEM provides these days is mostly the out of the box integrations and log parses. Wazuh is far from that, IME.
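An added illustration (not from this thread, and not Wazuh's own code) of the two pieces the comment above calls the value of a SIEM: a decoder that turns a raw syslog line into fields, and a frequency rule that correlates the decoded events per source over a time window, which is the part a plain log store with single-line alerting does not give you. The sshd lines, host name, addresses and the "5 failures in 120 seconds" threshold are all constructed for the example; a real deployment would use the SIEM's own decoders and rule syntax.

```python
"""Decoder + frequency rule: the two layers a SIEM adds over a log database.
Added example with constructed log lines; not Wazuh's decoders or rules."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Decoder: one regex for OpenSSH "Failed password" syslog lines.
# The field names (ts, host, user, srcip) are this example's own choice.
SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>[\d.]+) port \d+"
)
ASSUMED_YEAR = 2024  # classic syslog timestamps carry no year (assumption)


def decode(line):
    """Return a structured event for a line the decoder understands, else None."""
    m = SSHD_FAILED.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "srcip": m["srcip"]}


class FrequencyRule:
    """Fire when `frequency` events share the same key within `timeframe` seconds.
    A sliding window of timestamps is kept per key and reset once the rule fires,
    so one burst produces one alert instead of one per extra line."""

    def __init__(self, name, frequency, timeframe, key="srcip"):
        self.name, self.frequency, self.timeframe, self.key = name, frequency, timeframe, key
        self.windows = defaultdict(deque)

    def feed(self, event):
        key = event[self.key]
        window = self.windows[key]
        window.append(event["ts"])
        # Drop timestamps that have fallen out of the window.
        while (event["ts"] - window[0]).total_seconds() > self.timeframe:
            window.popleft()
        if len(window) < self.frequency:
            return None
        alert = {"rule": self.name, self.key: key, "count": len(window),
                 "first_seen": window[0], "last_seen": event["ts"]}
        window.clear()
        return alert


def run(lines, frequency=5, timeframe=120):
    """Decode every line and feed decoded events to the rule.
    Returns (alerts, number_of_lines_the_decoder_skipped)."""
    rule = FrequencyRule("sshd-bruteforce", frequency, timeframe)
    alerts, undecoded = [], 0
    for line in lines:
        event = decode(line)
        if event is None:
            undecoded += 1
            continue
        alert = rule.feed(event)
        if alert:
            alerts.append(alert)
    return alerts, undecoded


# Constructed sample log: five failures from one address within 11 seconds,
# two slow failures from another, and one line the decoder does not handle.
SAMPLE_LOG = [
    "Oct 30 10:00:01 bastion sshd[4321]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Oct 30 10:00:03 bastion sshd[4322]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2",
    "Oct 30 10:00:05 bastion sshd[4323]: Failed password for alice from 198.51.100.7 port 51000 ssh2",
    "Oct 30 10:00:06 bastion sshd[4324]: Failed password for root from 203.0.113.5 port 40003 ssh2",
    "Oct 30 10:00:09 bastion sshd[4325]: Failed password for invalid user oracle from 203.0.113.5 port 40004 ssh2",
    "Oct 30 10:00:10 bastion sshd[4326]: Accepted password for alice from 198.51.100.7 port 51001 ssh2",
    "Oct 30 10:00:12 bastion sshd[4327]: Failed password for root from 203.0.113.5 port 40005 ssh2",
    "Oct 30 10:05:00 bastion sshd[4328]: Failed password for alice from 198.51.100.7 port 51002 ssh2",
]

if __name__ == "__main__":
    found, skipped = run(SAMPLE_LOG)
    for a in found:
        print(f"{a['rule']}: {a['srcip']} made {a['count']} failed logins between "
              f"{a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
    print(f"{skipped} line(s) not decoded")
```

The decoder count matters as much as the alert: lines a SIEM cannot decode never reach any rule, which is why the thread's point about shipped decoders and integrations is the practical one.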

BrandoElFollito 10/30/2024||
My team tested it when we were choosing an EDR and SIEM. The experience was horrendous.

The maintenance is huge, you need to hunt for rulesets, the EDR is half baked, etc.

pphysch 10/30/2024||
What net benefits does a full blown "SIEM" add over a simple log database w/ alerting support?
lousken 10/30/2024||
Building on top of elastic was an easy win. However, SCAs need a lot more love. Some of them are wrong/outdated, while many are missing.
bks 10/30/2024||
So what SIEM do people suggest? AWS shop: EC2, VPC, Lambda, RDS.
lionkor 10/30/2024||
> Unified XDR and SIEM protection for endpoints and cloud workloads

Guess IDC ABT this. Jokes aside, read the page, still don't know if I care about this or need it...

amne 10/30/2024|
TIL that SIEM, SCA, XDR (and more?) exist. Now to go and find out what they actually mean (and please don't point out that SIEM is already explained on their page).

Clearly parent could have phrased it more explicitly that he knows nothing about this field. But I also see downvoting him as a form of gatekeeping.

ThinkBeat 10/30/2024|
I am not familiar with the term.

"Universal agent" is some form of antivirus, ransomware software like ESET or McAfee?

Or does the universal agent listen to "endpoint security", somebody else's antivirus that reports what it finds up the chain?

And the next step is that the data gets to the server, is parsed, stored etc. and presented on a nice GUI?

"Someone probed computer3 with a known exploit at (somedatetime)"?

stevenAthompson 10/30/2024||
They're implying that you have a single agent which does the EDR (antivirus) and SIEM (logging) functionality instead of two separate agents. This is becoming more commonplace throughout the security industry as multiple agents can be burdensome from both a security and maintenance perspective.
ThinkBeat 10/30/2024||
Agreed about the security and maintenance perspective.

Does that then mean we can conclude that the agent that comes with this product is a fully fledged endpoint security product like ESET/McAfee etc.?

I am wondering about this since a top notch free and open source antivirus and malware program would be super useful and cheap

stevenAthompson 10/30/2024||
I haven't used it, and can't speak to it being "top notch", but they're advertising it as a fully fledged endpoint product that even includes some things like FIM (File Integrity Monitoring), which are usually only available as expensive add-ons or additional modules with traditional security products like McAfee.

If it were me, I would compare and contrast its features and support with commercial offerings and see which one you feel the most comfortable with. There's a lot at stake when it comes to security. It's probably best not to let your decisions be 100% about up-front cost.
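A minimal sketch of what the FIM module mentioned above does, added as an illustration (not code from this thread or from Wazuh): hash every regular file under a monitored root together with its size and permission bits, keep that as the baseline, rescan later and report what was added, deleted or changed. The directory layout and the changes made in `demo()` are constructed for the example; a real agent persists the baseline and watches the tree continuously rather than rescanning on demand.

```python
"""Baseline-and-diff file integrity check. Added example; the monitored tree
and the changes in demo() are constructed, not taken from any real system."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (POSIX path relative to root) to its
    content hash, size and permission bits. Symlinks are skipped so a link
    cannot drag the scanner outside the monitored tree."""
    root = Path(root)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            st = p.stat()
            if not stat.S_ISREG(st.st_mode):
                continue
            state[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return state


def diff(baseline, current):
    """Compare two snapshots: new files, deleted files, and for files present
    in both, which attributes changed as (old, new) pairs."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = {k: (baseline[rel][k], current[rel][k])
                   for k in ("sha256", "size", "mode")
                   if baseline[rel][k] != current[rel][k]}
        if changed:
            modified[rel] = changed
    return {"added": added, "deleted": deleted, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, change it, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc" / "cron.d").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF placeholder binary")
        (root / "bin" / "tool").chmod(0o755)
        baseline = snapshot(root)

        # Changes a later scan should surface:
        with open(root / "etc" / "passwd", "a") as f:
            f.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")  # content change
        (root / "bin" / "tool").chmod(0o777)                         # permission change only
        (root / "etc" / "hosts").unlink()                            # deletion
        (root / "etc" / "cron.d" / "nightly").write_text("0 2 * * * root /usr/local/bin/job\n")  # new file
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    report = demo()
    for rel in report["added"]:
        print(f"added     {rel}")
    for rel in report["deleted"]:
        print(f"deleted   {rel}")
    for rel, changes in report["modified"].items():
        print(f"modified  {rel}: " + ", ".join(f"{k} {old!r} -> {new!r}"
                                                for k, (old, new) in changes.items()))
```

Recording the mode alongside the hash is what lets the scan flag `bin/tool`, whose bytes did not change at all; a content-only check would miss a file that was merely made world-writable.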

lfkdev 10/30/2024||
As far as I know it's just a node exporter, similar to Prometheus node-exporter.