Overview

Wazuh provides a unified security information and event management (SIEM) platform for Xloud environments. Agents deployed on compute instances forward security events, system logs, and file integrity alerts to a central Wazuh manager. The manager correlates events across all monitored instances, applies detection rules, and generates alerts for security incidents, compliance violations, and vulnerability findings.
Prerequisites
  • Wazuh manager 4.7 or later deployed (standalone or cluster)
  • Network access from all instances to the Wazuh manager on TCP port 1514 (agent enrollment) and TCP port 1515 (agent registration)
  • sudo or root access on instances for agent installation
  • Ansible for automated bulk deployment (recommended for more than 5 instances)

Architecture

Components

Component          Role
Wazuh Agent        Installed on each monitored instance — collects logs, monitors files, and reports to the manager
Wazuh Manager      Receives agent data, evaluates detection rules, and generates security alerts
Wazuh Indexer      OpenSearch-based index for storing and querying security events
Wazuh Dashboard    Web UI for alert review, compliance reports, and agent management

Agent Deployment

Manual Installation (Single Instance)

Add Wazuh repository

Add Wazuh GPG key and repository
# The keyring under /usr/share/keyrings is root-owned, so the import and chmod need sudo
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | \
  sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg \
  --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg

echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] \
  https://packages.wazuh.com/4.x/apt/ stable main" | \
  sudo tee /etc/apt/sources.list.d/wazuh.list

sudo apt-get update

Install the agent

Install Wazuh agent
# The package post-install script reads WAZUH_MANAGER and WAZUH_AGENT_NAME to enroll the agent.
# sudo's default env_reset drops variables set in front of it, so pass them through env.
sudo env WAZUH_MANAGER="<wazuh-manager-ip>" \
  WAZUH_AGENT_NAME="$(hostname)" \
  apt-get install -y wazuh-agent
Replace <wazuh-manager-ip> with the IP address of your Wazuh manager.

Enable and start the agent

Start Wazuh agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
The agent enrolls with the manager on first start. Verify in the Wazuh Dashboard under Agents — the instance appears with status Active.

Bulk Deployment via Ansible

Deploy Wazuh agents to all Xloud instances using the Ansible dynamic inventory:
playbooks/wazuh-deploy.yml
---
- name: Deploy Wazuh agent to all instances
  hosts: all
  become: true
  vars:
    wazuh_manager_ip: "10.0.1.71"
    wazuh_version: "4.7"

  tasks:
    - name: Download Wazuh GPG key (Debian/Ubuntu)
      ansible.builtin.get_url:
        url: https://packages.wazuh.com/key/GPG-KEY-WAZUH
        dest: /usr/share/keyrings/wazuh.asc
        mode: "0644"
      when: ansible_os_family == "Debian"

    - name: Add Wazuh repository signed by that key (Debian/Ubuntu)
      ansible.builtin.apt_repository:
        repo: "deb [signed-by=/usr/share/keyrings/wazuh.asc] https://packages.wazuh.com/4.x/apt/ stable main"
        state: present
        filename: wazuh
      when: ansible_os_family == "Debian"

    - name: Install Wazuh agent pinned to the configured minor version (Debian/Ubuntu)
      ansible.builtin.apt:
        name: "wazuh-agent={{ wazuh_version }}*"
        state: present
        update_cache: true
      environment:
        # Read by the package post-install script to enroll the agent
        WAZUH_MANAGER: "{{ wazuh_manager_ip }}"
        WAZUH_AGENT_NAME: "{{ inventory_hostname }}"
      when: ansible_os_family == "Debian"

    - name: Enable and start Wazuh agent
      ansible.builtin.systemd:
        name: wazuh-agent
        enabled: true
        state: started
        daemon_reload: true

    - name: Verify agent is running
      ansible.builtin.command: systemctl is-active wazuh-agent
      register: agent_status
      changed_when: false

    - name: Confirm agent status
      ansible.builtin.assert:
        that: agent_status.stdout == "active"
        fail_msg: "Wazuh agent is not running on {{ inventory_hostname }}"
Run the playbook using the Xloud dynamic inventory:
Deploy Wazuh agents to all instances
ansible-playbook -i inventory/openstack.yml playbooks/wazuh-deploy.yml

Log Collection Configuration

Configure the agent to forward specific log files to the Wazuh manager for centralized analysis:
/var/ossec/etc/ossec.conf (log collection section)
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>

  <localfile>
    <log_format>json</log_format>
    <location>/var/log/app/*.json</location>
  </localfile>
</ossec_config>

File Integrity Monitoring

Wazuh monitors filesystem paths for unauthorized modifications — files added, deleted, or modified outside of expected change windows trigger alerts:
/var/ossec/etc/ossec.conf (FIM section)
<ossec_config>
  <syscheck>
    <frequency>3600</frequency>
    <alert_new_files>yes</alert_new_files>

    <!-- Several paths in one <directories> element are comma-separated -->
    <directories check_all="yes" report_changes="yes" realtime="yes">/etc</directories>
    <directories check_all="yes" report_changes="yes">/usr/bin,/usr/sbin,/bin,/sbin</directories>

    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <!-- In Wazuh sregex a bare dot is a literal character -->
    <ignore type="sregex">.log$|.swp$</ignore>
  </syscheck>
</ossec_config>
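The log collection and FIM fragments above share a failure mode the troubleshooting section touches on: a localfile location that matches nothing is silently skipped, and a syscheck directories element that lists paths without commas is read as one malformed path. The following checker is an added example (not part of the Xloud docs or of Wazuh) that parses an agent-side ossec.conf fragment, tolerating the multiple top-level <ossec_config> blocks Wazuh permits, and reports both problems before the config is pushed. The sample config and the staged filesystem tree are constructed inline; KNOWN_LOG_FORMATS is an assumed subset of the formats this page uses, not the full Wazuh list.

```python
"""Offline sanity checks for agent-side ossec.conf fragments (added example)."""
import glob
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumption: only the collector formats used on this page, not the full Wazuh set.
KNOWN_LOG_FORMATS = {"syslog", "apache", "json"}

# Constructed sample: the page's localfile list plus one syscheck block with
# two deliberate mistakes (a relative path and newline-separated paths).
SAMPLE_CONFIG = """
<ossec_config>
  <localfile><log_format>syslog</log_format><location>/var/log/syslog</location></localfile>
  <localfile><log_format>syslog</log_format><location>/var/log/auth.log</location></localfile>
  <localfile><log_format>apache</log_format><location>/var/log/nginx/access.log</location></localfile>
  <localfile><log_format>apache</log_format><location>/var/log/nginx/error.log</location></localfile>
  <localfile><log_format>json</log_format><location>/var/log/app/*.json</location></localfile>
</ossec_config>
<ossec_config>
  <syscheck>
    <directories check_all="yes" realtime="yes">/etc</directories>
    <directories check_all="yes">/usr/bin,/usr/sbin,etc/ssh</directories>
    <directories check_all="yes">/bin
      /sbin</directories>
  </syscheck>
</ossec_config>
"""


def parse_ossec_config(text):
    """ossec.conf may hold several top-level <ossec_config> blocks, which is not
    well-formed XML; wrap them in a synthetic root so ElementTree accepts it."""
    return ET.fromstring("<root>" + text + "</root>")


def localfile_issues(root, root_dir="/"):
    """Return (location, problem) pairs for <localfile> entries the agent would
    skip. Locations are resolved under root_dir so a staged tree can be checked."""
    issues = []
    for lf in root.iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        loc = (lf.findtext("location") or "").strip()
        if not loc:
            issues.append(("<missing>", "localfile without <location>"))
            continue
        if fmt not in KNOWN_LOG_FORMATS:
            issues.append((loc, f"unknown log_format '{fmt}'"))
        pattern = os.path.join(root_dir, loc.lstrip("/"))
        if not glob.glob(pattern):  # wildcards in <location> are allowed
            issues.append((loc, "no file matches this location"))
    return issues


def syscheck_directories(root):
    """Flatten every <directories> element into (path, attributes) pairs; Wazuh
    expects multiple paths in one element to be comma-separated."""
    paths = []
    for d in root.iter("directories"):
        for p in (d.text or "").split(","):
            p = p.strip()
            if p:
                paths.append((p, dict(d.attrib)))
    return paths


def syscheck_issues(root):
    """Flag relative paths and paths that still contain whitespace, which is the
    symptom of listing several directories without commas."""
    issues = []
    for path, _attrs in syscheck_directories(root):
        if not path.startswith("/"):
            issues.append((path, "syscheck path must be absolute"))
        elif any(ch.isspace() for ch in path):
            issues.append((path, "path contains whitespace; separate multiple paths with commas"))
    return issues


def run_demo():
    """Stage a fake root with the files the sample expects (app logs left out on
    purpose) and return the issues both checks find."""
    root = parse_ossec_config(SAMPLE_CONFIG)
    with tempfile.TemporaryDirectory() as base:
        for rel in ("var/log/syslog", "var/log/auth.log",
                    "var/log/nginx/access.log", "var/log/nginx/error.log"):
            full = os.path.join(base, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return {"localfile": localfile_issues(root, base),
                "syscheck": syscheck_issues(root)}


if __name__ == "__main__":
    for section, found in run_demo().items():
        for target, problem in found:
            print(f"{section}: {target!r}: {problem}")
```

Run it against a real agent with `parse_ossec_config(open("/var/ossec/etc/ossec.conf").read())` and the default `root_dir="/"`; anything it reports for a localfile is a collector that will never deliver events, which is worth catching before the playbook rolls the config out to every instance.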

Compliance Reporting

Wazuh includes pre-built compliance rule mappings for common frameworks. Compliance scanning is enabled in the agent configuration; the frameworks covered and their rule groups are:

Framework           Coverage                  Wazuh Rule Group
CIS Ubuntu 22.04    Level 1 and Level 2       cis_ubuntu_linux_22-04
PCI DSS 3.2.1       Requirements 6, 10, 11    pci_dss
HIPAA               Security rule subset      hipaa
NIST 800-53         Control families          nist_800_53
View compliance dashboards in the Wazuh Dashboard under Security → Regulatory Compliance.

Verification

Navigate to the Wazuh Dashboard at http://<wazuh-dashboard-host>:5601:
  1. Open Agents — all deployed instances appear with status Active
  2. Open Security Events — incoming events from agents are visible in real time
  3. Open Integrity Monitoring — file change events appear per monitored path
  4. Open Regulatory Compliance — compliance scores per instance
All agents show Active status. Events are flowing from monitored instances.
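Checking agent status by eye in the dashboard does not scale to a fleet, and an agent can sit at Active while its last keepalive is long past. The script below is an added example (not part of the Xloud docs or of Wazuh) that audits the fleet through the Wazuh manager API instead. It assumes the Wazuh 4.x REST API on TCP 55000, with POST /security/user/authenticate (HTTP basic auth, returning data.token) and GET /agents (returning data.affected_items with id, name, status and lastKeepAlive); the far-future lastKeepAlive sentinel for agents that never connected, the MAX_KEEPALIVE_AGE threshold and the manager pseudo-agent id 000 are assumptions. The API response used offline is constructed.

```python
"""Audit Wazuh agent health through the manager API (added example)."""
import base64
import json
import ssl
import urllib.request
from datetime import datetime, timedelta, timezone

MAX_KEEPALIVE_AGE = timedelta(minutes=10)  # assumption: tune to your environment
API_PORT = 55000                            # assumption: Wazuh API default

# Constructed sample in the shape the /agents endpoint is assumed to return.
SAMPLE_RESPONSE = {
    "data": {
        "affected_items": [
            {"id": "000", "name": "wazuh-manager", "status": "active",
             "lastKeepAlive": "9999-12-31T23:59:59Z"},
            {"id": "001", "name": "web-01", "status": "active",
             "lastKeepAlive": "2024-05-01T12:00:00Z"},
            {"id": "002", "name": "web-02", "status": "disconnected",
             "lastKeepAlive": "2024-05-01T09:30:00Z"},
            {"id": "003", "name": "db-01", "status": "active",
             "lastKeepAlive": "2024-05-01T11:20:00Z"},
            {"id": "004", "name": "new-host", "status": "never_connected",
             "lastKeepAlive": "9999-12-31T23:59:59Z"},
        ],
        "total_affected_items": 5,
    },
    "error": 0,
}


def parse_keepalive(value):
    """lastKeepAlive is an ISO-8601 timestamp; agents that never connected carry
    a far-future sentinel (assumption), which is treated as 'no keepalive'."""
    if not value or value.startswith("9999"):
        return None
    value = value.replace(" ", "T").rstrip("Z")  # tolerate both API spellings
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def classify_agents(agents, now):
    """Split agents into healthy (id, name) and unhealthy (id, name, reason).
    'Active' alone is not enough: a stale keepalive is flagged too."""
    healthy, unhealthy = [], []
    for a in agents:
        if a.get("id") == "000":  # the manager's own pseudo-agent (assumption)
            continue
        status = a.get("status", "unknown")
        last = parse_keepalive(a.get("lastKeepAlive"))
        if status != "active":
            unhealthy.append((a["id"], a["name"], f"status={status}"))
        elif last is None or now - last > MAX_KEEPALIVE_AGE:
            unhealthy.append((a["id"], a["name"], "stale keepalive"))
        else:
            healthy.append((a["id"], a["name"]))
    return healthy, unhealthy


def fetch_agents(manager, user, password, ca_bundle=None, page=500):
    """Authenticate and page through GET /agents. Network code; not run offline.
    ca_bundle should point at the CA that signed the API certificate."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    base = f"https://{manager}:{API_PORT}"
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base}/security/user/authenticate", method="POST",
                                 headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, context=ctx) as r:
        token = json.load(r)["data"]["token"]
    agents, offset = [], 0
    while True:
        req = urllib.request.Request(
            f"{base}/agents?select=id,name,status,lastKeepAlive&offset={offset}&limit={page}",
            headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx) as r:
            data = json.load(r)["data"]
        agents.extend(data["affected_items"])
        offset += page
        if offset >= data["total_affected_items"]:
            return agents


def demo():
    """Classify the constructed sample at a fixed 'now' so results are reproducible."""
    now = datetime(2024, 5, 1, 12, 5, tzinfo=timezone.utc)
    return classify_agents(SAMPLE_RESPONSE["data"]["affected_items"], now)


if __name__ == "__main__":
    healthy, unhealthy = demo()
    print(f"healthy: {len(healthy)}")
    for agent_id, name, reason in unhealthy:
        print(f"UNHEALTHY {agent_id} {name}: {reason}")
```

For a live run, replace the sample with `classify_agents(fetch_agents("<wazuh-manager-ip>", user, password, ca_bundle="<ca.pem>"), datetime.now(timezone.utc))` using a read-only API user; a non-empty unhealthy list is the condition to alert on, and its reasons map directly onto the two troubleshooting cases below (manager unreachable versus agent never enrolled).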

Troubleshooting

Cause: The agent cannot reach the Wazuh manager on TCP port 1514, or the agent service stopped.
Resolution:

Check agent service status
sudo systemctl status wazuh-agent

Test connectivity to manager
nc -zv <wazuh-manager-ip> 1514

Verify that the security group for the instance allows outbound TCP 1514 to the manager.

Cause: Log collection paths do not exist, or the agent configuration has a syntax error.
Resolution:

Validate agent configuration
# -t parses ossec.conf and exits non-zero on a syntax error without starting the daemon
sudo /var/ossec/bin/wazuh-agentd -t

Restart agent after config change
sudo systemctl restart wazuh-agent

Check /var/ossec/logs/ossec.log on the instance for parsing errors.

Cause: Package manager repository not reachable from the instance (outbound internet blocked), or wrong OS family detected.
Resolution: Ensure instances have outbound HTTP/HTTPS access to packages.wazuh.com, or host the Wazuh packages internally and update the repository URL in the playbook. Use --limit to re-run the playbook on failed hosts only.

Next Steps

Ansible Integration

Automate Wazuh agent deployment and configuration updates using Ansible playbooks

Prometheus Integration

Complement Wazuh security events with infrastructure metrics from Prometheus

Grafana Dashboards

Build unified security and operations dashboards combining Wazuh and Prometheus data

Key Manager

Store Wazuh registration keys securely in Xloud Key Manager