Overview

Wazuh is the host-based intrusion detection and security monitoring platform bundled with Xloud Platform. It provides host-level visibility into what is happening inside each of your virtual machines through a lightweight agent. The Wazuh manager runs as a centralized service. Agents deploy to each instance and stream security events, file changes, and vulnerability data back for real-time correlation. Xloud ships this platform pre-integrated with XDeploy, so you can mass-deploy agents across projects using the standard automation pipeline.
Xloud-Developed — This capability is developed by Xloud and ships with XAVS. The integrated security platform is surfaced in the Xloud Dashboard as the Security Posture page in Monitor Center, providing a unified view of agent status, threat alerts, and compliance results across the cluster. See Xloud SIEM for the full overview.
XDeploy GUI — Enable Wazuh (with Lynis auditing, OpenSCAP compliance, and OS hardening) through the XDeploy Configuration interface under XDeploy → Security → HIDS. No manual file editing required.
Prerequisites
  • Wazuh Manager deployed (enabled via XDeploy → Security → HIDS)
  • Network reachability from guest VMs to the Wazuh Manager on ports 1514/1515
  • Agent registration token available from the Wazuh Manager dashboard

Architecture

| Component | Role |
|---|---|
| Wazuh Agent | Collects logs, file events, process activity, and vulnerability data from each VM |
| Wazuh Manager | Correlates events, applies detection rules, triggers alerts |
| Wazuh Dashboard | OpenSearch-based UI for alert triage, compliance reports, and forensic queries |
| Ruleset | MITRE ATT&CK-mapped detection rules — over 3,000 out of the box |

Capabilities

File Integrity Monitoring

Track every create, modify, and delete on monitored paths. Alert on unauthorized changes to /etc/passwd, SSH keys, cron files, and application configs.

Intrusion Detection

Real-time log analysis against MITRE ATT&CK-mapped rules. Detects brute-force attempts, privilege escalation, rootkits, and lateral movement.

Vulnerability Assessment

Continuous scan of installed packages against CVE databases. Reports vulnerable packages per host with severity scores and remediation guidance.

Compliance Auditing

Built-in checks for PCI-DSS, HIPAA, NIST 800-53, CIS benchmarks, and GDPR. Generates per-host compliance reports with pass/fail details.

Deploy Wazuh Agent

Use the bundled Ansible role to deploy agents across all instances in a project:
Deploy Wazuh agents via xavs-ansible:

```bash
xavs-ansible deploy --tags wazuh-agent \
  --extra-vars "wazuh_manager_ip=<MANAGER_IP> wazuh_registration_token=<TOKEN>"
```
The role installs the agent, registers it with the manager, and starts the wazuh-agent service automatically.
The agent appears in the Wazuh Dashboard under Agents within 60 seconds of deployment.

File Integrity Monitoring Configuration

Configure which paths are monitored for changes in /var/ossec/etc/ossec.conf:
/var/ossec/etc/ossec.conf — FIM configuration

```xml
<syscheck>
  <frequency>3600</frequency>

  <!-- Critical system files -->
  <directories check_all="yes" realtime="yes">/etc/passwd,/etc/shadow,/etc/group</directories>
  <directories check_all="yes" realtime="yes">/etc/ssh</directories>
  <directories check_all="yes" realtime="yes">/root/.ssh</directories>

  <!-- Application configs -->
  <directories check_all="yes">/etc/nginx</directories>
  <directories check_all="yes">/etc/apache2</directories>

  <!-- Ignore transient paths -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>
</syscheck>
```
| Option | Description |
|---|---|
| `realtime="yes"` | Alert immediately on change (inotify-based), not at next scan cycle |
| `check_all="yes"` | Monitor permissions, ownership, size, MD5, SHA1, SHA256, and mtime |
| `frequency` | Scan interval in seconds for non-realtime paths |
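
A small audit of the FIM block above, added here as an example and not part of Xloud's or Wazuh's tooling: it parses the `syscheck` section (assumed to be pasted into `SAMPLE_CONF`, a constructed copy of the page's configuration) and reports, per monitored path, the worst-case delay before a change is alerted, which is 0 s for `realtime="yes"` paths and a full `frequency` interval for the rest. Because a real ossec.conf holds several top-level `<ossec_config>` elements, the parser wraps the text in a synthetic root instead of parsing it as one XML document.

```python
"""Audit a Wazuh syscheck (FIM) block: which paths alert in realtime and
which only surface at the next scheduled scan."""
import xml.etree.ElementTree as ET

# Constructed sample built from the FIM block on this page. A real ossec.conf
# contains several top-level <ossec_config> elements, so it is not a single
# XML document; parse_syscheck() wraps the text in a synthetic root.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <frequency>3600</frequency>
    <directories check_all="yes" realtime="yes">/etc/passwd,/etc/shadow,/etc/group</directories>
    <directories check_all="yes" realtime="yes">/etc/ssh</directories>
    <directories check_all="yes" realtime="yes">/root/.ssh</directories>
    <directories check_all="yes">/etc/nginx</directories>
    <directories check_all="yes">/etc/apache2</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>
</ossec_config>
"""

def parse_syscheck(conf_text):
    """Return frequency, one entry per monitored path (comma lists are split,
    as the agent does) and the ignore list."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    cfg = {"frequency": 43200, "paths": [], "ignore": []}  # 43200 s is Wazuh's default
    for sc in root.iter("syscheck"):
        if sc.findtext("frequency"):
            cfg["frequency"] = int(sc.findtext("frequency"))
        for d in sc.findall("directories"):
            for path in d.text.split(","):
                cfg["paths"].append({"path": path.strip(),
                                     "realtime": d.get("realtime") == "yes",
                                     "check_all": d.get("check_all") == "yes"})
        cfg["ignore"] += [i.text.strip() for i in sc.findall("ignore")]
    return cfg

def max_alert_delay(cfg):
    """Worst-case seconds before a change is reported: 0 for realtime (inotify)
    paths, a full scan interval for everything else."""
    return {p["path"]: 0 if p["realtime"] else cfg["frequency"] for p in cfg["paths"]}

if __name__ == "__main__":
    cfg = parse_syscheck(SAMPLE_CONF)
    for path, delay in max_alert_delay(cfg).items():
        print(f"{path:<14} worst-case alert delay: {delay:>5}s")
    print("ignored:", ", ".join(cfg["ignore"]))
```

With the page's configuration, /etc/nginx and /etc/apache2 can go up to an hour before a modification is reported; if that window matters for an application config, give those entries `realtime="yes"` too.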

Vulnerability Assessment

Wazuh continuously scans installed packages against NVD and vendor CVE feeds. Results appear in the Dashboard under Vulnerability Detector.
Trigger an on-demand vulnerability scan:

```bash
/var/ossec/bin/wazuh-control restart
```
| Severity | CVSS Score Range | Action |
|---|---|---|
| Critical | 9.0–10.0 | Immediate patching required |
| High | 7.0–8.9 | Patch within 7 days |
| Medium | 4.0–6.9 | Patch within 30 days |
| Low | 0.1–3.9 | Track and remediate at next maintenance window |

Compliance Reports

Wazuh ships with built-in compliance checks. Enable a framework in ossec.conf:
Enable PCI-DSS compliance checks:

```xml
<rootcheck>
  <system_audit>/var/ossec/etc/shared/pci_dss_reqs.txt</system_audit>
</rootcheck>
```
Available compliance frameworks:
| Framework | File |
|---|---|
| PCI-DSS 3.2.1 | `pci_dss_reqs.txt` |
| HIPAA | `hipaa_reqs.txt` |
| NIST 800-53 | `nist800_53_reqs.txt` |
| GDPR | `gdpr_reqs.txt` |
| CIS Benchmark | `cis_debian_linux_rcl.txt` / `cis_rhel_linux_rcl.txt` |
Reports are accessible in the Wazuh Dashboard under Regulatory Compliance.

Alert Integration

Forward Wazuh alerts to external systems:
/var/ossec/etc/ossec.conf — webhook integration

```xml
<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/YOUR/WEBHOOK/URL</hook_url>
  <level>10</level>
  <alert_format>json</alert_format>
</integration>
```
Alerts at level 10 and above (high severity) are forwarded automatically.
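
The `<level>10</level>` threshold applied to alert records, as an added example that is not Wazuh's own integration code: it filters constructed alerts.json lines (one JSON object per line, trimmed to the fields used) the way the level filter does and builds a minimal Slack webhook body for each forwarded alert. The sample rule ids and levels are modelled on the stock ruleset, so the point to notice is that a FIM checksum change on /etc/shadow (rule 550, level 7) sits below a level-10 threshold and is not forwarded unless `<level>` is lowered or a local rule raises its level.

```python
"""Apply the <level> filter of a Wazuh integration block to alerts.json lines,
to see what a level-10 threshold does and does not forward."""
import json

# Constructed alerts.json records (one JSON object per line), trimmed to the
# fields used here. Rule ids and levels are samples modelled on the stock
# ruleset (5712 level 10, 550 level 7); 100010 stands for a local custom rule.
SAMPLE_ALERTS_JSON = "\n".join(json.dumps(a) for a in [
    {"timestamp": "2024-01-01T10:00:00+0000", "agent": {"name": "web-01"},
     "rule": {"level": 10, "id": "5712",
              "description": "sshd: brute force trying to get access to the system."}},
    {"timestamp": "2024-01-01T10:01:00+0000", "agent": {"name": "web-01"},
     "rule": {"level": 7, "id": "550", "description": "Integrity checksum changed."},
     "syscheck": {"path": "/etc/shadow", "event": "modified"}},
    {"timestamp": "2024-01-01T10:02:00+0000", "agent": {"name": "db-02"},
     "rule": {"level": 12, "id": "100010", "description": "Local rule: example high-severity event."}},
])

def select_alerts(alerts_json, min_level=10):
    """Keep alerts whose rule.level is >= min_level, as <level>N</level> does.
    Lines that are not valid JSON are skipped rather than aborting the run."""
    selected = []
    for line in alerts_json.splitlines():
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        if alert.get("rule", {}).get("level", 0) >= min_level:
            selected.append(alert)
    return selected

def slack_payload(alert):
    """Build a minimal Slack incoming-webhook body (a 'text' field) for one alert."""
    rule = alert["rule"]
    text = f"[{alert['agent']['name']}] level {rule['level']} rule {rule['id']}: {rule['description']}"
    path = alert.get("syscheck", {}).get("path")
    if path:  # FIM alerts carry the changed path; surface it in the message
        text += f" ({path})"
    return {"text": text}

if __name__ == "__main__":
    for threshold in (10, 7):
        ids = [a["rule"]["id"] for a in select_alerts(SAMPLE_ALERTS_JSON, threshold)]
        print(f"<level>{threshold}</level> forwards rules: {ids}")
    # At level 10 the /etc/shadow change (rule 550, level 7) is silently not forwarded
    for alert in select_alerts(SAMPLE_ALERTS_JSON, 10):
        print(json.dumps(slack_payload(alert)))
```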

Next Steps

Xloud SIEM Overview

Back to the unified Xloud SIEM hub — Security Posture and Alerts dashboards

Lynis Security Auditing

Run automated OS security audits and generate hardening recommendations

OpenSCAP Compliance Scanning

Scan instances against CIS, STIG, and PCI-DSS profiles using SCAP content

Compliance and Auditing

Understand audit logging and compliance frameworks supported by Xloud