Overview

Wazuh is the host-based intrusion detection and security monitoring platform bundled with Xloud Cloud Platform. It provides visibility into what is happening inside each virtual machine without requiring custom tooling or modifying the guest OS kernel. The Wazuh manager runs as a centralized service; lightweight agents are deployed to each instance and stream security events, file changes, and vulnerability data back for real-time correlation. Xloud ships this platform pre-integrated with XDeploy, so agents can be mass-deployed across projects using the standard automation pipeline.
Xloud-Developed — This capability is developed by Xloud and ships with XAVS. The integrated security platform is surfaced in the Xloud Dashboard as the Security Posture Panel, providing a unified view of agent status, threat alerts, and compliance results across the cluster.
XDeploy GUI — You can enable the integrated security suite (including this platform, Lynis auditing, OpenSCAP compliance, and OS hardening) through the XDeploy Configuration interface. Navigate to the Monitoring & Logging tab and toggle Enable Security Suite. No manual file editing required.
Prerequisites
  • Wazuh Manager deployed (enabled via XDeploy → Security → HIDS)
  • Network reachability from guest VMs to the Wazuh Manager on ports 1514/1515
  • Agent registration token available from the Wazuh Manager dashboard

Architecture

| Component | Role |
| --- | --- |
| Wazuh Agent | Collects logs, file events, process activity, and vulnerability data from each VM |
| Wazuh Manager | Correlates events, applies detection rules, triggers alerts |
| Wazuh Dashboard | OpenSearch-based UI for alert triage, compliance reports, and forensic queries |
| Ruleset | MITRE ATT&CK-mapped detection rules — over 3,000 out of the box |

Capabilities

File Integrity Monitoring

Track every create, modify, and delete on monitored paths. Alert on unauthorized changes to /etc/passwd, SSH keys, cron files, and application configs.

Intrusion Detection

Real-time log analysis against MITRE ATT&CK-mapped rules. Detects brute-force attempts, privilege escalation, rootkits, and lateral movement.

Vulnerability Assessment

Continuous scan of installed packages against CVE databases. Reports vulnerable packages per host with severity scores and remediation guidance.

Compliance Auditing

Built-in checks for PCI-DSS, HIPAA, NIST 800-53, CIS benchmarks, and GDPR. Generates per-host compliance reports with pass/fail details.

Deploy Wazuh Agent

Use the bundled Ansible role to deploy agents across all instances in a project:
Deploy Wazuh agents via xavs-ansible
xavs-ansible deploy --tags wazuh-agent \
  --extra-vars "wazuh_manager_ip=<MANAGER_IP> wazuh_registration_token=<TOKEN>"
The role installs the agent, registers it with the manager, and starts the wazuh-agent service automatically.
Agents appear in the Wazuh Dashboard under Agents within 60 seconds of deployment.

File Integrity Monitoring Configuration

Configure which paths are monitored for changes in /var/ossec/etc/ossec.conf:
/var/ossec/etc/ossec.conf — FIM configuration
<syscheck>
  <frequency>3600</frequency>

  <!-- Critical system files -->
  <directories check_all="yes" realtime="yes">/etc/passwd,/etc/shadow,/etc/group</directories>
  <directories check_all="yes" realtime="yes">/etc/ssh</directories>
  <directories check_all="yes" realtime="yes">/root/.ssh</directories>

  <!-- Application configs -->
  <directories check_all="yes">/etc/nginx</directories>
  <directories check_all="yes">/etc/apache2</directories>

  <!-- Ignore transient paths -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>
</syscheck>
| Option | Description |
| --- | --- |
| realtime="yes" | Alert immediately on change (inotify-based), not at the next scan cycle |
| check_all="yes" | Monitor permissions, ownership, size, MD5, SHA1, SHA256, and mtime |
| frequency | Scan interval in seconds for non-realtime paths |
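The following is an added example, not Xloud or Wazuh project code: it parses the syscheck block of an ossec.conf and checks that each critical path named above is monitored with both check_all and realtime set and is not shadowed by an ignore entry. The config text is a constructed sample, and the list of critical paths is an assumption taken from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumption): trimmed ossec.conf where /root/.ssh lacks realtime="yes".
SAMPLE_CONF = """<ossec_config>
<syscheck>
  <frequency>3600</frequency>
  <directories check_all="yes" realtime="yes">/etc/passwd,/etc/shadow,/etc/group</directories>
  <directories check_all="yes" realtime="yes">/etc/ssh</directories>
  <directories check_all="yes">/root/.ssh</directories>
  <ignore>/etc/mtab</ignore>
</syscheck>
</ossec_config>"""

# Paths the text above says must alert immediately (assumption: taken from this page).
CRITICAL_PATHS = ["/etc/passwd", "/etc/shadow", "/etc/group", "/etc/ssh", "/root/.ssh"]


def parse_syscheck(conf_text):
    """Return (frequency_seconds, {path: (check_all, realtime)}, ignored_paths)."""
    # ossec.conf may hold several top-level <ossec_config> blocks, so wrap in a dummy root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    frequency, monitored, ignored = None, {}, []
    for sc in root.iter("syscheck"):
        freq = sc.find("frequency")
        if freq is not None:
            frequency = int(freq.text.strip())
        for d in sc.findall("directories"):
            flags = (d.get("check_all") == "yes", d.get("realtime") == "yes")
            for path in d.text.split(","):  # one element may list several paths
                monitored[path.strip()] = flags
        ignored += [i.text.strip() for i in sc.findall("ignore")]
    return frequency, monitored, ignored


def audit_fim(conf_text, critical=CRITICAL_PATHS):
    """Return findings for critical paths that are ignored, unmonitored, or missing a flag."""
    frequency, monitored, ignored = parse_syscheck(conf_text)
    findings = []
    if not frequency or frequency <= 0:
        findings.append("frequency missing or non-positive")
    for path in critical:
        if path in ignored:
            findings.append(f"critical path ignored: {path}")
        elif path not in monitored:
            findings.append(f"not monitored: {path}")
        else:
            check_all, realtime = monitored[path]
            if not check_all:
                findings.append(f"check_all missing: {path}")
            if not realtime:
                findings.append(f"realtime missing: {path}")
    return findings  # an empty list means every critical path is covered as intended
```

Run it against the deployed /var/ossec/etc/ossec.conf after each XDeploy change; any finding means a critical file change would only be seen at the next scan cycle, or not at all.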

Vulnerability Assessment

Wazuh continuously scans installed packages against NVD and vendor CVE feeds. Results appear in the Dashboard under Vulnerability Detector.
Trigger an on-demand vulnerability scan
/var/ossec/bin/wazuh-control restart
| Severity | CVSS Score Range | Action |
| --- | --- | --- |
| Critical | 9.0–10.0 | Immediate patching required |
| High | 7.0–8.9 | Patch within 7 days |
| Medium | 4.0–6.9 | Patch within 30 days |
| Low | 0.1–3.9 | Track and remediate at next maintenance window |

Compliance Reports

Wazuh ships with built-in compliance checks. Enable a framework in ossec.conf:
Enable PCI-DSS compliance checks
<rootcheck>
  <system_audit>/var/ossec/etc/shared/pci_dss_reqs.txt</system_audit>
</rootcheck>
Available compliance frameworks:
| Framework | File |
| --- | --- |
| PCI-DSS 3.2.1 | pci_dss_reqs.txt |
| HIPAA | hipaa_reqs.txt |
| NIST 800-53 | nist800_53_reqs.txt |
| GDPR | gdpr_reqs.txt |
| CIS Benchmark | cis_debian_linux_rcl.txt / cis_rhel_linux_rcl.txt |
Reports are accessible in the Wazuh Dashboard under Regulatory Compliance.

Alert Integration

Forward Wazuh alerts to external systems:
/var/ossec/etc/ossec.conf — webhook integration
<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/YOUR/WEBHOOK/URL</hook_url>
  <level>10</level>
  <alert_format>json</alert_format>
</integration>
Alerts at level 10 and above (high severity) are forwarded automatically.
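The following is an added example, not Xloud or Wazuh project code, covering both the severity table in the Vulnerability Assessment section and the level-10 forwarding threshold above: it reads alert records, lists the ones the webhook integration would forward, and turns each vulnerability alert into a patch deadline from the CVSS-to-SLA table. The alert lines are constructed samples whose field layout is modelled on the Wazuh 4.x alerts.json format (an assumption), and the CVE id is a placeholder.

```python
import json
from datetime import timedelta, datetime

# Patching SLA from the severity table above (assumption: taken from this page).
# Low has no fixed deadline ("next maintenance window"), so it carries None.
SLA = [(9.0, "Critical", 0), (7.0, "High", 7), (4.0, "Medium", 30), (0.1, "Low", None)]
FORWARD_LEVEL = 10  # matches <level>10</level> in the integration block above
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Constructed sample alerts (assumption: layout modelled on Wazuh 4.x alerts.json;
# the CVE id is a placeholder, not a real identifier).
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"timestamp": "2024-05-01T10:00:00.000+0000", "agent": {"name": "web-01"},
     "rule": {"level": 12, "description": "Integrity checksum changed."},
     "syscheck": {"path": "/etc/passwd", "event": "modified"}},
    {"timestamp": "2024-05-01T10:05:00.000+0000", "agent": {"name": "web-01"},
     "rule": {"level": 5, "description": "sshd: authentication failed."}},
    {"timestamp": "2024-05-01T10:10:00.000+0000", "agent": {"name": "db-01"},
     "rule": {"level": 10, "description": "CVE-XXXX-YYYY affects openssl"},
     "data": {"vulnerability": {"cve": "CVE-XXXX-YYYY",
                                 "cvss": {"cvss3": {"base_score": "7.5"}}}}},
])


def cvss_action(score):
    """Map a CVSS base score to (severity, patch_within_days) using the table above."""
    for floor, severity, days in SLA:
        if score >= floor:
            return severity, days
    return "None", None  # a score of 0.0 means nothing to patch


def triage(alerts_jsonl, now_ts):
    """Return (forwarded, deadlines): alerts at/above FORWARD_LEVEL, and per-CVE due dates."""
    now = datetime.strptime(now_ts, TS_FORMAT)
    forwarded, deadlines = [], []
    for line in alerts_jsonl.splitlines():
        if not line.strip():
            continue  # alerts.json may contain blank lines between records
        alert = json.loads(line)
        level = alert["rule"]["level"]
        if level >= FORWARD_LEVEL:
            forwarded.append((alert["agent"]["name"], level, alert["rule"]["description"]))
        vuln = alert.get("data", {}).get("vulnerability")
        if vuln:
            severity, days = cvss_action(float(vuln["cvss"]["cvss3"]["base_score"]))
            seen = datetime.strptime(alert["timestamp"], TS_FORMAT)
            due = seen + timedelta(days=days) if days is not None else None
            deadlines.append({"agent": alert["agent"]["name"], "cve": vuln["cve"],
                              "severity": severity, "due": due,
                              "overdue": due is not None and now > due})
    return forwarded, deadlines
```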

Next Steps

Lynis Security Auditing

Run automated OS security audits and generate hardening recommendations

OpenSCAP Compliance Scanning

Scan instances against CIS, STIG, and PCI-DSS profiles using SCAP content

Hardening Guide

Apply pre-deployment OS and platform hardening before enabling agents

Compliance and Auditing

Understand audit logging and compliance frameworks supported by Xloud