Wazuh
Open-source XDR and SIEM that does agent-based threat detection, integrity monitoring and compliance across endpoints, containers and cloud
⚡ TL;DR
🎯 The Problem It Solves
Splunk and the commercial SIEMs are powerful but expensive, and a lot of small/mid-size teams just need \'collect logs from everything, alert on the bad stuff, and tick the compliance box.\' Wazuh is the open-source answer: a single platform for agent-based detection, FIM, vulnerability detection and regulatory reporting without a six-figure license.
🔧 How It Works
Wazuh agents ship on endpoints (and there are agentless/cloud connectors). They forward data to a manager, which decodes, rules-match and forwards to an OpenSearch/Elasticsearch index. The web UI (or Kibana/Dashboards) visualizes alerts, and the Wazuh ruleset plus MITRE ATT&CK correlation drives detection. Active responses can auto-block on certain alerts. It also does SCA (security configuration assessment) and cloud workload protection.
🚀 Installation & Quick Start
Installation
Docker quick start: docker run --name wazuh.manager -d wazuh/wazuh-manager:4.7.0\n# All-in-one: wazuh-docker/deployment-scripts/docker-setup.sh\n# Production: Install manager + agents on endpointsQuick Start
- Quickstart with Docker: git clone https://github.com/wazuh/wazuh-docker && cd wazuh-docker && docker compose up
- Or install the manager: curl -sO https://packages.wazuh.com/4.x/wazuh-install.sh && bash wazuh-install.sh -a
- Deploy an agent: download the agent, register it against the manager, systemctl enable --now wazuh-agent
- Log into the Wazuh dashboard and open the 'Agents' and 'Security events' views
- Enable a compliance module (PCI DSS / CIS) from the SCA dashboard
✅ Pros
- •Genuinely free and open source — no per-GB ingestion surprise
- •Broad coverage: endpoint, FIM, vuln detection, compliance in one agent
- •Strong community and clear upgrade path from OSSEC heritage
- •Good enough for real SOCs on a budget
❌ Cons
- •OpenSearch/Elastic backend is the hard part — resource-hungry and fiddly
- •Default ruleset is noisy; alert tuning is a real, ongoing job
- •The UI is functional but not as polished as commercial SIEMs
- •At very high event volumes you'll hit scaling limits that need architecture work
💬 Practitioner Verdict
"Wazuh is the pragmatic choice when you need SIEM/XDR capability without a procurement cycle. It will not out-detect a tuned Splunk+ES or a pure-play EDR, but for the price (zero) it covers an astonishing amount of ground. Budget for tuning, not licensing."
📊 Specifications
- Language
- C++
- License
- GPL-2.0
- Platform
- Linux, macOS, Windows
- Kill Chain
- Detection & Response
- MITRE ATT&CK
- T1078, T1059, T1070
💰 Pricing Reality
Free (GPL-2.0). Wazuh Inc. sells paid support, managed cloud and \'Wazuh as a Service.\' The software is unrestricted; your cost is infrastructure and the analyst time to tune it.