🔒SecurityRepoIndex

Wazuh

Open-source XDR and SIEM that does agent-based threat detection, integrity monitoring and compliance across endpoints, containers and cloud

4.3/ 516,075 GitHub starsC++GPL-2.0

⚡ TL;DR

What
Open-source XDR and SIEM that does agent-based threat detection, integrity monitoring and compliance across endpoints, containers and cloud
Who
SOC teams, SMB/Mid-market security teams, Compliance owners, Cloud security engineers
Catch
OpenSearch/Elastic backend is the hard part — resource-hungry and fiddly
Verdict
⭐⭐⭐⭐ Essential

🎯 The Problem It Solves

Splunk and the commercial SIEMs are powerful but expensive, and a lot of small/mid-size teams just need \'collect logs from everything, alert on the bad stuff, and tick the compliance box.\' Wazuh is the open-source answer: a single platform for agent-based detection, FIM, vulnerability detection and regulatory reporting without a six-figure license.

🔧 How It Works

Wazuh agents ship on endpoints (and there are agentless/cloud connectors). They forward data to a manager, which decodes, rules-match and forwards to an OpenSearch/Elasticsearch index. The web UI (or Kibana/Dashboards) visualizes alerts, and the Wazuh ruleset plus MITRE ATT&CK correlation drives detection. Active responses can auto-block on certain alerts. It also does SCA (security configuration assessment) and cloud workload protection.

🚀 Installation & Quick Start

Installation

Docker quick start: docker run --name wazuh.manager -d wazuh/wazuh-manager:4.7.0\n# All-in-one: wazuh-docker/deployment-scripts/docker-setup.sh\n# Production: Install manager + agents on endpoints

Quick Start

  1. Quickstart with Docker: git clone https://github.com/wazuh/wazuh-docker && cd wazuh-docker && docker compose up
  2. Or install the manager: curl -sO https://packages.wazuh.com/4.x/wazuh-install.sh && bash wazuh-install.sh -a
  3. Deploy an agent: download the agent, register it against the manager, systemctl enable --now wazuh-agent
  4. Log into the Wazuh dashboard and open the 'Agents' and 'Security events' views
  5. Enable a compliance module (PCI DSS / CIS) from the SCA dashboard

✅ Pros

  • Genuinely free and open source — no per-GB ingestion surprise
  • Broad coverage: endpoint, FIM, vuln detection, compliance in one agent
  • Strong community and clear upgrade path from OSSEC heritage
  • Good enough for real SOCs on a budget

❌ Cons

  • OpenSearch/Elastic backend is the hard part — resource-hungry and fiddly
  • Default ruleset is noisy; alert tuning is a real, ongoing job
  • The UI is functional but not as polished as commercial SIEMs
  • At very high event volumes you'll hit scaling limits that need architecture work

💬 Practitioner Verdict

"Wazuh is the pragmatic choice when you need SIEM/XDR capability without a procurement cycle. It will not out-detect a tuned Splunk+ES or a pure-play EDR, but for the price (zero) it covers an astonishing amount of ground. Budget for tuning, not licensing."
Emmanuel, Security Reviewer

📊 Specifications

Language
C++
License
GPL-2.0
Platform
Linux, macOS, Windows
Kill Chain
Detection & Response
MITRE ATT&CK
T1078, T1059, T1070

💰 Pricing Reality

Free (GPL-2.0). Wazuh Inc. sells paid support, managed cloud and \'Wazuh as a Service.\' The software is unrestricted; your cost is infrastructure and the analyst time to tune it.

👥 Community Health

Stars16,075
Forks2,374
Contributors216
Health Score8.8/10

🏷️ Tags

SIEMOpen SourceFreeEndpoint Security

🔗 Similar Tools