What is Wazuh?

2 July, 2026

Leander Müller-Osten
Consultant

Leander completed his apprenticeship at NETWAYS Professional Services GmbH in 2025 and now supports the consulting team. He applies the knowledge gained during his training at customer sites, mainly in the area of observability. He is also interested in automation and containerization. In his free time he prefers meeting friends and pursuing his hobbies, which are currently volleyball, gaming, cooking and bouldering, although that changes constantly. Both at work and in his free time he always gives his best and tries to stay in a good mood.

Last updated: July 2, 2026

Wazuh is an open-source security platform that combines log management, intrusion detection, vulnerability assessment, and compliance monitoring all in one place. At NETWAYS, we’re getting more and more questions about this, and our customers would like to start by getting an overview of Wazuh and understanding how it fits into the bigger picture. Leander, a consultant on the Professional Services team, therefore provides an initial overview: What is Wazuh all about, how is it structured, and who should consider using it?

Why Wazuh, anyway?

I assume that most people are familiar with the term “log management”: collecting logs from many different systems in one central place, usually to retain them long-term and to make analysis and correlation easier. But what if you want to analyze those logs with a security focus?

This is where Wazuh comes in with its SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) capabilities: collecting, analyzing, and evaluating security-related data from a wide variety of sources to identify risks. Without a centralized overview of security-related events, it is difficult to detect anomalies early on and meet compliance requirements.

What is Wazuh, at its core?

Wazuh is a log management application and security platform that centrally collects, correlates, and analyzes security data from a wide variety of sources. Wazuh operates at the level of security events—that is, log data, file system changes, process activities, and system configurations.

The platform helps administrators and security teams detect attack attempts and misconfigurations sooner and understand them better. The combination of rule-based detection, integrity monitoring, and centralized reporting gives a comprehensive picture of the security situation.

In practice, Wazuh is a tool that combines log management, intrusion detection, vulnerability assessment, and compliance monitoring all in one place.

The Four Main Components

Wazuh consists of four main components. At first glance this might seem a little overwhelming, but behind these components are applications that many people already know.

  • Wazuh Manager: The core component of Wazuh. It receives events from the agents, decodes them, evaluates them against its ruleset, and manages the agents. Events that match a rule become alerts, which are forwarded (via the bundled Filebeat) to the Wazuh Indexer. The Wazuh Manager has its roots in OSSEC.
  • Wazuh Indexer: This component stores and indexes the alerts received from the Wazuh Manager. It is an OpenSearch distribution packaged by Wazuh and offers the usual benefits, such as horizontal scaling and fast searches.
  • Wazuh Dashboard: The graphical user interface for interacting with Wazuh. Alerts, dashboards, and reports are displayed here. The dashboard is based on OpenSearch Dashboards.
  • Wazuh Agent: This lightweight software is installed on the endpoints to be monitored. It collects log data, monitors files for changes (integrity checks), inventories installed software, and monitors processes. Agents send this data to the Wazuh Manager over an encrypted channel and, like the manager, originate from OSSEC.

Simply put: The agent collects data from the systems, the manager evaluates it, the indexer stores it efficiently, and the dashboard presents it in a way that makes sense to people.
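To make that data flow concrete, here is an added example (not code from the original post or from the Wazuh project): the minimal `ossec.conf` settings on the agent and on the manager that wire the four components together, plus the setting that decides what actually reaches the indexer. The hostname `wazuh-manager.example.internal` and the agent group name are assumptions.

```xml
<!-- Added example; not from the original post. Hostname and group name are assumed. -->

<!-- 1) Agent side: /var/ossec/etc/ossec.conf on a monitored host.
        The agent enrols once over TCP 1515 (receiving its per-agent key) and then
        ships events to the manager over TCP 1514. -->
<ossec_config>
  <client>
    <server>
      <address>wazuh-manager.example.internal</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <enrollment>
      <enabled>yes</enabled>
      <manager_address>wazuh-manager.example.internal</manager_address>
      <port>1515</port>
      <!-- The group decides which centrally managed agent.conf this host receives. -->
      <groups>linux-servers</groups>
    </enrollment>
  </client>
</ossec_config>

<!-- 2) Manager side: /var/ossec/etc/ossec.conf on the manager. -->
<ossec_config>
  <!-- Accept agent traffic (encrypted with the per-agent pre-shared key) on 1514/TCP. -->
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>

  <!-- What reaches the indexer: the manager evaluates every event against its rules,
       but only events matching a rule at or above log_alert_level are written to
       /var/ossec/logs/alerts/alerts.json, which Filebeat forwards to the Wazuh Indexer.
       Level 3 is the shipped default. -->
  <alerts>
    <log_alert_level>3</log_alert_level>
  </alerts>

  <!-- Raw events are discarded after evaluation unless archiving is enabled. Turning it
       on keeps every received event in /var/ossec/logs/archives/archives.json (disk
       usage grows accordingly). This is what makes Wazuh usable as plain log retention
       rather than only as a SIEM. -->
  <global>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
```

Two checks worth running after applying this: `/var/ossec/bin/agent_control -lc` on the manager lists the agents that are actually connected, and `/var/ossec/bin/wazuh-logtest` lets you paste a sample log line and see which decoder and rule (and which level) it hits, i.e. whether it would become an alert at all. Note that enabling `logall_json` only writes the archive file; for those events to be indexed as well, the `archives` input of the Wazuh module in Filebeat's `filebeat.yml` must also be enabled.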


What data does Wazuh process?

Wazuh aggregates a wide variety of data sources, including:

  • System and application logs: typically from /var/log, the Windows Event Log, or application log files.
  • File Integrity Monitoring (FIM): Changes to sensitive system files, configurations, or scripts are logged, including who made them when audit data is enabled.
  • Network devices and appliances: They send their events to the manager via syslog, where they are decoded and analyzed like agent data.
  • Vulnerability Detection: Using vulnerability feeds, the manager compares the package inventory reported by the agents against known CVEs.
  • Compliance Monitoring: The Security Configuration Assessment (SCA) module audits systems against standards such as PCI-DSS, ISO 27001, or CIS Benchmarks automatically.

This broad data foundation provides a comprehensive view of the security landscape—from the application level to the system level—and sets it apart from pure log management.
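How each of these data sources is switched on, as an added example (not configuration from the original post or the Wazuh project): the agent-side `ossec.conf` blocks for log collection, FIM and SCA, and the manager-side blocks for syslog intake and vulnerability detection. File paths, the syslog sender network, and the SCA policy file name are assumptions; the `<vulnerability-detection>` block uses the syntax introduced in Wazuh 4.8.

```xml
<!-- Added example; not from the original post. Paths, networks and policy name are assumed. -->

<!-- Agent side. The same blocks can instead be pushed centrally via the group's agent.conf. -->
<ossec_config>
  <!-- System and application logs -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <!-- Assumed application path; one JSON object per line, fields become alert data. -->
    <log_format>json</log_format>
    <location>/var/log/myapp/app.json</location>
  </localfile>
  <!-- On Windows agents the equivalent is an eventchannel localfile, e.g.
       <localfile>
         <log_format>eventchannel</log_format>
         <location>Security</location>
         <query>Event/System[EventID=4624 or EventID=4625 or EventID=4720]</query>
       </localfile> -->

  <!-- File Integrity Monitoring (syscheck): real-time on paths an attacker is likely to
       touch. whodata="yes" needs auditd on Linux and makes the alert carry the user and
       process that made the change instead of just "file changed". -->
  <syscheck>
    <disabled>no</disabled>
    <directories realtime="yes" whodata="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" whodata="yes">/root/.ssh</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>

  <!-- Compliance monitoring (SCA). The policy matching the detected OS runs by default;
       <policy> entries add further or custom checks from /var/ossec/ruleset/sca. -->
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <policies>
      <policy>cis_debian12.yml</policy>  <!-- assumed file name; use the one shipped for your OS -->
    </policies>
  </sca>
</ossec_config>

<!-- Manager side -->
<ossec_config>
  <!-- Network devices and appliances via plain syslog. Syslog over UDP is unauthenticated
       and trivially spoofable, so restrict senders; the manager refuses to start this
       listener without allowed-ips anyway. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.0.0.0/24</allowed-ips>  <!-- assumed: management network of the appliances -->
  </remote>

  <!-- Vulnerability detection: agents report installed packages (syscollector) and the
       manager matches them against the downloaded vulnerability feeds. -->
  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>
</ossec_config>
```

A practical caveat for the FIM block: real-time monitoring of large or busy trees (for example a whole `/var`) generates a lot of events and noise; start with the paths that matter for persistence and privilege (binaries, configuration, SSH keys) and add `<ignore>` entries for files that legitimately churn.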

Why Wazuh Is Getting So Much Attention Right Now

More than ever, companies are looking for centralized security solutions that are affordable, flexible, and comprehensive. The reasons for this are usually compliance, certifications, or security policies. Wazuh aims to meet these requirements by providing predefined rules, dashboards, and compliance checks—all without any licensing costs.

Wazuh aims to make getting started as easy as possible: From simple log collection and intrusion detection to more comprehensive SIEM/XDR scenarios, the platform can be expanded step by step, depending on the current state of your security strategy.

Wazuh is particularly well-suited for organizations that:

  • want a SIEM solution without having to budget for high licensing costs for proprietary products right away.
  • need a solution that offers a lot “out of the box”, such as predefined rules, dashboards, and compliance checks.
  • require traceable auditing of systems and events due to guidelines, certifications, and similar requirements.
  • want to gain a better understanding of the security posture of their environment.
