Wazuh is an open-source security platform for threat prevention, detection, and response that can protect workloads across on-premises, virtualized, containerized, and cloud-based environments.
It consists of an endpoint security agent deployed to the monitoring systems and a management server which collects and analyzes data gathered by those agents. It is fully integrated with Elastic Stack, providing a search engine and data visualization tool.
The Wazuh agents scan the monitored systems to look for malware, rootkits, and suspicious abnormalities. The server component uses a signature-based approach to intrusion detection and uses its regular expression engine to analyze collected log data.
Wazuh agents read operating systems and application logs and forward them to a central manager for rule-based analysis and storage. The server can also receive data through the syslog from network devices or applications when no agent is deployed.
The project monitors the file system, identifies changes in content, permissions, ownership, and attributes of files that one needs to see. It also natively identifies users and applications used to create or modify files.
Wazuh agents software inventory data and send this information to the server, where it is correlated with continuously updated CVE databases, and it makes sure that configurations are compliant with one’s security policies.
Additional details on the project are available here.