Wazuh Intro

It has been almost two years since I first installed and started running Wazuh. If you do not know what Wazuh is, it is an open-source SIEM (Security Information and Event Management) platform. It is an excellent tool for getting a view into your systems. For me, the most significant benefit has been its vulnerability detection: it produces a list of known vulnerabilities in the packages installed on each monitored system, and that list can be sorted by score or severity to make it easier to focus on areas of concern.
                    

One of the other great things about Wazuh is that it integrates with other tools. On my cloud server, I have it integrated with Suricata. Suricata is a multifunction tool, but I use it primarily as an IDS (Intrusion Detection System). My main use for it is seeing what scans are being run against my server: which ports are being scanned, what the scan's source IP address is, and how often the scan is repeated.
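The questions in that paragraph (which ports, from which source IP, how often) are exactly what a few lines over Suricata's own alert log can answer. Below is an added example, not code from this post or from the Wazuh or Suricata projects: it reads Suricata EVE JSON records, the one-object-per-line format written to /var/log/suricata/eve.json (the same file the Wazuh agent can tail as a json localfile in its documented Suricata integration), keeps only alert events, and groups them by source IP. The log lines, IPs, signature names and the three-port scan threshold are constructed assumptions for illustration.

```python
"""Summarize Suricata alerts by source IP and destination port.

Added example, not code from the post or from Wazuh or Suricata. It parses
Suricata EVE JSON (one object per line), keeps event_type == "alert", and
reports per source IP: how many alerts, which destination ports, when, and
which signatures fired.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records in Suricata's EVE format; the IPs, signature
# names and timestamps are made up for illustration.
SAMPLE_EVE = """\
{"timestamp":"2025-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"198.51.100.10","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}
{"timestamp":"2025-05-01T10:00:02.000000+0000","event_type":"flow","src_ip":"203.0.113.7","dest_ip":"198.51.100.10","dest_port":22,"proto":"TCP"}
{"timestamp":"2025-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"198.51.100.10","dest_port":80,"proto":"TCP","alert":{"signature":"ET SCAN NMAP -sS window 1024","severity":2}}
{"timestamp":"2025-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"198.51.100.10","dest_port":443,"proto":"TCP","alert":{"signature":"ET SCAN NMAP -sS window 1024","severity":2}}
{"timestamp":"2025-05-01T11:30:00.000000+0000","event_type":"alert","src_ip":"192.0.2.45","dest_ip":"198.51.100.10","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}
this line is not JSON and must be skipped rather than crash the summary
"""

# Suricata's EVE timestamp layout, e.g. 2025-05-01T10:00:01.000000+0000
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_alerts(text):
    """Yield alert records from EVE JSON text, skipping malformed lines
    and non-alert event types (flow, dns, http, ...)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and "src_ip" in rec:
            yield rec


def summarize(alerts):
    """Group alerts by source IP: hit count, distinct destination ports,
    first/last seen, and which signatures fired."""
    summary = defaultdict(lambda: {"count": 0, "ports": set(),
                                   "first": None, "last": None,
                                   "signatures": Counter()})
    for rec in alerts:
        ts = datetime.strptime(rec["timestamp"], TS_FORMAT)
        entry = summary[rec["src_ip"]]
        entry["count"] += 1
        entry["ports"].add(rec.get("dest_port"))
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["signatures"][rec.get("alert", {}).get("signature", "?")] += 1
    # Sorted port lists give stable, readable output.
    for entry in summary.values():
        entry["ports"] = sorted(p for p in entry["ports"] if p is not None)
    return dict(summary)


def scanners(summary, min_ports=3):
    """Source IPs that touched at least min_ports distinct ports: a simple
    port-scan heuristic (the threshold is an assumption, not a Suricata rule)."""
    return sorted(ip for ip, e in summary.items() if len(e["ports"]) >= min_ports)


if __name__ == "__main__":
    report = summarize(parse_alerts(SAMPLE_EVE))
    for ip, e in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        span = (e["last"] - e["first"]).total_seconds()
        print(f"{ip}: {e['count']} alerts on ports {e['ports']} over {span:.0f}s; "
              f"top signature: {e['signatures'].most_common(1)[0][0]}")
    print("likely scanners:", scanners(report))
```

Pointed at a real eve.json the same functions work unchanged, since Suricata writes exactly this shape; the flow record in the sample shows why filtering on event_type matters, because eve.json carries far more flow, dns and http records than alerts.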

For my setup, I have a Proxmox server on which I run an Ubuntu Server VM. This is where Wazuh lives, or rather, where its three components live. The first is the wazuh-indexer, which is basically the heart of the whole system. Per the Wazuh documentation: "The Wazuh indexer is a highly scalable, full-text search and analytics engine. This Wazuh central component indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. The Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability."

The second part is the wazuh-manager, also called the Wazuh server. According to the documentation: "The Wazuh server component analyzes the data received from the agents, triggering alerts when threats or anomalies are detected. It is also used to manage the agent's configuration remotely and monitor their status." The manager receives events from the agents, runs them through its decoders and rules, and sends the resulting alerts to the indexer, which is where the dashboard reads them from. It also keeps track of agent enrollment and status. One of the best features is that you can tell the manager to upgrade the agents on remote machines from the dashboard!! One less thing to worry about going around and taking care of by hand. Be aware that this feature doesn't work on all Linux systems; I have an Arch laptop on which I have to run the updates myself. Still, one machine out of the five I am monitoring right now isn't that bad.

The last part is the wazuh-dashboard. This, as the name suggests, serves the web dashboard that admins and other users interact with. According to the documentation: "The Wazuh dashboard is a flexible and intuitive web user interface for mining, analyzing, and visualizing security events and alerts data. It is also used to manage and monitor the Wazuh platform. Additionally, it provides features for role-based access control (RBAC) and single sign-on (SSO)." The Wazuh team has redesigned the dashboard since I started using it, and I have to give them a lot of credit for the work they did. It is an enjoyable user interface with easy menus to navigate, and it displays the data in an uncluttered way.

It has been an enjoyable experience using Wazuh. Specifically, over the past year, I have become more active in monitoring my web server and my home devices: getting insight into the state of my machines, how updates affect and change that state, and also how frustrating it is when your distribution takes a long time to circulate updated software. As of the writing of this post, I am waiting for Ubuntu to update their version of OpenSSH to version 10 to cover CVE-2025-32728.

If you have been wondering about setting up your own SIEM, give Wazuh a try. It has been a great experience using this tool and learning to work with it. One of the paths I would like to go down in the cyber security world is SOC analyst. A part of that job is working with data from a SIEM and taking action based on that data. Doing this with my own systems has been an enjoyable learning experience and has taught me to think differently about how secure my systems are.

To give an example and to wrap this post up, let's look at CVE-2025-32728. In sshd versions before OpenSSH 10.0, the DisableForwarding directive did not disable X11 forwarding (or agent forwarding) as its documentation said it would, so a session could still forward X11 even though the directive said not to. The issue only comes into play once a person has authenticated to the system, which is why it is rated medium severity. On my web server, I have ssh set not to allow root login. I have password login disabled, which forces the connection to authenticate with a key file. Lastly, I have the login set to accept connections only from my IP address. That last point isn't a big deal even if my ISP changes my public IP address, since the Linode interface gives me another way to access the machine. So, while I want to make sure my version of OpenSSH gets updated, I am not going to lose sleep over it.
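The practical lesson from this CVE is that a directive documented as a catch-all should be backed by the specific directives it claims to cover. Below is an added example, not code from this post or from the OpenSSH project: a small checker that reads top-level sshd_config directives the way sshd resolves them (keywords are case-insensitive, the first value seen wins, and both the "key value" and "key=value" forms are accepted) and reports whether root login and password authentication are off and whether X11 and agent forwarding are each switched off by their own directive instead of relying on DisableForwarding alone. The two config texts, the deploy user and the 203.0.113.0/24 source range are constructed for illustration; the version gate is an assumption used only as a hint, since a distribution may backport the fix without shipping 10.0, and Match blocks are deliberately not evaluated.

```python
"""Check an sshd_config for the settings discussed above.

Added example, not code from the post or from OpenSSH. Top-level directives
are resolved like sshd does: keyword case-insensitive, first value wins.
Limitations (assumptions): Match blocks are not evaluated (parsing stops at
the first Match), and the sshd_version gate is only a hint because distros
backport fixes without moving to 10.0.
"""
import re

# Defaults from sshd_config(5) for the keywords this checker cares about.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "allowagentforwarding": "yes",
    "allowtcpforwarding": "yes",
    "disableforwarding": "no",
}

# "Keyword value" or "Keyword=value"; argument keeps its own case.
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*?)\s*$")

# Constructed example that leans on DisableForwarding alone.
WEAK_CONFIG = """\
# root can log in and passwords are left at the default (enabled)
PermitRootLogin yes
DisableForwarding yes
X11Forwarding yes
# sshd keeps the first value it sees, so this later line is ignored
PermitRootLogin no
# anything under Match is conditional and is not evaluated here
Match User backup
    PasswordAuthentication no
"""

# Constructed example with every control set explicitly.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy@203.0.113.0/24
DisableForwarding yes
AllowAgentForwarding no
X11Forwarding no
AllowTcpForwarding no
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: first_value} for top-level directives."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # only whole-line comments exist
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":                     # rest of file is conditional
            break
        settings.setdefault(key, value)        # first obtained value wins
    return settings


def effective(settings):
    """Fill in sshd defaults for keywords that were not set."""
    return {k: settings.get(k, d) for k, d in DEFAULTS.items()}


def check(text, sshd_version=(9, 9)):
    """Return a list of findings; an empty list means the config passes."""
    eff = {k: v.lower() for k, v in effective(parse_sshd_config(text)).items()}
    findings = []
    if eff["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is %r; set it to no" % eff["permitrootlogin"])
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is enabled; set it to no and use keys")
    # Before 10.0, DisableForwarding did not actually disable these two
    # (CVE-2025-32728), so each needs its own explicit directive.
    if eff["disableforwarding"] == "yes" and sshd_version < (10, 0):
        if eff["allowagentforwarding"] != "no":
            findings.append("agent forwarding relies on DisableForwarding, which does "
                            "not disable it before OpenSSH 10.0 (CVE-2025-32728); "
                            "set AllowAgentForwarding no")
        if eff["x11forwarding"] != "no":
            findings.append("X11 forwarding relies on DisableForwarding, which does "
                            "not disable it before OpenSSH 10.0 (CVE-2025-32728); "
                            "set X11Forwarding no")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", check(cfg) or ["ok"])
```

On a live host, `sshd -T` prints the effective configuration one `keyword value` per line (with `-C user=...,addr=...` to resolve Match blocks for a given client), so the same `check` can be run over that output instead of the file and will see what sshd actually applies.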

I hope you enjoyed this read. I have left links below if you want to look into anything I mentioned above.

Wazuh Homepage
Wazuh Github
Wazuh Documentation
Suricata Homepage
Suricata Documentation
CVE info on Ubuntu security
My website, a SearXNG instance