Every second, thousands of cyber attacks happen worldwide. But how do organizations even know they are under attack?
This is where SIEM comes into the picture — and tools like Wazuh make it practical.
Every organization relies on digital systems to perform daily operations. These systems continuously generate events — such as logins, file access, software installations, and network connections.
Each of these events is recorded as a log, creating a digital footprint of everything happening inside the environment.
Every operating system, including Windows, Linux/Unix, and macOS, generates logs and stores them in a specific location. On Windows, logs can be viewed using the Event Viewer, while on Linux systems they are typically stored in the /var/log directory.
Reviewing these logs helps us understand what is going on within a system, and if anything suspicious happens we can identify it.
However, reviewing logs from multiple systems manually is time-consuming and inefficient, especially in large enterprise environments.
As the solution to this problem, we introduce SIEM (Security Information & Event Management) tools. They act as the central hub for log review.
SIEM Architecture
In this model, agents are deployed on endpoints to collect logs and security events. These logs are forwarded to a central manager, where correlation rules analyze the data to detect suspicious patterns or anomalies.
Roles of a SIEM manager:
- Central event-log review
- Connect with all SIEM agents
- Visualization of logs and events.
Roles of SIEM agents:
- Collect logs from the system on which the agent is installed.
- Transfer logs from the system to the SIEM manager.
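As an added illustration (not code from the original article or from the Wazuh project), the following Python script models the agent/manager pipeline just described: two "agents" forward raw auth-log lines to a central function that normalizes them and applies one correlation rule. The hostnames, IP addresses, log lines, rule name and thresholds are all constructed for the example. The point it makes is that each host alone sees only two or three failed logins, while the central view sees the same source IP hammering both hosts and raises a single alert.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of a Linux auth log, paired with the
# name of the (hypothetical) agent that forwarded them. Not real data.
RAW_EVENTS = [
    ("web01", "Mar 10 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2"),
    ("web01", "Mar 10 09:12:03 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2"),
    ("db01",  "Mar 10 09:12:05 db01 sshd[1780]: Failed password for root from 198.51.100.7 port 40010 ssh2"),
    ("web01", "Mar 10 09:12:06 web01 sshd[2214]: Accepted publickey for deploy from 10.0.0.5 port 50222 ssh2"),
    ("db01",  "Mar 10 09:12:08 db01 sshd[1781]: Failed password for root from 198.51.100.7 port 40011 ssh2"),
    ("web01", "Mar 10 09:12:09 web01 sshd[2215]: Failed password for invalid user test from 198.51.100.7 port 51030 ssh2"),
    ("db01",  "Mar 10 09:30:00 db01 sshd[1790]: Failed password for root from 203.0.113.9 port 40100 ssh2"),
]

# Syslog-style envelope: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
# sshd authentication outcome inside the message
SSH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse_event(agent, line, year=2024):
    """Normalize one raw line into a dict (the 'decoder' step of a SIEM)."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unknown format: keep raw review possible, but skip here
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {"agent": agent, "ts": ts, "host": m["host"],
             "program": m["prog"], "msg": m["msg"]}
    s = SSH_RE.match(m["msg"])
    if s:
        event.update({"outcome": s["outcome"], "user": s["user"], "src_ip": s["src"]})
    return event


def correlate(events, threshold=4, window_seconds=120):
    """Correlation rule (constructed): at least `threshold` failed SSH logins
    from one source IP within `window_seconds`, counted across ALL agents."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("program") != "sshd" or ev.get("outcome") != "Failed":
            continue
        q = failures[ev["src_ip"]]
        q.append(ev["ts"])
        # drop failures that fell out of the sliding window
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"rule": "ssh_bruteforce", "src_ip": ev["src_ip"],
                           "count": len(q), "last_seen": ev["ts"]})
            q.clear()  # one burst produces one alert, not one per extra failure
    return alerts


def run_pipeline(raw=RAW_EVENTS):
    """Manager side: collect from every agent, decode, then correlate."""
    events = [e for e in (parse_event(a, line) for a, line in raw) if e]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run_pipeline()
    for ev in events:
        print(f"{ev['agent']:6} {ev['ts']:%H:%M:%S} {ev.get('outcome', '-'):8} {ev.get('src_ip', '-')}")
    for a in alerts:
        print("ALERT", a)
```

Running it prints the normalized events followed by one alert for 198.51.100.7. Note that the per-agent counts (three failures on web01, two on db01) stay below the threshold; only the manager, which sees both agents, reaches four.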
Introduction to Wazuh
Wazuh is an open-source security platform that combines SIEM capabilities with extended detection and response (XDR), providing centralized visibility, threat detection, and compliance monitoring.
We already covered what SIEM is; now let's understand XDR.
- It is a tool that collects data from multiple assets, such as endpoints, networks, servers, cloud workloads, and email, into a single platform for improved, real-time threat detection and automated, rapid response.
- It reduces alert fatigue and enhances visibility across an organization's entire IT infrastructure.
Wazuh Components & Architecture
There are mainly 4 components of Wazuh:
- Wazuh manager (Server)
- Wazuh Indexer
- Wazuh Agent
- Wazuh Dashboard
Within the Wazuh architecture, the components play the following roles.
Wazuh Agents
- They are installed on endpoint systems such as laptops, PCs, workstations, servers, cloud servers, domain controllers, etc.
- They can be installed on multiple platforms, including Windows and Linux.
- They collect logs from the endpoint system and transfer them to the Wazuh manager.
Wazuh Manager
- It is a central component responsible for analysing data collected from Wazuh agents.
- It detects threats, anomalies, and regulatory compliance violations in real time, generating alerts when suspicious activity is identified.
- Beyond detection, the Wazuh server enables centralized management by remotely configuring Wazuh agents and continuously monitoring their operational status.
Wazuh Indexer
- The Wazuh indexer is a highly scalable, full-text search and analytics engine.
- This Wazuh central component indexes and stores alerts generated by the Wazuh server.
- It provides near real-time data search and analytics capabilities.
- The Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability.
An index is a collection of related documents. The documents stored in the Wazuh indexer are distributed across different containers known as shards.
By distributing the documents across multiple shards and distributing those shards across various nodes, the Wazuh indexer can ensure redundancy. This protects your system against hardware failures and increases query capacity as nodes are added to a cluster.
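To make the shard and replica idea concrete, here is an added Python model (not the indexer's own allocation code; the Wazuh indexer decides placement with its own allocator) of the two mechanisms the paragraph describes: documents are routed to a primary shard by hashing their id, and each shard's copies are placed on distinct nodes so that losing a node does not lose the shard. Node names, shard counts and the round-robin placement are assumptions made for the example.

```python
import hashlib


def shard_for(doc_id, primaries):
    """Route a document to one of `primaries` shards by hashing its id.
    Simplified model: a stable hash modulo the primary count."""
    h = int(hashlib.sha256(doc_id.encode()).hexdigest(), 16)
    return h % primaries


def allocate(primaries, replicas, nodes):
    """Place every primary shard and its `replicas` copies on distinct nodes.
    Returns {shard: [node, ...]} with the primary listed first.
    Round-robin placement is an assumption of this model."""
    if replicas + 1 > len(nodes):
        raise ValueError("need at least replicas+1 nodes to keep copies on distinct hosts")
    return {
        s: [nodes[(s + i) % len(nodes)] for i in range(replicas + 1)]
        for s in range(primaries)
    }


def available_shards(placement, live_nodes):
    """Shards that still have at least one copy on a live node."""
    live = set(live_nodes)
    return {s for s, copies in placement.items() if any(n in live for n in copies)}


def index_is_searchable(placement, live_nodes):
    """The index can answer queries only while every shard has a live copy."""
    return available_shards(placement, live_nodes) == set(placement)


def survives_node_loss(primaries, replicas, nodes, failed):
    """Does an index with this layout stay searchable after `failed` nodes die?"""
    placement = allocate(primaries, replicas, nodes)
    live = [n for n in nodes if n not in set(failed)]
    return index_is_searchable(placement, live)


if __name__ == "__main__":
    nodes = ["node-1", "node-2", "node-3"]  # constructed cluster
    for doc in ("alert-0001", "alert-0002", "alert-0003"):
        print(doc, "-> shard", shard_for(doc, primaries=3))
    print("1 replica, lose node-1:", survives_node_loss(3, 1, nodes, ["node-1"]))
    print("1 replica, lose two   :", survives_node_loss(3, 1, nodes, ["node-1", "node-2"]))
    print("0 replicas, lose node-1:", survives_node_loss(3, 0, nodes, ["node-1"]))
```

The last three lines of output show the trade-off in practice: with one replica the cluster tolerates a single node failure, with no replicas any node loss makes part of the index unreachable, and no number of replicas helps if more nodes fail than there are copies.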
Wazuh Dashboard
- The Wazuh dashboard is a flexible and intuitive web interface for visualizing, analyzing, and managing security data.
- It enables users to investigate events and alerts, oversee the Wazuh platform, and enforce role-based access control (RBAC) and single sign-on (SSO) policies.
- It includes dashboards for threat hunting, malware detection, file integrity monitoring, system inventory, and regulatory compliance (for example, PCI DSS, GDPR, HIPAA, and NIST 800-53).
- You can generate reports and create custom visualizations and dashboards.
Why Wazuh as First SIEM Tool?
- Wazuh is completely free and open-source, making it ideal for students, researchers, and small organizations.
- It has a large and active community.
- Integration with the MITRE ATT&CK framework, which is useful for mapping events to TTPs (Tactics, Techniques and Procedures).
- Used for endpoint security, threat intelligence, security operations, and cloud security.
- It helps to meet regulatory compliance requirements like PCI DSS, HIPAA, GDPR, etc.
- It provides a single dashboard to monitor endpoints, cloud instances (AWS, Azure, GCP), and containers.
Conclusion
Understanding SIEM is the first step toward thinking like a defender. Installing and configuring Wazuh is the next step.
Have you ever built your own SIEM lab? If not, Wazuh might be the perfect place to start.
Let me know if you would like a detailed installation and lab setup guide in the next article.
📌 What’s Next?
- Installing Wazuh on Linux
- Deploying agents on Windows & Linux
- Simulating attacks and monitoring alerts
- Creating custom detection rules.