Wazuh is a SIEM platform with various applications in today's environment. Compliance checks have helped with regulatory requirements. I pulled in PCI DSS to check for file integrity monitoring. I completed one project where I removed malware.
Wazuh All-In-One Deployment
Wazuh Inc.: external reviews
Open source flexibility supports cost reduction and efficiency
What is most valuable?
The valuable features of Wazuh include being open source and having the capacity to be used for anything desired. It allows for creating new automations, whereas other Software as a Service platforms have their own business models. With this open source tool, organizations can establish their own customized setup.
What needs improvement?
That would require me to discuss with the Wazuh team regarding areas that could be improved, as I have numerous ideas. From a developer's perspective, this is a Linux system with an active community and dense documentation. There are many people sharing different projects of similar tasks, which is beneficial.
In the proof of concept documentation, it's a mixture of Windows, whereas they also catered to Ubuntu. I'm referring to apt and yum languages for downloading the server indexer. I downloaded in apt, but their first proof of concept is in yum, so I must change languages. This is something I do not prefer because I prefer a more uniform language. When running in production, I'm on a time crunch as time is money.
Wazuh could improve by creating videos on YouTube covering installation, use cases, and integration of third-party APIs for different scenarios that other SAAS services provide. While Wazuh provides these features, one must read their documentation thoroughly to customize it. This is a great feature, but initially, I don't have time to scan multiple items. They could make it more uniform and developer-friendly. As a software engineer, it takes considerable time, but as a businessman, I need to complete tasks quickly and need that flexibility.
What do I think about the stability of the solution?
Wazuh requires substantial maintenance. The indexer frequently times out, requiring system restarts. When it comes to errors, debugging takes considerable time.
How are customer service and support?
I spoke with Wazuh support today regarding a quote. I would rate Wazuh support an 8 out of 10. They responded quickly, which was crucial as I was on a time constraint.
How would you rate customer service and support?
Positive
Due to confidentiality, I cannot share specific quantifiable benefits that deploying Wazuh has brought to my company. However, it resulted in cost reduction by avoiding lump sum payments and providing the benefit of having our own system.
What's my experience with pricing, setup cost, and licensing?
Wazuh is free to use, but there are licensing fees for third parties. Their consultancy fee and support fees are relatively high. On a scale of 1 to 10, I would rate their consultancy and support fees a 5.
What other advice do I have?
I would be willing to provide a review for products I have experience with. I recommend Wazuh to everyone and believe more platforms, not just SIEM and XDR capability platforms, should be open source, allowing people to leverage these tools for the greater good. I support it completely. Overall, I rate Wazuh 8 out of 10.
Innovative platform enables proactive threat hunting and endpoint monitoring
What is our primary use case?
I use Wazuh for daily security operations mainly on EDR endpoints by installing it on the agents that we are monitoring to collect security data. It helps us monitor endpoints and know what is going on at each endpoint, and we are able to tap the data and use it in other platforms such as SOAR.
I find the threat hunting features of Wazuh most valuable, as we are more interested in the threat hunting side and want to move ahead into threat hunting before any threat becomes something that cannot be dealt with. Wazuh has a threat hunting functionality that we use extensively.
The intrusion detection capabilities work effectively in my environment, as we also have firewalls, and we rely more on the firewall side for intrusion detection.
What is most valuable?
The threat hunting features of Wazuh are particularly valuable for our operations. We focus heavily on threat hunting capabilities to address potential threats before they become unmanageable.
The intrusion detection capabilities integrate seamlessly with our existing firewall infrastructure. The system allows us to monitor endpoints effectively and collect security data that can be utilized across other platforms such as SOAR.
What needs improvement?
I think Wazuh should improve by introducing AI functionalities, as it would be beneficial to see AI incorporated in the threat hunting and detection functionalities. I hope this will be part of the new versions.
Regarding challenges with Wazuh, I cannot pinpoint specific difficulties. When I face a challenge, I prefer not to spend too much time on it and may move to another solution that will give us the results. Sometimes what seems a challenge is just an implementation issue, and while the documentation is comprehensive, it can become overwhelming when quick information is needed for implementation.
For how long have I used the solution?
I have been using Wazuh for about a year now.
What was my experience with deployment of the solution?
Wazuh is easy to set up, as it's clearly defined in their documentation, with various options such as bare metal or Docker implementations. The level of documentation is superior compared to other open source products.
Sometimes issues arise with some of these tools, but because they are open source, there are limitations to what can be expected.
What do I think about the stability of the solution?
I would rate the stability of Wazuh a nine out of ten.
What do I think about the scalability of the solution?
Currently, I don't see any limitations in terms of scalability as Wazuh can still connect many endpoints. I haven't encountered issues with the engine struggling, and it's simply a matter of having enough memory to handle OpenSearch memory issues. I think they've done exceptionally in terms of scalability.
I rate the scalability of Wazuh an eight out of ten, as I haven't reached the point of struggling with it.
How was the initial setup?
I would rate the setup of Wazuh a nine out of ten.
What was our ROI?
I have seen value in security cost savings with Wazuh, as using proprietary EDR versions could save us substantial money, but I haven't made any comparisons since we started using Wazuh immediately.
What's my experience with pricing, setup cost, and licensing?
Wazuh is completely free of charge.
What other advice do I have?
I have not seen Wazuh moving in the direction of AI-driven threat detection projects myself, but since the market is moving that way, I wouldn't be surprised if they implemented it soon.
My plans to increase the usage of Wazuh or switch to another tool depend on what my boss decides.
We don't refer to any community support specifically, as we rely on other platforms such as GitHub or Discord, depending on the application.
I recommend that as more companies come on board with Wazuh, it will motivate those who contribute to it, but I am also cautious that as it gains attention, a large company might buy it and change its course of business.
Overall, I rate Wazuh a nine out of ten.
Open source customization and CVE reporting enhance threat detection
What is our primary use case?
We use Wazuh as a SIEM solution because it is open source, highly customizable, and continually expanding. Our clients can request various solutions for their issues, which Wazuh is able to address.
What is most valuable?
One of the most valuable features of Wazuh is its capability as a CVE helper. It assists in pulling reports about active CVEs in the system. Wazuh is a SIEM tool that is highly customizable and versatile. The fact that it is open source means it is always being expanded, which is beneficial for customizing solutions for individual client requests.
What needs improvement?
There is room for improvement by integrating more AI into Wazuh. It requires constant nurturing, as I have to provide it with code and specific requirements. This maintenance can be quite labor-intensive and time-consuming.
For how long have I used the solution?
I have been using Wazuh for nearly three years.
What do I think about the stability of the solution?
The stability of Wazuh is largely dependent on maintenance. If it is well-maintained, it is stable, rating around eight to nine. Without proper maintenance, stability could drop to around five to six.
What do I think about the scalability of the solution?
Wazuh is scalable and suitable for small to medium-sized businesses or enterprises. It can accommodate thousands of endpoints on one instance, and multiple instances can run for different clients.
How are customer service and support?
There is no dedicated technical support for Wazuh as it is open source. I rely on available documentation and self-support.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup of Wazuh is not more complex than any other SIEM solutions available.
What other advice do I have?
I would recommend Wazuh to others. It is a good system that provides a comprehensive view of network activities when correctly set up with syslog and proper log injection. Overall, I would rate Wazuh an eight out of ten.
Evaluating robust file monitoring with insights for community support improvements
What is our primary use case?
I am currently evaluating and using Wazuh for file monitoring and compliance reporting. We are in the process of conducting a POC to understand how the rules work. I lead this effort to explore and evaluate Wazuh as part of my learning and work experience.
What is most valuable?
Wazuh's most valuable features include file monitoring and compliance reporting, which do not require excessive costs. These aspects are vital as they provide alerts for changes and facilitate the monitoring of compliance. The platform is also relatively easy to set up and operate. Reports are straightforward to extract and prove useful for compliance requirements.
What needs improvement?
I am investigating more about the community support for Wazuh. I can't provide a definitive answer yet. An issue I noticed is with tag values in certain rules not functioning properly. It's unclear if this is a design flaw or intentional. These are areas I'm still exploring.
For how long have I used the solution?
I have been using Wazuh for about seven months.
What do I think about the scalability of the solution?
Wazuh offers scaling options and is scalable from a mid to advanced level. However, I am still evaluating if it meets enterprise-scale requirements.
How are customer service and support?
The documentation is good and provides clear instructions, though it's targeted at those with technical backgrounds.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Before Wazuh, we used market products for our needs. We are exploring other options due to Wazuh being open source.
How was the initial setup?
The initial setup of Wazuh was not complex once the requirements were understood. In a POC environment, setting up took about a day and a half.
What about the implementation team?
I am spearheading this POC effort. Once completed, more people will likely be involved.
What was our ROI?
There is high potential for ROI, especially for small to medium businesses comparing Wazuh to market solutions. Wazuh offers more cost-effective options without compromising on security.
What's my experience with pricing, setup cost, and licensing?
Since Wazuh is open source, the pricing for support could be applicable to medium-sized companies without much issue. However, I haven't fully explored what comes with this pricing.
Which other solutions did I evaluate?
We have looked into the Elastic Stack and haven't explored integrating it with Wazuh since Elastic Stack is no longer open source.
What other advice do I have?
I would recommend Wazuh. It's a valuable tool for security operations. On a scale of one to ten, I currently rate Wazuh as a six. I may rate it higher after more experience.
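The first review and the file-monitoring review above both use Wazuh's file integrity monitoring for PCI DSS evidence. The script below is an added example, not Wazuh's own code: it reads alerts in the one-JSON-object-per-line layout the manager writes to /var/ossec/logs/alerts/alerts.json, keeps only syscheck alerts tagged with PCI DSS requirement 11.5, and produces a per-agent change list plus a summary. The alert lines are constructed to match that layout (rule ids 550, 553 and 554 are the stock syscheck rules that carry the 11.5 tag; hashes are placeholders), and the set of paths treated as critical is an assumption.

```python
"""Turn Wazuh file-integrity alerts into a per-agent PCI DSS 11.5 change report.

Added example, not Wazuh's own code. Sample alerts are constructed to match the
alerts.json layout, not captured from a real manager.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: two FIM alerts on web01, one unrelated sshd alert, one FIM
# alert on db01, and one deliberately truncated line to show that bad lines are skipped.
SAMPLE_ALERTS = r"""
{"timestamp":"2024-05-02T10:15:01.000+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","pci_dss":["11.5"],"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"]},"agent":{"id":"001","name":"web01"},"syscheck":{"path":"/etc/passwd","event":"modified","sha256_before":"1b3c...","sha256_after":"9e2a..."}}
{"timestamp":"2024-05-02T10:16:12.000+0000","rule":{"level":5,"description":"File added to the system.","id":"554","pci_dss":["11.5"],"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"]},"agent":{"id":"001","name":"web01"},"syscheck":{"path":"/var/www/html/shell.php","event":"added","sha256_after":"c0ff..."}}
{"timestamp":"2024-05-02T10:20:40.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","pci_dss":["10.2.4","10.2.5"],"groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"002","name":"db01"},"data":{"srcip":"203.0.113.5"}}
{"timestamp":"2024-05-02T10:21:03.000+0000","rule":{"level":7,"description":"File deleted.","id":"553","pci_dss":["11.5"],"groups":["ossec","syscheck","syscheck_entry_deleted","syscheck_file"]},"agent":{"id":"002","name":"db01"},"syscheck":{"path":"/etc/ssh/sshd_config","event":"deleted"}}
{"timestamp":"2024-05-02T10:22:00.000+0000","rule":{"level":7,"description":"truncated
"""

# Assumption: which path prefixes we escalate as critical in the report.
CRITICAL_PREFIXES = ("/etc/", "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/boot/")


def iter_alerts(text):
    """Yield parsed alert dicts, skipping blank and malformed lines instead of aborting."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def is_fim_alert(alert, requirement="11.5"):
    """True for syscheck alerts whose rule is tagged with the given PCI DSS requirement."""
    rule = alert.get("rule", {})
    return "syscheck" in rule.get("groups", []) and requirement in rule.get("pci_dss", [])


def build_report(text, requirement="11.5"):
    """Group matching FIM alerts by agent name, in file order, with a critical-path flag."""
    report = defaultdict(list)
    for alert in iter_alerts(text):
        if not is_fim_alert(alert, requirement):
            continue
        sc = alert.get("syscheck", {})
        path = sc.get("path", "")
        report[alert["agent"]["name"]].append({
            "time": alert["timestamp"],
            "event": sc.get("event"),
            "path": path,
            "rule": alert["rule"]["id"],
            "critical": path.startswith(CRITICAL_PREFIXES),
            "sha256_after": sc.get("sha256_after"),
        })
    return dict(report)


def summarize(report):
    """Count changes per event type and list (agent, path) pairs that touched critical locations."""
    counts = Counter(e["event"] for entries in report.values() for e in entries)
    critical = [(agent, e["path"]) for agent, entries in report.items() for e in entries if e["critical"]]
    return {"by_event": dict(counts), "critical_paths": critical}


if __name__ == "__main__":
    rep = build_report(SAMPLE_ALERTS)
    for agent, entries in rep.items():
        for e in entries:
            flag = "CRITICAL " if e["critical"] else ""
            print(f"{e['time']} {agent} {flag}{e['event']} {e['path']} (rule {e['rule']})")
    print(summarize(rep))
```

Point it at a copy of alerts.json (or the output of the Wazuh API's alert queries) and the same functions produce the evidence auditors ask for under 11.5: what changed, where, on which host, and when.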
Improved security visibility but needs better support and integration
What is our primary use case?
Our primary use case was around data collection and anomaly detection. We integrated Wazuh with Google Cloud and other cloud providers to receive alerts and insights if there is any unauthorized data access in the production environment.
We also monitor virtual machines for any malicious command execution and get notifications for any privilege access attempts. Additionally, we detect anomalies in traffic patterns related to specific client accounts.
How has it helped my organization?
Wazuh has provided us with excellent clarity on data access, allowing us to significantly reduce instances of unnecessary production environment access and improve processes.
We now have real-time visibility into the production environment on both cloud and critical virtual machines, which was not possible with our previous manual audits.
What is most valuable?
We found the MITRE framework mapping and the agent enrollment service to be the most valuable features of Wazuh. These components are essential for our security needs.
What needs improvement?
The support channel is not optimal, and extensive research is required on our part to implement Wazuh effectively. The integration modules are insufficiently developed, necessitating the creation of custom integration solutions using tools like Logstash and PubSub. Although they offer data fetching from Cloud Bucket as a more economical option, it was not functioning properly.
For how long have I used the solution?
I've used the solution for four months, during which it was effectively deployed in our production environment for approximately 45 days.
What do I think about the stability of the solution?
The stability of Wazuh is strong, with no issues stemming from the solution itself. Any downtime we experienced was due to human error in configuration.
What do I think about the scalability of the solution?
Scalability depends on the configuration and the infrastructure resources like compute and memory we allocate. We found scalability to be decent, as we could easily adjust our infrastructure to handle increased traffic.
How are customer service and support?
We use the open-source version of Wazuh, which does not provide paid support. Although the community is active, it is not highly responsive. Conversion from issue to resolution is average.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Before Wazuh, we relied on periodic audits, which were time-consuming and did not provide automated detection of security anomalies.
How was the initial setup?
Initial setup was incredibly simple, requiring only the running of one script for a single node setup. Complexities arose during integration with Kubernetes-based workloads due to insufficient documentation.
What about the implementation team?
We required only two people for both the deployment and ongoing maintenance of Wazuh.
What was our ROI?
The return on investment is visible in reduced mean time to detect from potentially three months to about an hour and mean time to respond from up to thirty days to two days.
What's my experience with pricing, setup cost, and licensing?
We did not incur costs for Wazuh itself, only for the underlying infrastructure such as PubSub, storage, and compute instances, totaling around two lakh Indian rupees per month.
Which other solutions did I evaluate?
We evaluated Google Chronicle and Elastic-based SIEM (ELK SIEM), but Wazuh was the most cost-effective solution, being open-source with necessary compute infrastructure.
What other advice do I have?
Wazuh is well-suited for small to medium-sized organizations seeking better data and security visibility for a reasonable investment. There is a learning curve due to less comprehensive documentation, but it is a beautifully designed solution.
I'd rate the solution seven out of ten.
Enhances security visibility with proactive incident response features
What is our primary use case?
We use Wazuh for our Security Information and Event Management (SIEM) needs. It serves as a log aggregator and provides us the capability to monitor our servers for brute force attacks and other security threats.
We use Wazuh's vulnerability management dashboard to scan our servers for vulnerabilities and ensure compliance with standards such as HIPAA and PCI DSS.
How has it helped my organization?
Wazuh has enhanced our security posture by providing visibility into our environment and enabling proactivity in incident response. It alerts us to any discrepancies in the environment, allowing us to respond swiftly.
Additionally, it supports features like active response, blocking potential intrusions automatically.
What is most valuable?
The most valuable feature of Wazuh is its EDR capabilities. It operates in a server-agent mode, which allows us to aggregate logs from endpoints and monitor server activities, such as vulnerability scans and compliance checks. Wazuh is open to numerous integrations with third-party tools like forensics tools, adding to its versatility.
What needs improvement?
The latest version, 4.9, has improved the interface significantly. I am yet to explore more about the update to identify further areas for improvement. So far, the recent updates have addressed most challenges we previously faced.
For how long have I used the solution?
I have been working with Wazuh for more than three years.
What do I think about the stability of the solution?
Wazuh is very stable over the years, and it has consistently met our needs without issues.
What do I think about the scalability of the solution?
Wazuh is quite scalable. We have deployed it across 20 to 30 servers. You can increase the server resources to handle more endpoints as needed.
How are customer service and support?
Customer service is excellent, rated a ten out of ten. Wazuh has a vast online community on platforms like Slack and Google Groups. The response time for queries is great due to the extensive community support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I did not use other SIEM solutions beforehand. Wazuh was already in use when I joined my organization. I am aware of Splunk, which is a commercial SIEM tool, yet have not used it.
How was the initial setup?
Today, even novices can deploy Wazuh due to the simplified setup process using pre-configured scripts and marketplace images for quick deployment.
What's my experience with pricing, setup cost, and licensing?
Wazuh is open-source, with a free version and a commercial cloud subscription for those needing managed cloud hosting. The Wazuh Cloud requires additional licensing fees.
What other advice do I have?
There's no perfect solution in security, as it's a combination of tools, people, and processes. Staying proactive is essential, particularly with AI-enhanced attacks becoming more prevalent.
I'd rate the solution eight out of ten.
Very good
I used this for internal testing, and it worked as expected. Make sure to change default passwords for production env.
Credentials Issues
Not able to log in with the instance ID as the password. Also, Certbot is not included.
Not able to install Certbot as given in the instructions.
Aggregates all your logs in one place and provides a unified view to monitor
What is our primary use case?
My company specializes in providing SIEM as a service. We leverage Wazuh for that. Since Wazuh is open-source, I hosted it on Azure.
We provide Wazuh as a service to our customers. Currently, we have three clients whose environments are integrated with our Wazuh server on our CRM system. We handle the typical CRM use cases, including security alerts and advisories, and monitor their environments through our Wazuh server.
How has it helped my organization?
It allows you to aggregate all your logs in one place and provides a unified view to monitor your security environment. Unlike other solutions, Wazuh is open-source, so you don't need to invest in significant capital expenses. You can easily set up a server on Azure or your infrastructure. While you will need specialized personnel to operate it, this is true for any SIEM solution.
What is most valuable?
One of Wazuh's most significant advantages, aside from being open source, is its flexible dashboards. Integrated with Elasticsearch, Wazuh allows you to create customized dashboards if you have an in-house developer. This level of customization isn’t available with Fortinet, which offers only pre-made dashboards. Wazuh lets you design any dashboard you need.
What needs improvement?
Wazuh doesn't have native support for some enterprise solutions. It requires an agent installed on the server, whether Windows Server or Linux, to collect logs. While you can gather information via SNMP or Splunk logs, this isn't natively supported. Some decoders are available, but they are community-built rather than officially supported. It relies on its community to create these decoders as an open-source platform, so they may not be fully integrated.
What do I think about the stability of the solution?
It's pretty stable. You don't have stability problems if you follow the documentation and implement it as detailed there.
What do I think about the scalability of the solution?
Wazuh is highly scalable. You can install it on-premises, in Azure, or using Docker. The architecture allows you to separate the dashboard, index, and node servers.
How are customer service and support?
Wazuh offers technical support, but you need to pay for it. If you are using the open-source solution, you'll need to rely on the extensive documentation and the community itself.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is complicated. You need a specialist in the technology to make good use of it. You can do it on-premises. You can do it on Azure. You can do it on the hybrid cloud as Docker. So it's very flexible.
We use Azure, which we currently use as a single server. We will migrate it to our partner using Azure.
It takes two months to deploy completely.
What was our ROI?
You save on licensing, and you need to invest in people.
What other advice do I have?
When Wazuh is properly implemented, it runs smoothly without causing many problems. However, if it's not set up correctly, you might encounter issues that require weekly maintenance. These can include database and disk issues because, as a VM solution, Wazuh collects a large amount of logging data. Proper implementation prevents these problems, but they can arise if you're unsure how to do it.
Overall, I rate the solution an eight out of ten.
Offers good threat detection capabilities
What is our primary use case?
I use the solution in my company for XDR and SIEM.
What is most valuable?
The solution's most valuable feature is that its XDR part provides a very good experience compared to other open-source software. Wazuh is also better than the existing XDR apps.
What needs improvement?
Wazuh needs improvement in terms of AI. All the tools, whether SIEM or other tools, are focused on AI-based areas. Wazuh should plan to integrate with the AI part.
The product's configuration part and lack of AI capabilities are some of the major concerns associated with Wazuh.
Considering the current technology, the entire infra will be changed for quantum computing and security. We need AI, which is drastically evolving. We needed some alignment with the AI-based Wazuh, and I believe it would be a very promising development since it would not be stable otherwise. Splunk has started working on AI-related stuff. Wazuh's XDR is very good.
For how long have I used the solution?
I have been using Wazuh for three years. My company has a partnership with Wazuh.
What do I think about the stability of the solution?
The tool is very powerful, without a doubt. It is a stable tool. Wazuh is better than Splunk, and I say so since it is very suitable for small and mid-level businesses with lower data volume. Splunk is the best if we need to deal with a higher volume. I can go ahead with Splunk if it is a higher volume. For small and mid-level businesses like our organization, which have the lowest data volumes, Wazuh is the best and most stable tool.
What do I think about the scalability of the solution?
When it comes to scalability, there are two things to consider while scaling up Wazuh's deployment. One is that our server and infra facilities should be aligned properly. Wazuh is a scalable tool. I can say the only drawback is that one requires technical knowledge to set up and configure the tool.
How are customer service and support?
The solution's technical support quality is mid-range. I rate the technical support a seven out of ten.
How would you rate customer service and support?
Neutral
How was the initial setup?
It is easy to install and deploy the tool, but only an experienced person can handle such areas. It means the subject matter expert can handle the tool. It cannot be given to someone randomly as the person needs to have some expertise.
The solution is easy to maintain.
Three people can deploy the solution.
Wazuh has given some timelines for the average deployment, but I must ask my team about it.
What's my experience with pricing, setup cost, and licensing?
The product price is neither too high nor too low. A lot of small players can easily adapt to Wazuh. Many are interested in adopting Wazuh in their own infrastructure.
What other advice do I have?
I would say that Wazuh's threat detection capabilities are effective at around 80 percent.
Regarding compliance and integrity monitoring, I would say that the problem stems from the fact that someone who doesn't know or has any background associated with Wazuh or someone junior in the profession cannot configure the product. An experienced person should configure Wazuh, and then only we can get the settings right because it is mostly a configuration-based tool. There are a lot of things in the configuration-based part. The product offers seamless integration capabilities.
I will have to ask my team members about details related to the operational cost and security incident response time associated with the solution.
My final bottom line recommendation to others is that they should consider whether they are using small volumes, and if so, it means their organization is small or mid-sized and is using very few data volumes for which Wazuh is the best choice instead of Graylog, Splunk or some other tool. We need the expertise to set up and configure the tool properly. Expertise and knowledge should be the key thing if anybody needs to adopt the tool. Others need to consider the tool's readiness for the AI revolution.
I rate the tool an eight out of ten.