This is built upon OSSec[1]. While it works ok, with Elastic underneath it's far too much maintenance for my 30 servers.

[1] - https://www.ossec.net/

It would be great to be able to use VictoriaLogs underneath instead of Elasticsearch. This would simplify the configuration and maintenance, since VictoriaLogs works optimally with default configs on any hardware. This will also help reducing hardware costs for large amounts of stored security logs, since VictoriaLogs usually needs up to 30x less RAM and up to 15x less disk space than Elasticsearch for the same amounts of logs. See https://itnext.io/how-do-open-source-solutions-for-logs-work... for details.

There is a hosted offering https://wazuh.com/cloud

I run an in-house deployment using the Docker conf they supply. It requires a couple of hours per month and mainly a lot of disparate skills.

The real thing that takes time is the installation and configuration of the rules and agents. That’s something that you have to do for any SIEM really, irrespective of open source / paid: you have to understand your nominal feed and that takes time.

Sadly OSSEC is largely abandoned. Back in the day it was very good for a lightweight and effective security system for those that didn't want to install full-blown antivirus on everything. I wish they would donate the project to Linux Foundation or CNCF, but it seems destined for decline.

It seems their official Docker image is 5 years old.

Kicked the tires on it, but the agent requirement was a no-go for me. Coming from Enterprise Infrastructure, mandating Yet Another Agent is already knocking your product down several grades versus those leveraging OpenTelemetry or standardized collectors and forwarders.

An agentless Nessus scan (man, I miss Nessus) gets you 90% of the way there for all but the most security-conscious organizations, and its agent is honestly kind of light and simple if I have to install it.

Wazuh does much more than Nessus, for instance you can instruct the agent to temporarily drop networking if you identify a compromised machine. Agentless scans will do nothing of the like.

I appreciate the different feature sets, but there's almost always another endpoint agent you can build that behavior onto/through in the modern enterprise. Posture control isn't exactly a unique feature, and my original opinion still stands: between CrowdStrike, Tanium, SentinelOne, Defender, AirWatch, New Relic, and OpenTelemetry, I've seen a web of similar-ish feature sets with agents alone consuming upwards of 10% of the machine's CPU power just in the background.

What's worse, Wazuh doesn't even fully replace any of those above agents, meaning it has to be yet another complimentary agent on the machine. No thanks, when New Relic + OpenTelemetry can feed me all of the machine's logs and monitoring statistics, while a competent ITAM/ITSM can alert on out-of-bounds posture and trigger network or Identity systems to shutdown access. Hell, I'm old enough to remember when basic log forwarding and SNMP traps were all that was needed to effectively monitor machines, before developers and vendors began locking stuff up behind new APIs or services they could monetize better.

Don't get me wrong, I want Wazuh to succeed because nobody should have to shell out thousands of dollars a month for basic security posturing and monitoring; right now though, Wazuh ain't it.

I agree w everything you said, point was just Wazuh and Nessus arent exactly the same type of tools.

Spoiler alert: agent based. Ran it before, was a maint burden of the first order.

It's not exactly the surprise of the century that running your own services, let alone a security platform, requires maintenance.

What was it specifically that made it a "maint burden of the first order?"

I have first hand experience with this product for over 2 years. It is a PITA from a SRE/Devops Security point of view. Things constantly break, the indexes, emailing reports, just general bit rot. The source code is at best a good first attempt, but sorely lacking.

I have built from ground up 2 SIEMS.

I used their docker based installation. Upgraded it a couple of times, takes me 1h each time (mostly because I am more of a PHB and not a devops)

Never had a single issue with indexes, though we only ingest 500k+ events per day for ~endpoints.

Don’t use email but notifications by Slack. Never had it fail in one year.

Honestly, I almost feel bad for the amount of value I’m getting for free. So I’m happy to give back: made an integration that recovers all Google Workdspace events (https://github.com/avanwouwe/wazuh-gworkspace) if anyone’s using Wazuh? I also plan on publishing my Chrome extension integration (behavioral analysis and malware and shadow it detection) in a couple of days!

I have run it for a while and I have yet to successfully upgrade it a single time. I always just end up rebuilding the server to get a new version.

Did you think it was set and forget? There is a reason companies have entire SOC teams only looking at EDR and SIEM.

What SIEM did you move to that was less of a burden?

I know of no similar package that isn't agent based, at least when it comes to endpoints. I'd be happy to hear an alternative, though.

Why was it a burden?

There is an agentless option that just requires ssh access. Not something I’d prefer from a security point of view, but it’s possible.

Agent based is not really a big burden, most monitoring systems work like this (Prometheus). Companys use Ansible etc.

Prometheus is not agent based though

It is mind-blowing that such a good SIEM (Security information and event management) software can be free.

I'd like to give you a virtual cookie, for being the only person in the comments so far to spell out what SIEM stands for.

I appreciate you.

Seriously, this is getting out of hand in the cybersecurity space. SAST, DAST, SBOM, WAF, SOAR, TPRM, NGFW, MSSP...

I noticed that in ‘22 there was a solid shift from three letter acronyms to four. Madness.

Don’t forget CAASM!

> such a good SIEM

Source? The value a SIEM provides these days is mostly the out of the box integrations and log parses. Wazuh is far from that, IME.

My team tested it when we were choosing an EDR and SIEM. The experience was horrendous.

The maintenance is huge, you need to hunt for rulesets, the EDR is half baked, etc.

What net benefits does a full blown "SIEM" add over a simple log database w/ alerting support?

Building on top of elastic was an easy win. However, SCAs need a lot more love. Some of them are wrong/outdated, while many are missing.

So what SIEM do people suggest? AWS shop, EC2, VPC, Lamba, RDS

As a teacher, I love explaining how professional most IT security software is. I go over several acronyms for various software packages.

Then I ask the class to guess at where Wazuh's name came from.

It's not a concept from The Art of War in the original Chinese.

It's not an ancient Samurai motto.

It's from "Up you wazuh"

> Unified XDR and SIEM protection for endpoints and cloud workloads

Guess IDC ABT this. Jokes aside, read the page, still don't know if I care about this or need it...

I am not familiar with the term.

"Universal agent" is some form of antivirus, ransomware software like ESET, or McAffee?

Or does the universal agent listen to "endpoint security, somebody elses antivirus that reports what it finds up the chain?

And the next step is that the data gets to the server, is parsed, stored etc and present on a nice gui?

"Someone proped computer3 with a known exsploit at (somedatetime)" ?

They're implying that you have a single agent which does the EDR (antivirus) and SIEM (logging) functionality instead of two separate agents. This is becoming more commonplace throughout the security industry as multiple agents can be burdensome from both a security and maintenance perspective.

Agreed about the security and maintenance perspective perspective.

Does that then mean we can conclude that the agent that comes with this product is a fully fledged endpoint security like ESET/MCaffe etc?

I am wondering about this since a top notch free and open source antivirus and malware program would be super useful and cheap

I haven't used it, and can't speak to it being "top notch", but they're advertising it as a fully fledged endpoint product that even includes some things like FIM (File integrity Monitoring), which are usually only available as expensive add-ons or additional modules with traditional security products like McAfee.

If it were me, I would compare and contrast it's features and support with commercial offerings and see which one you feel the most comfortable with. There's a lot at stake when it comes to security. It's probably best not to let your decisions be 100% about up-front cost.

As far as I know it's just a node exporter, similar to prometheues node-exporter

Just Say No to "endpoint security"

What is the good alternative to this? McAffee? AVAST? Kaspersky?

Nothing?

What about adding compatibility with VictoriaLogs instead of using Elasticsearch/OpenSearch?

Can some folks in the cybersecurity arena recommend some good email newsletters, websites, blogs, accounts, etc to follow to keep up in the space?

Any specific areas of interest?

Some mailing lists at [1], like oss-security & kernel-hardening. CISA (Cybersecurity and Infrastructure Security Agency) [2] has a few different areas they report on. Mozilla has the dev-security-policy mailing list for all things PKI (public key infrastructure) [3], and a few other lists as well. There's the Full Disclosure [4] mailing list for vulnerabilities/exploits, etc. Quite a few others at [5], though sadly many are no longer active.

[1] https://openwall.com/lists/

[2] https://www.cisa.gov/about/contact-us/subscribe-updates-cisa

[3] https://groups.google.com/a/mozilla.org/g/dev-security-polic...

[4] https://seclists.org/fulldisclosure/

[5] https://seclists.org/

I have slowly been aggregating various blogs in the cybersec realm at https://securityblogs.xyz/

I add new blogs as I run into them on twitter/reddit/HN/etc

Do you have an OPML feed for that?

I do not, but I can add that later today.

That's would be great :)

Done. Give it a try!

It works! Thank you :)

I'm not in cyber but "Risky Business" ( https://risky.biz/ ) is a good podcast to keep up to date.

They always have a lot of outgoing links in their show-notes that should get you started with the rest.

Podcast https://isc.sans.edu/podcast.html

This blog is nice https://blog.badsectorlabs.com/

You have different areas of security. Sadly our space is full of grifters and wanna be security "experts". For a very technical security podcast I recommend Critical Thinking Bug Bounty [1].

[1] https://www.criticalthinkingpodcast.io/

Well your other choice is you pay for a non open source SIEM that's $10 per endpoint per month and cross your fingers that they don't do a rugpull and start charging you $20 after it's insinuated itself into your environment is hard to replace..

With an Open Source project you at least have the possibility that if it has enough users and companies using it then someone will fork the code if the company ever makes it closed source and keep the project going.

The increase from $10 to $20 is 100%. The increase from $0 to $10 is infinity%, but I take your point.

I'm probably just still a little bitter about the recent Bitwarden open source rugpull.

My first thought isn't the "rug pull" but rather that the real product being produced by the "FOSS company", from the get go, are the expensive support contracts.

Two different business models:

- Sell a great+differentiated product, support is ~free and rarely needed

- Give a away a terrible product (usually an over-engineered CRUD), constant $upport is required to use it effectively