awesome-wazuh

Curated list of Wazuh resources, tools, and integrations

Wazuh is a free, open-source security monitoring platform for threat prevention, detection, and response.

Contents

• Official Documentation
• Getting Started
• Setup Guides
• Deployment
  • Docker
  • Kubernetes
  • Terraform / OpenTofu
  • Ansible
  • Cloud Platforms
  • CI/CD & Testing
• Rules & Detection
  • Community Rules
  • Vendor-Specific Rules
  • Detection Modules
• Integrations
  • Alerting
  • Ticketing
  • Threat Intelligence
  • Cloud Platforms
  • SOAR
  • Custom Integrations
• Tools & Utilities
• Maintenance
  • Backup & Restore
  • Known Issues
• Compliance
• Training & Certification
• Guides & Tutorials
  • AI & LLM Integration
  • Detection & Response
  • General
• Ambassador Program
• Community
• Contributing

Official Documentation

• 🟢 Wazuh Documentation - Installation, configuration, and usage guides
• 🟢 Architecture Overview - System design and components
• 🟢 API Reference - REST API endpoints
• 🟢 Wazuh Blog - Weekly technical articles
• 🟢 Release Notes - Version history and changelog

Getting Started

• 🟢 Installation Guide - Step-by-step deployment instructions
• 🟢 Quickstart - Get running in 30-60 minutes
• 🟢 Wazuh Cloud - Fully managed SaaS option with free tier
• 🟢 Docker Quick Start - Single command deployment for testing

Setup Guides

Step-by-step setup walkthroughs for Wazuh installation, configuration, and operational tasks.

• 🟡 samma-io/wazuh-help - Setup help, troubleshooting, and operational notes for Wazuh deployments

Deployment

Docker

• 🟢 Official Docker Guide - Container deployment documentation
• 🟢 Docker Repository - Docker Compose files and images (1,000+ stars)

Kubernetes

• 🟢 Official Kubernetes Guide - K8s cluster deployment
• 🟢 Helm Charts - Production-grade Helm packages with HA support

Terraform / OpenTofu

• 🟡 Terraform/OpenTofu Provider - Community provider, actively maintained
• 🟡 Terraform Registry - Official Terraform registry entry
• 🟢 Feature Request - Official Wazuh provider (planned)

Ansible

• 🟢 Official Ansible Guide - Multi-host deployment automation
• 🟢 Ansible Playbooks - Ready-to-use playbooks (use release branches for production)

Cloud Platforms

• 🟢 AWS Deployment - CloudTrail, GuardDuty, Security Hub, Macie
• 🟢 Azure Deployment - Log Analytics, Microsoft Graph, Intune
• 🟢 GCP Deployment - Pub/Sub and Cloud Storage integration
• 🟢 Virtual Machines (OVA/AMI) - Pre-built images for quick POC

CI/CD & Testing

• 🟢 Wazuh QA - Automated testing and CI/CD infrastructure

Rules & Detection

• 🟢 Rules Documentation - Rule syntax and optimization
• 🟢 Custom Rules Guide - Writing and testing custom rules
• 🟢 Official Ruleset - Complete rule repository

Community Rules

General-purpose community rule collections.

• 🟡 socfortress/Wazuh-Rules - Community rule collection
• 🟡 Ghost47-coder/Wazuh-Rules - Custom rule set and decoders

Vendor-Specific Rules

Decoders and rulesets for specific devices, appliances, and platforms.

• 🟡 Fortigate Rules & Decoders - Fortigate device monitoring
• 🟡 Pi-hole Decoder & Rules - Pi-hole DNS sinkhole monitoring and detection
• 🟡 Synology DSM (st0rm-cr0w) - Synology DSM decoder and rules
• 🟡 Synology DSM (Tomo-9925) - Alternative Synology DSM decoder implementation
• 🟡 Unifi Decoder - Ubiquiti Unifi network monitoring

Detection Modules

• 🟢 File Integrity Monitoring (FIM) - Detect unauthorized file changes
• 🟢 Vulnerability Detection - CVE scanning and assessment
• 🟢 Configuration Assessment (SCA) - Compliance validation and hardening
• 🟢 Malware Detection - ClamAV and YARA integration
• 🟢 Active Response - Automated threat response

Integrations

Connect Wazuh with external platforms for alerting, ticketing, threat intelligence, and orchestration.

Alerting

• 🟢 Slack - Real-time alerts to Slack channels
• 🟢 PagerDuty - On-call incident escalation
• 🟢 Email - SMTP alert delivery

Ticketing

• 🟢 Generic API Integration - Trigger any external API
• 🟢 ServiceNow Integration - REST API + Python script
• 🟡 Jira Integration - Community guide

Threat Intelligence

• 🟢 VirusTotal - File hash and URL enrichment
• 🟢 CDB Lists - Custom threat intelligence lists

Cloud Platforms

• 🟢 AWS Security Hub - CloudTrail, GuardDuty, and Security Lake integration
• 🟢 Azure Sentinel - Microsoft Sentinel integration
• 🟢 Google Cloud - Cloud Audit Logs integration

SOAR

• 🟡 Shuffle SOAR - Open-source SOAR with Wazuh support
• 🟢 Shuffle + Teams Integration - SOAR-based Teams alerting
• 🟡 Automated Threat Detection & Response (Medium) - Real-world Wazuh + Shuffle threat response automation

Custom Integrations

• 🟡 wazuh2thehive - TheHive case management integration
• 🟡 wazuh-opencti - OpenCTI threat intelligence platform
• 🟡 wazuh-integrations - Collection of custom integrations
• 🟡 Prometheus Exporter - Prometheus metrics and monitoring
• 🟡 Sophos-Wazuh-SOC - Sophos firewall and endpoint integration for SOC operations
• 🟡 Telegram Alerting - Telegram notification script
• 🟡 Custom Telegram - Advanced Telegram alert formatting
• 🟡 wazuh-nmap - Nmap network scan integration

Maintenance

Backup & Restore

• 🟢 Creating a Backup — Central Components - Official guide: directories to back up (/etc/wazuh-indexer/, /var/ossec/etc/, certificates) using rsync + tar
• 🟢 Restoring Central Components - Step-by-step restore for single node and multi-node cluster
• 🟢 Index Backup Management - Official blog: OpenSearch snapshots for alert data — filesystem, S3, Azure, GCS, SLM automation
• 🟡 Snapshot and Restore — Practical Guide - Community walkthrough: path.repo configuration, snapshot via CLI and Dashboard UI, cron automation

Known Issues

Wazuh services fail to start after reboot on Debian/Ubuntu

A well-known issue on all-in-one installations: Wazuh services (wazuh-indexer, wazuh-manager, wazuh-dashboard) have no After= dependencies in their systemd units, causing race conditions on boot. Symptoms: dashboard returns "server is not ready yet", indexer enters failed state, or manager fails due to a missing PID file.

• 🟡 wazuh-indexer #201 - Indexer fails after reboot: missing /var/log/wazuh-indexer/gc.log directory
• 🟡 wazuh-packages #1962 - Indexer enters failed state on reboot (v4.4.0+)
• 🟡 wazuh/wazuh #31037 - Permission denied on GC log at JVM startup

Workaround: create a systemd override to enforce startup order:

# /etc/systemd/system/wazuh-manager.service.d/override.conf
[Unit]
After=wazuh-indexer.service network-online.target

# /etc/systemd/system/wazuh-dashboard.service.d/override.conf
[Unit]
After=wazuh-indexer.service network-online.target

Then reload: systemctl daemon-reload. If the indexer still needs extra time to initialize, add ExecStartPre=/bin/sleep 15 to the dashboard override.

Tools & Utilities

• 🟡 Wazuh Tools - Collection of operational utility scripts
• 🟡 MCP Server Wazuh - Model Context Protocol server for Wazuh
• 🟡 Wazuh MCP Server - Alternative MCP implementation

Compliance

Map Wazuh capabilities to regulatory frameworks.

• 🟢 PCI-DSS - Payment Card Industry Data Security Standard
• 🟢 GDPR - EU data protection regulation
• 🟢 NIS-2 - EU critical infrastructure directive (audit deadline June 30, 2026)
• 🟢 ISO 27001 - Information security management standard
• 🟢 HIPAA - Healthcare data protection
• 🟢 NIST 800-53 - Federal security controls
• 🟢 TSC (SOC 2) - Trust Service Criteria

Training & Certification

• 🟢 Official Training Courses - 4-day authorized certification program
• 🟡 YouTube Tutorials - Official video guides
• 🟡 Udemy - Complete Wazuh Course - Beginner to advanced
• 🟡 initMAX - Wazuh Training - Certified Wazuh Professional credential
• 🟡 SIEM Intelligence - Certified Wazuh Administrator - CWA credential

Guides & Tutorials

Community-contributed guides for specific use cases and advanced configurations.

AI & LLM Integration

• 🟡 Local Ollama in the Wazuh Dashboard - LLM-powered alert insights using a local Ollama instance embedded in the Wazuh Dashboard
• 🟡 Wazuh + AWS Bedrock + MCP (Part 1) - Integrating Wazuh with AWS Bedrock and Model Context Protocol for AI-driven security analysis
• 🟡 Wazuh + AWS Bedrock + MCP (Part 2) - Advanced configuration and use cases for Wazuh + AWS Bedrock + MCP integration

Detection & Response

• 🟡 SOAR Flow Guide - SOAR orchestration and automation patterns
• 🟡 Bruteforce Detection Guide - Detecting and responding to brute force attacks

General

• 🟡 Wazuh Complete Guide - Comprehensive Wazuh setup and configuration guide

Ambassador Program

Represent Wazuh in your region. Become an ambassador and share your expertise.

• 🟢 Wazuh Ambassador Program - How to become an ambassador
• Ambassador Activities Guide - Content creation, speaking, training, partnerships

Community

• 🟢 Wazuh Community - Slack workspace and forums
• 🟢 GitHub Discussions - Q&A and feature requests
• 🟢 GitHub Organization - 31+ repositories (14,600+ stars on main)
• 🟢 Professional Support - SLA-backed support services

Examples

This repository includes deployment templates and examples:

• Docker Compose (examples/docker-compose/) - Single and multi-node setups
• Terraform (examples/terraform/) - Infrastructure-as-code templates (OpenTofu compatible)
• Ansible (examples/ansible/) - Multi-host playbooks
• Vagrant (examples/vagrant/) - Local VM-based lab

Contributing

Contributions welcome. To add a resource:

1. Verify the link works (HTTP 200)
2. Use appropriate badge: 🟢 Official (Wazuh project) | 🟡 Community
3. Keep description to 1-2 lines, concrete and useful
4. Add in correct category and alphabetical order
5. Submit pull request

See CONTRIBUTING.md for guidelines.

Curated by: Franco Tampieri (TTlab® - Security & DevOps) | [email protected]

License

MIT

Badges: 🟢 = Official (Wazuh) | 🟡 = Community