Wazuh provides a comprehensive security solution that detects, analyzes, and responds to threats across multiple IT infrastructure layers. Wazuh collects telemetry from endpoints, network devices, cloud workloads, third-party APIs, and other sources for unified security monitoring and protection.
This integration parses the following types of logs:
- vulnerability-detector: Vulnerability events generated by Wazuh.
- malware-detector: Rootcheck events generated by Wazuh for detecting malware on the system.
- file-integrity-monitoring: Events related to file changes such as permissions, content, ownership, and attributes.
- docker: Activity events from Docker containers.
- github: Audit log events from GitHub organizations.
- google-cloud: Security events related to Google Cloud Platform services.
- amazon: Security events from Amazon AWS services.
- office365: Security events related to Office 365.
- system: Events from services such as FTPD, PAM, SSHD, syslog, Windows, dpkg, yum, sudo, su, wazuh, and ossec, along with internal events.
Visualize detailed insights into these logs through the out-of-the-box dashboards.
To install the Wazuh integration, run the following Agent installation command and the steps below. For more information, see the Integration Management documentation.
Note: This step is not necessary for Agent version >= 7.58.0.
Linux command:

```shell
sudo -u dd-agent -- datadog-agent integration install datadog-wazuh==1.0.0
```
1. Collecting logs is disabled by default in the Datadog Agent. Enable it in `datadog.yaml`:

   ```yaml
   logs_enabled: true
   ```

2. Add this configuration block to your `wazuh.d/conf.yaml` file to start collecting your logs. Use the UDP method to collect the Wazuh alerts data. See the sample `wazuh.d/conf.yaml` for available configuration options.

   ```yaml
   logs:
     - type: udp
       port: <PORT>
       source: wazuh
       service: wazuh
   ```

   Note: It is recommended not to change the `service` and `source` values, as these parameters are integral to the pipeline's operation.
1. Log in to the Wazuh UI. Navigate to the left side menu.
2. Go to Server management > Settings.
3. Click on Edit configuration.
4. Add the following configuration block. In this example, all alerts are sent to 1.1.1.1 on port 8080 in JSON format:

   ```xml
   <syslog_output>
     <server>1.1.1.1</server>
     <port>8080</port>
     <format>json</format>
   </syslog_output>
   ```

   - The `server` tag should contain the IP address where your Datadog Agent is running.
   - The `port` tag should contain the port where your Datadog Agent is listening.

   Note: Using JSON format is required, since the Wazuh pipeline parses JSON formatted logs only.

5. Click the Save button.
6. After saving, click on the Restart Manager button.
Run the Agent's status subcommand and look for `wazuh` under the Checks section.
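The UDP input and the JSON requirement above, illustrated with a constructed example that is not part of the Datadog or Wazuh integration code. It binds a UDP socket the way the Agent's `type: udp` input does, parses each datagram as a Wazuh alert, and maps the alert onto the log types listed at the top of this page. The syslog header shape, the alert field names (`rule.groups`, `location`) and the group-to-type mapping are assumptions for this example, and all sample datagrams are constructed; a plain-text (non-JSON) alert is shown being rejected, which is why `<format>json</format>` is required.

```python
"""Added example (not part of the Datadog or Wazuh integration code): a
minimal UDP receiver for Wazuh <syslog_output> datagrams plus a classifier
that maps a parsed alert onto the integration's log types.

Assumptions (labelled here and in comments):
- One alert per datagram; with <format>json</format> the body is the alert
  JSON, possibly preceded by a syslog header. The header in the samples
  below is constructed for this example.
- Alert fields used (rule.groups, location) follow the common Wazuh alert
  layout; the group names in GROUP_TO_LOG_TYPE are assumptions.
"""
import json
import socket
from typing import Optional

# Assumed Wazuh rule groups / locations -> integration log type.
GROUP_TO_LOG_TYPE = {
    "vulnerability-detector": "vulnerability-detector",
    "rootcheck": "malware-detector",
    "syscheck": "file-integrity-monitoring",
    "docker": "docker",
    "github": "github",
    "gcp": "google-cloud",
    "amazon": "amazon",
    "office365": "office365",
}
# Assumed groups that fall under the "system" log type.
SYSTEM_GROUPS = {"ftpd", "pam", "sshd", "syslog", "windows", "dpkg", "yum",
                 "sudo", "su", "wazuh", "ossec"}


def extract_json(payload: bytes) -> Optional[dict]:
    """Return the alert dict from a datagram, or None if it carries no JSON.

    A syslog header such as "<132>Mar  1 12:00:00 host wazuh:" may precede
    the JSON object, so parsing starts at the first '{'. A plain-text alert
    (the non-JSON syslog_output format) yields None: the pipeline cannot
    parse it, which is why <format>json</format> is required.
    """
    text = payload.decode("utf-8", errors="replace")
    start = text.find("{")
    if start < 0:
        return None
    try:
        alert = json.loads(text[start:])
    except json.JSONDecodeError:
        return None
    return alert if isinstance(alert, dict) else None


def classify(alert: dict) -> str:
    """Map an alert to one of the integration's log types ("other" if unknown)."""
    groups = set(alert.get("rule", {}).get("groups", []))
    location = alert.get("location", "")
    for group, log_type in GROUP_TO_LOG_TYPE.items():
        if group in groups or location == group:
            return log_type
    if groups & SYSTEM_GROUPS:
        return "system"
    return "other"


def bind_udp(host: str = "0.0.0.0", port: int = 0) -> socket.socket:
    """Bind a UDP socket like the Agent's udp log input (port 0 = ephemeral)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def send_datagram(host: str, port: int, payload: bytes) -> None:
    """Send one datagram, standing in for the Wazuh manager's syslog output."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        sender.sendto(payload, (host, port))


def receive_alert(sock: socket.socket, bufsize: int = 65535) -> Optional[dict]:
    """Block for one datagram and return the parsed alert (None if not JSON)."""
    payload, _addr = sock.recvfrom(bufsize)
    return extract_json(payload)


# Constructed sample datagrams (not real Wazuh output).
SAMPLE_DATAGRAMS = [
    b'<132>Mar  1 12:00:00 wazuh-manager wazuh: {"timestamp":"2024-03-01T12:00:00.000+0000",'
    b'"rule":{"level":7,"description":"Integrity checksum changed.","id":"550","groups":["ossec","syscheck"]},'
    b'"agent":{"id":"001","name":"web-01"},"location":"syscheck","syscheck":{"path":"/etc/passwd"}}',
    b'{"rule":{"level":5,"description":"sshd: authentication failed.","id":"5716",'
    b'"groups":["syslog","sshd","authentication_failed"]},"location":"/var/log/auth.log"}',
    # Plain-text format: the pipeline cannot parse this, so it is dropped.
    b'<132>Mar  1 12:00:01 wazuh-manager wazuh: Alert Level: 7; Rule: 550 - Integrity checksum changed.',
]

if __name__ == "__main__":
    sock = bind_udp("127.0.0.1", 0)  # ephemeral loopback port for a local demo
    host, port = sock.getsockname()
    for datagram in SAMPLE_DATAGRAMS:
        send_datagram(host, port, datagram)
        alert = receive_alert(sock)
        if alert is None:
            print("dropped: datagram is not JSON (check <format>json</format>)")
        else:
            print(f"{classify(alert):26s} rule={alert['rule']['id']}")
    sock.close()
```

Running the script sends the three constructed datagrams over loopback: the first two are parsed and classified as `file-integrity-monitoring` and `system`, the third (plain-text format) is dropped, which is the behaviour to expect when `<format>` is left unset.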
| Format | Event Types |
|---|---|
| JSON | vulnerability-detector, file-integrity-monitoring, malware-detector, github, docker, amazon, office365, google-cloud, system and other |
The Wazuh integration does not include any metrics.
The Wazuh integration does not include any events.
The Wazuh integration does not include any service checks.
Permission denied while port binding:
If you see a Permission denied error while port binding in the Agent logs:

1. Binding to a port number under 1024 requires elevated permissions. Grant access to the port using the `setcap` command:

   ```shell
   sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
   ```

2. Verify the setup is correct by running the `getcap` command:

   ```shell
   sudo getcap /opt/datadog-agent/bin/agent/agent
   ```

   With the expected output:

   ```
   /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
   ```

Note: Re-run this `setcap` command every time you upgrade the Agent.
Here is how to troubleshoot some possible issues.
Data is not being collected:
If a firewall is enabled, ensure it allows traffic to the configured port.
Port already in use:
If you see the `Port <PORT_NUMBER> Already in Use` error, see the following instructions. The example below is for port 514:

- On systems using Syslog, if the Agent listens for Wazuh logs on port 514, the following error can appear in the Agent logs:

  ```
  Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use
  ```

  This error occurs because by default, Syslog listens on port 514. To resolve this error, take one of the following steps:
  - Disable Syslog.
  - Configure the Agent to listen on a different, available port.
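A pre-flight check for the two port problems described in this troubleshooting section, added here as an example that is not part of the Datadog or Wazuh integration code. It tries to bind the configured UDP port the way the Agent's input does (reporting a conflict such as syslog already on 514), and for ports below 1024 it checks `getcap` output for `cap_net_bind_service` with the `e` and `p` flags. The binary path and the `getcap` output format are taken from the page above; accepting the newer libcap spelling `cap_net_bind_service=ep` is an assumption, as is the `occupy_port` helper, which only exists to simulate a conflicting listener.

```python
"""Added example (not part of the Datadog or Wazuh integration code): a small
pre-flight check for the port problems covered above: a privileged port
without CAP_NET_BIND_SERVICE, and a port already taken by another listener.

Assumptions: the binary path and getcap output format follow the page
("/opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep"); the
newer libcap spelling "cap_net_bind_service=ep" is accepted as well.
"""
import errno
import re
import socket
import subprocess
from typing import List

AGENT_BINARY = "/opt/datadog-agent/bin/agent/agent"  # path from the page

ADVICE = {
    "port-in-use": "Port is already in use: stop the conflicting listener "
                   "(syslog on 514 is the usual one) or choose a free port in wazuh.d/conf.yaml.",
    "needs-setcap": "Port is below 1024: grant the Agent CAP_NET_BIND_SERVICE with "
                    f"`sudo setcap CAP_NET_BIND_SERVICE=+ep {AGENT_BINARY}` "
                    "(re-run after every Agent upgrade).",
}


def has_bind_capability(getcap_output: str) -> bool:
    """True if getcap output shows cap_net_bind_service as effective (e) and permitted (p)."""
    match = re.search(r"cap_net_bind_service\s*[=+]\s*([a-z]+)", getcap_output)
    return bool(match) and "e" in match.group(1) and "p" in match.group(1)


def port_in_use(port: int, host: str = "0.0.0.0") -> bool:
    """Try to bind a UDP socket on the port, the same way the Agent's udp input does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        try:
            sock.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            if exc.errno in (errno.EACCES, errno.EPERM):
                # Privileged port without capability: not a conflict, the
                # capability check below reports it.
                return False
            raise
    return False


def diagnose(port: int, in_use: bool, getcap_output: str) -> List[str]:
    """Return the ADVICE keys that apply; an empty list means the port looks usable."""
    findings = []
    if in_use:
        findings.append("port-in-use")
    if port < 1024 and not has_bind_capability(getcap_output):
        findings.append("needs-setcap")
    return findings


def read_getcap(binary: str = AGENT_BINARY) -> str:
    """Run getcap on the Agent binary; empty string if getcap is not installed."""
    try:
        result = subprocess.run(["getcap", binary], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return result.stdout


def occupy_port(host: str = "127.0.0.1") -> socket.socket:
    """Helper (assumed, for demos/tests only): bind an ephemeral UDP port to simulate a conflict."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    return sock


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 514
    findings = diagnose(port, port_in_use(port), read_getcap())
    for key in findings:
        print(ADVICE[key])
    if not findings:
        print(f"Port {port} looks usable by the Agent.")
```

Run it with the port from `wazuh.d/conf.yaml` (`python3 check_port.py 514`); each finding prints the matching remediation from the page, and no findings means the Agent should be able to bind the port.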
For further assistance, contact Datadog support.