Wazuh - Host and endpoint security
Type Name Latest commit message Commit time
.github/ISSUE_TEMPLATE Update ruleset test template Nov 27, 2018
active-response Move duplicate entry check into the add action Nov 22, 2018
contrib Add SSL cert option (#1856) Nov 19, 2018
doc spelling: response Aug 29, 2017
etc Merge branch '3.7' into 3.8 Dec 3, 2018
extensions Resolve issue of many GuardDuty findings failing to be indexed by Ela… Dec 2, 2018
framework Merge branch '3.7' into 3.8 Dec 3, 2018
integrations Fix argument checking in the Slack and Virustotal integration scripts Nov 20, 2018
src Remove deprecated flag REUSE_ID from the Makefile Dec 14, 2018
tools/migration Discard invalid entries in syscheck database (#1867) Nov 13, 2018
wodles Merge pull request #1785 from wazuh/3.7-fix-missing-oscap-error-msg Nov 20, 2018
.gitignore Separate the non-parallelable part of the OS_Regex library Oct 1, 2018
.travis.yml Add SSL cert option (#1856) Nov 19, 2018
BUGS Changed some URLs and messages Apr 25, 2017
CHANGELOG.md Added changelog entry Dec 13, 2018
CONFIG Changed some URLs and messages Apr 25, 2017
CONTRIBUTORS Replaced OSSEC HIDS for OSSEC Wazuh and updated version number Sep 15, 2016
INSTALL Changed some URLs and messages Apr 25, 2017
Jenkinsfile-daily Renaming JenkinsFile. Testing webhooks Nov 30, 2016
Jenkinsfile-instant New jenkinsfile for instant tests Nov 30, 2016
LICENSE spelling: routines Aug 29, 2017
README.md Update README.md - Copyright date updated Feb 27, 2018
add_localfiles.sh Replace installation directory Jan 30, 2017
gen_ossec.sh Add SSL cert option (#1856) Nov 19, 2018
install.sh Add SSL cert option (#1856) Nov 19, 2018
upgrade.sh Let remote upgrades execute in dynamic installation directory Feb 7, 2018




Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level. This solution, based on lightweight multi-platform agents, provides the following capabilities:

  • Log management and analysis: Wazuh agents read operating system and application logs, and securely forward them to a central manager for rule-based analysis and storage.
  • File integrity monitoring: Wazuh monitors the file system, identifying changes in content, permissions, ownership, and attributes of files that you need to keep an eye on.
  • Intrusion and anomaly detection: Agents scan the system looking for malware, rootkits or suspicious anomalies. They can detect hidden files, cloaked processes or unregistered network listeners, as well as inconsistencies in system call responses.
  • Policy and compliance monitoring: Wazuh monitors configuration files to ensure they are compliant with your security policies, standards or hardening guides. Agents perform periodic scans to detect applications that are known to be vulnerable, unpatched, or insecurely configured.

This diverse set of capabilities is provided by integrating OSSEC, OpenSCAP and Elastic Stack, making them work together as a unified solution, and simplifying their configuration and management.

Wazuh provides an updated log analysis ruleset, and a RESTful API that allows you to monitor the status and configuration of all Wazuh agents.

Wazuh also includes a rich web application (fully integrated as a Kibana app), for mining log analysis alerts and for monitoring and managing your Wazuh infrastructure.

Wazuh Open Source components and contributions

  • Wazuh was born as a fork of OSSEC HIDS. It contains many new features, improvements and bug fixes.

  • Wazuh App is a rich web application (fully integrated as a Kibana app), for mining log analysis alerts and for monitoring and managing your Wazuh infrastructure.

  • Wazuh Ruleset is our repository to centralize decoders, rules, rootchecks and SCAP content. The ruleset is used by the manager to detect attacks, intrusions, software misuse, configuration problems, application errors, malware, rootkits, system anomalies or security policy violations. It also includes the compliance mapping with PCI DSS v3.1 and CIS. Users can contribute to this ruleset by submitting pull requests to our GitHub repository.

  • Wazuh RESTful API is used to monitor and control your Wazuh installation, providing an interface to interact with the manager from anything that can send an HTTP request.

  • Pre-compiled installation packages include repositories for RedHat, CentOS, Fedora, Debian, Ubuntu and Windows.

  • Puppet scripts for automatic Wazuh deployment and configuration.

  • Docker containers to virtualize and run your Wazuh manager and an all-in-one integration with ELK Stack.



  • The stable branch corresponds to the last Wazuh stable version.
  • The master branch contains the latest code; be aware of possible bugs on this branch.


If you want to contribute to our project please don't hesitate to send a pull request. You can also join our users mailing list, by sending an email to wazuh+subscribe@googlegroups.com, to ask questions and participate in discussions.

Software and libraries used

  • Modified version of Zlib and a small part of OpenSSL (SHA1 and Blowfish libraries).
  • OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
  • Cryptographic software written by Eric Young (eay@cryptsoft.com).
  • Software developed by the Zlib project (Jean-loup Gailly and Mark Adler).
  • Software developed by the cJSON project (Dave Gamble).
  • Node.js (Ryan Dahl).
  • NPM packages Body Parser, Express, HTTP-Auth and Moment.

Credits and Thank you

License and copyright

WAZUH Copyright (C) 2016-2018 Wazuh Inc. (License GPLv2)

Based on OSSEC Copyright (C) 2015 Trend Micro Inc.