Wazuh HIDS Integration

Overview

Wazuh is an open-source host-based intrusion detection system with security monitoring and compliance capabilities. KYRA MDR collects Wazuh alerts and events for centralized security monitoring. Supports Wazuh 4.x.

Prerequisites

  • A KYRA MDR Collector installed and running
  • Wazuh Manager installed and configured
  • Wazuh API access (default port 55000)
  • Network connectivity from the Wazuh Manager to the collector

Configuration

Configure Wazuh to forward alerts:

  1. Edit the Wazuh Manager configuration (/var/ossec/etc/ossec.conf) and add a syslog_output block:

       <syslog_output>
         <server><collector-ip></server>
         <port>514</port>
         <format>json</format>
         <level>3</level>
       </syslog_output>

  2. Enable the syslog output and restart the manager:

       /var/ossec/bin/wazuh-control enable client-syslog
       sudo systemctl restart wazuh-manager

For API-based collection:

Add a wazuh source to collector-config.yaml:

    sources:
      - type: wazuh
        api_url: https://<wazuh-manager>:55000
        username: wazuh
        password: <password>
        poll_interval: 60s

Collected Log Types

Log Type        Description                         Security Use
Alerts          Rule-based security alerts          Threat detection
File Integrity  FIM change detection events         File tampering detection
Rootcheck       Rootkit detection events            Host compromise detection
SCA             Security configuration assessment   Hardening compliance
Vulnerability   Vulnerability detection results     Patch management
Syscheck        System integrity monitoring         Change detection
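As an added example (not part of the KYRA MDR documentation or the collector's own code), the following Python script shows what a receiver for the JSON-formatted syslog stream configured above has to do: skip the syslog header, decode the Wazuh alert, apply the same minimum-level filter as the <level> setting, and sort each alert into one of the log types in the table using its rule groups. The header layout, the rule-group-to-log-type mapping and the rule ids are assumptions, and the sample lines are constructed.

```python
import json
MIN_LEVEL = 3  # mirrors <level>3</level> in the ossec.conf snippet above

# Assumed mapping from Wazuh rule groups to the log types in the table; anything else is "Alerts"
GROUP_TO_TYPE = {
    "syscheck": "File Integrity",
    "rootcheck": "Rootcheck",
    "sca": "SCA",
    "vulnerability-detector": "Vulnerability",
}

# Constructed sample input: a syslog header followed by the Wazuh JSON alert body
SAMPLE_LINES = [
    '<12>Jan  5 10:00:01 wazuh-manager wazuh: {"timestamp":"2024-01-05T10:00:01.000+0000",'
    '"rule":{"level":2,"id":"100001","description":"Constructed low-level event","groups":["local"]},'
    '"agent":{"id":"001","name":"web01"}}',
    '<12>Jan  5 10:00:02 wazuh-manager wazuh: {"timestamp":"2024-01-05T10:00:02.000+0000",'
    '"rule":{"level":7,"id":"550","description":"Integrity checksum changed.","groups":["ossec","syscheck"]},'
    '"agent":{"id":"001","name":"web01"},"syscheck":{"path":"/etc/passwd","event":"modified"}}',
    '<12>Jan  5 10:00:03 wazuh-manager wazuh: {"timestamp":"2024-01-05T10:00:03.000+0000",'
    '"rule":{"level":10,"id":"100002","description":"Constructed CVE finding","groups":["vulnerability-detector"]},'
    '"agent":{"id":"002","name":"db01"}}',
]


def parse_syslog_alert(line):
    """Decode the JSON alert carried in a syslog line; None if it is not a Wazuh alert."""
    try:
        alert = json.loads(line[line.index("{"):])  # skip the syslog header, keep the JSON
    except ValueError:  # no "{" in the line, or the payload is not valid JSON
        return None
    rule = alert.get("rule") if isinstance(alert, dict) else None
    if not isinstance(rule, dict) or not isinstance(rule.get("level"), int):
        return None  # valid JSON, but not shaped like a Wazuh alert
    return alert


def classify(alert):
    """Map the alert's rule groups to a collector log type (default: Alerts)."""
    groups = alert["rule"].get("groups", [])
    return next((GROUP_TO_TYPE[g] for g in groups if g in GROUP_TO_TYPE), "Alerts")


def triage(lines, min_level=MIN_LEVEL):
    """Keep alerts at or above min_level; return (log_type, rule_id, agent_name) tuples."""
    kept = []
    for line in lines:
        alert = parse_syslog_alert(line)
        if alert is None or alert["rule"]["level"] < min_level:
            continue  # below the configured level, or not an alert at all
        kept.append((classify(alert), alert["rule"]["id"], alert.get("agent", {}).get("name")))
    return kept
```

Running triage(SAMPLE_LINES) drops the level-2 event and returns the FIM and vulnerability alerts, which matches what a level-3 syslog_output would forward.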

Troubleshooting

No syslog output: Verify syslog output is enabled with /var/ossec/bin/wazuh-control info.

Missing alerts: The level setting is the minimum alert level that is forwarded; alerts below it are not sent. Level 3 is recommended.

API authentication: The collector handles JWT token refresh automatically.

Contact kyra@seekerslab.com for support.