Wazuh is an open-source Host-based Intrusion Detection System (HIDS) that monitors your server for security threats, file integrity changes, rootkits, and compliance violations. This guide covers installing and configuring Wazuh on your VPS for comprehensive security monitoring.
What Wazuh Detects
- File integrity changes (modified system files, unauthorized changes)
- Rootkit detection (hidden processes, files, ports)
- Log analysis (failed logins, suspicious patterns)
- Vulnerability detection (CVE scanning)
- Compliance monitoring (PCI-DSS, HIPAA, CIS benchmarks)
- Active response (automatic blocking of threats)
Architecture Options
# Option 1: All-in-one (manager + agent on same server)
# Good for single-server setups, uses more resources
# Option 2: Separate manager server + agents
# Manager: Central server collecting data from all agents
# Agent: Lightweight process on each monitored server
# Recommended for multi-server environments
# Resource requirements:
# Wazuh Manager: 4 vCPU, 8GB RAM, 50GB storage minimum
# Wazuh Agent: Minimal overhead (~50MB RAM, 1% CPU)
Installing Wazuh Agent
# Import the Wazuh GPG key (world-readable so apt can use it) and add the repository
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring \
--keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \
| sudo tee -a /etc/apt/sources.list.d/wazuh.list
# Install the agent; WAZUH_MANAGER is the IP or hostname of your manager (replace the placeholder)
sudo apt update
sudo WAZUH_MANAGER="manager-ip" apt install -y wazuh-agent
# Start the agent
sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-agent
Configuring File Integrity Monitoring
# Edit /var/ossec/etc/ossec.conf
# Key syscheck configuration:
# - Set frequency (seconds between scans)
# - Add directories to monitor: /etc, /usr/bin, /usr/sbin, /var/www
# - Set realtime="yes" for immediate detection
# - Add ignore rules for frequently changing files
Configuring Log Analysis
# Monitor additional log files by adding localfile entries:
# /var/log/nginx/error.log (syslog format)
# /var/log/nginx/access.log (apache format)
# /var/log/mysql/error.log (syslog format)
Active Response Configuration
# Automatically block IPs with too many failed SSH attempts
# Configure active-response with the firewall-drop command in the manager's ossec.conf
# (the manager decides, then tells the agent to run the command)
# Set timeout (e.g., 3600 seconds = 1 hour) so the block is lifted automatically
# Link to rule IDs (e.g., 5712 for multiple auth failures)
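The three configuration sections above (file integrity monitoring, log analysis and active response) expressed as concrete ossec.conf fragments, added here as an example and not taken from the original guide: the syscheck and localfile blocks belong in the agent's /var/ossec/etc/ossec.conf, while the command and active-response blocks belong in the manager's ossec.conf. The scan frequency, the ignore patterns and the monitored paths are assumed values chosen for illustration.

```xml
<ossec_config>
  <!-- Agent side: file integrity monitoring (syscheck) -->
  <syscheck>
    <disabled>no</disabled>
    <!-- full scan every 12 hours; realtime below catches changes in between -->
    <frequency>43200</frequency>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <!-- report_changes keeps a diff of modified web content for the alert -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/var/www</directories>
    <!-- files that legitimately change all the time would otherwise flood alerts -->
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.log$|.swp$|.tmp$</ignore>
  </syscheck>

  <!-- Agent side: extra log sources for the manager's analysis engine -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mysql/error.log</location>
  </localfile>

  <!-- Manager side: the firewall-drop command is predefined in recent default
       manager configs; it is shown here so the fragment is self-explanatory -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <!-- Manager side: run firewall-drop on the agent that produced the alert
       when rule 5712 (SSH brute force) fires; unblock after 3600 seconds -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>3600</timeout>
  </active-response>
</ossec_config>
```

Restart the agent (sudo systemctl restart wazuh-agent) and the manager (sudo systemctl restart wazuh-manager) after editing, and confirm the changes were parsed cleanly by checking /var/ossec/logs/ossec.log for configuration errors.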
Checking Agent Status
# Verify agent is connected
sudo /var/ossec/bin/wazuh-control status
# View agent logs
sudo tail -f /var/ossec/logs/ossec.log
# Check file integrity results
# syscheck_control is a manager-side tool (it is not installed with the agent) and is absent
# from some recent Wazuh releases, where the same data is served by the manager's API;
# on the agent itself, FIM activity is visible in /var/ossec/logs/ossec.log
sudo /var/ossec/bin/syscheck_control -l
Wazuh vs Other HIDS Solutions
| Feature | Wazuh | OSSEC | Tripwire |
|---|---|---|---|
| Open Source | Yes | Yes | Community only |
| File Integrity | Yes | Yes | Yes |
| Log Analysis | Yes | Yes | Limited |
| Vulnerability Scan | Yes | No | No |
| Active Response | Yes | Yes | No |