---
title: Wazuh
description: Gain insights into the Wazuh alerts.
breadcrumbs: Docs > Integrations > Wazuh
---

# Wazuh
**Integration version:** 1.3.0

Dashboards included: Wazuh - Cloud Security, Wazuh - File Integrity Monitoring, Wazuh - Malware Detection, Wazuh - MITRE ATT&CK, Wazuh - Overview, Wazuh - Security Operations, Wazuh - System, Wazuh - Vulnerability Detection.

## Overview{% #overview %}

[Wazuh](https://wazuh.com/) provides a comprehensive security solution that detects, analyzes, and responds to threats across multiple IT infrastructure layers. Wazuh collects telemetry from endpoints, network devices, cloud workloads, third-party APIs, and other sources for unified security monitoring and protection.

This integration parses the following types of logs:

- **vulnerability-detector** : Vulnerability events generated by Wazuh.
- **malware-detector** : Rootcheck events generated by Wazuh when it detects malware on a system.
- **file-integrity-monitoring** : Events related to file changes, such as permission, content, ownership, and attribute changes.
- **docker** : Activity events from Docker containers.
- **github** : Events from GitHub organization audit logs.
- **google-cloud** : Security events related to Google Cloud Platform services.
- **amazon** : Security events from Amazon AWS services.
- **office365** : Security events related to Office 365.
- **system** : Events from services such as FTPD, PAM, SSHD, syslog, Windows, dpkg, yum, sudo, su, wazuh, and ossec, along with internal events.

Visualize detailed insights into these logs through the out-of-the-box dashboards.

**Minimum Agent version:** 7.61.0

## Setup{% #setup %}

### Installation{% #installation %}

To install the Wazuh integration, run the following Agent installation command and the steps below. For more information, see the [Integration Management](https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install) documentation.

**Note**: This step is not necessary for Agent version >= 7.58.0.

Linux command

```shell
sudo -u dd-agent -- datadog-agent integration install datadog-wazuh==1.0.0
```

### Configuration{% #configuration %}

#### Logs collection{% #logs-collection %}

1. Collecting logs is disabled by default in the Datadog Agent. Enable it in `datadog.yaml`:

   ```yaml
   logs_enabled: true
   ```

1. Add this configuration block to your `wazuh.d/conf.yaml` file to start collecting your logs.

   Use the UDP method to collect the Wazuh alerts data. See the sample [wazuh.d/conf.yaml](https://github.com/DataDog/integrations-core/blob/master/wazuh/datadog_checks/wazuh/data/conf.yaml.example) for available configuration options.

   ```yaml
   logs:
     - type: udp
       port: <PORT>
       source: wazuh
       service: wazuh
   ```

**Note**: It is recommended not to change the service and source values, as these parameters are integral to the pipeline's operation.

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent).

#### Configure syslog message forwarding from Wazuh{% #configure-syslog-message-forwarding-from-wazuh %}

1. Log in to the Wazuh UI. Navigate to the left side Menu.

1. Go to **Server management** > **Settings**.

1. Click on **Edit configuration**.

1. Add the following configuration block:

   In this example, all alerts are sent to 1.1.1.1 on port 8080 in JSON format.

   ```xml
   <syslog_output>
     <server>1.1.1.1</server>
     <port>8080</port>
     <format>json</format>
   </syslog_output>
   ```

   - The `server` tag should contain the IP address where your Datadog Agent is running.
   - The `port` tag should contain the port where your Datadog Agent is listening.

   **Note**: JSON format is required, because the Wazuh pipeline parses only JSON-formatted logs.

1. Click the **Save** button.

1. After saving, click on the **Restart Manager** button.
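The two configuration blocks above describe one UDP path: Wazuh's `<syslog_output>` sends each alert as a JSON datagram, and the Agent's `type: udp` input receives it on `<PORT>`. The following script is an added example, not code from this integration or from Wazuh: it plays the receiving side, so you can confirm that alerts actually arrive as JSON before pointing the forwarder at the Agent, and it shows what a non-JSON datagram (a forwarder left in plain-text format) looks like to the pipeline. The sample datagrams are constructed; the alert field layout (`timestamp`, `rule.level`, `rule.id`, `rule.description`, `rule.groups`, `agent.name`, `location`) is assumed from the Wazuh alert JSON format and is not taken from this page.

```python
import json
import socket
from typing import Any, Dict, List, Optional

# Constructed sample datagram, shaped like a Wazuh alert emitted by <syslog_output>
# with <format>json</format>. The field layout is an assumption about the Wazuh
# alert JSON format, not something this page documents.
SAMPLE_JSON_ALERT = (
    b'{"timestamp":"2024-01-01T12:00:00.000+0000",'
    b'"rule":{"level":7,"description":"Integrity checksum changed.",'
    b'"id":"550","groups":["ossec","syscheck"]},'
    b'"agent":{"id":"001","name":"web-01"},'
    b'"syscheck":{"path":"/etc/passwd","event":"modified"},'
    b'"location":"syscheck"}'
)

# Constructed sample of a plain-text datagram: the pipeline cannot parse this,
# so the receiver must flag it instead of silently dropping it.
SAMPLE_PLAIN_ALERT = b"Jan  1 12:00:00 wazuh-manager ossec: Alert Level: 7; Rule: 550"


def parse_alert(datagram: bytes) -> Dict[str, Any]:
    """Decode one UDP datagram as a JSON alert and keep the fields a triage view needs.

    Raises ValueError when the payload is not JSON (the usual symptom of a forwarder
    that was not switched to <format>json</format>) or has no rule object.
    """
    try:
        alert = json.loads(datagram.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("datagram is not a JSON alert; check <format>json</format>") from exc
    if not isinstance(alert, dict) or not isinstance(alert.get("rule"), dict):
        raise ValueError("JSON payload has no 'rule' object")
    rule = alert["rule"]
    return {
        "timestamp": alert.get("timestamp"),
        "level": int(rule.get("level", 0)),
        "rule_id": rule.get("id"),
        "description": rule.get("description"),
        "groups": list(rule.get("groups", [])),
        "agent": (alert.get("agent") or {}).get("name"),
        "location": alert.get("location"),
    }


def is_json_alert(datagram: bytes) -> bool:
    """True if the datagram would survive the JSON-only pipeline, False otherwise."""
    try:
        parse_alert(datagram)
        return True
    except ValueError:
        return False


def serve(port: int, host: str = "0.0.0.0",
          max_alerts: Optional[int] = None) -> List[Dict[str, Any]]:
    """Listen on UDP like the Agent's `type: udp` input and parse what Wazuh sends.

    Malformed datagrams are reported and skipped so the listener keeps running.
    Returns the parsed alerts once max_alerts have been accepted (None = run forever).
    """
    parsed: List[Dict[str, Any]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while max_alerts is None or len(parsed) < max_alerts:
            datagram, (peer, _) = sock.recvfrom(65535)
            try:
                alert = parse_alert(datagram)
            except ValueError as exc:
                print(f"rejected datagram from {peer}: {exc}")
                continue
            parsed.append(alert)
            print(f"{alert['timestamp']} level={alert['level']} rule={alert['rule_id']} "
                  f"agent={alert['agent']} {alert['description']}")
    return parsed


if __name__ == "__main__":
    # Offline demonstration: the JSON sample parses, the plain-text sample is rejected.
    print(parse_alert(SAMPLE_JSON_ALERT))
    print("plain-text sample accepted:", is_json_alert(SAMPLE_PLAIN_ALERT))
    # To exercise the network path, run serve(8080) on the Agent host and point
    # <syslog_output> at it; stop the script before starting the Agent on that port.
```

Run it on the Agent host before enabling the Agent's UDP input: if `serve()` prints `rejected datagram` lines, the forwarder is not sending JSON and the `<format>` setting needs fixing; if it prints parsed alerts, the network path and the format are both correct.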

### Validation{% #validation %}

[Run the Agent's status subcommand](https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information) and look for `wazuh` under the Checks section.

## Data Collected{% #data-collected %}

### Log{% #log %}

| Format | Event Types                                                                                                                            |
| ------ | -------------------------------------------------------------------------------------------------------------------------------------- |
| JSON   | vulnerability-detector, file-integrity-monitoring, malware-detector, github, docker, amazon, office365, google-cloud, system and other |

### Metrics{% #metrics %}

The Wazuh integration does not include any metrics.

### Events{% #events %}

The Wazuh integration does not include any events.

### Service Checks{% #service-checks %}

The Wazuh integration does not include any service checks.

## Troubleshooting{% #troubleshooting %}

**Permission denied while port binding:**

If you see a **Permission denied** error while port binding in the Agent logs:

1. Binding to a port number under 1024 requires elevated permissions. Grant access to the port using the `setcap` command:

   ```shell
   sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
   ```

1. Verify the setup is correct by running the `getcap` command:

   ```shell
   sudo getcap /opt/datadog-agent/bin/agent/agent
   ```

   With the expected output:

   ```shell
   /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
   ```

   **Note**: Re-run this `setcap` command every time you upgrade the Agent.

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent).

Here is how to troubleshoot some possible issues.

**Data is not being collected:**

If a firewall is enabled, ensure that UDP traffic to the configured port is allowed through to the Agent host.

**Port already in use:**

If you see the **Port <PORT\_NUMBER> Already in Use** error, see the following instructions. The example below is for port 514:

- On systems using Syslog, if the Agent listens for Wazuh logs on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`. This error occurs because by default, Syslog listens on port 514. To resolve this error, take **one** of the following steps:
  - Disable Syslog.
  - Configure the Agent to listen on a different, available port.
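The two bind failures described in this section, **Permission denied** on a port below 1024 and **address already in use** when syslog already owns port 514, are distinguishable from the errno the bind call returns. The script below is an added example, not part of this integration: it attempts the same UDP bind the Agent's `type: udp` input performs and maps the outcome to the remediation steps on this page. The port-number threshold and the hint text are taken from this page; `reserve_udp_port` is a helper added here to simulate a competing listener. Note that a probe run as root will succeed on a privileged port even though the `dd-agent` user still lacks the capability, which is why the output calls that case out.

```python
import errno
import socket
from typing import Tuple

# Ports below this need CAP_NET_BIND_SERVICE (or root) on Linux, per the setcap step above.
PRIVILEGED_PORT_LIMIT = 1024

# Remediation hints keyed by probe result, following the troubleshooting steps on this page.
HINTS = {
    "free": "port is bindable; the Agent should be able to start its UDP listener here",
    "permission-denied": ("privileged port without the capability: run the setcap step on "
                          "the Agent binary, or choose a port of 1024 or higher"),
    "in-use": ("another process already owns the port (on 514 this is usually syslog): "
               "disable that listener or move the Agent to a free port"),
}


def probe_udp_port(port: int, host: str = "0.0.0.0") -> str:
    """Bind a UDP socket the way the Agent's `type: udp` input does and classify the outcome.

    Returns 'free', 'permission-denied', 'in-use', or 'error:<errno>' for anything else.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return "free"
    except PermissionError:  # EACCES: privileged port, no CAP_NET_BIND_SERVICE
        return "permission-denied"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"
        return f"error:{exc.errno}"
    finally:
        sock.close()


def diagnose(port: int, host: str = "0.0.0.0") -> Tuple[str, str]:
    """Return (result, hint) for the port, flagging the root-succeeds-but-dd-agent-won't case."""
    result = probe_udp_port(port, host)
    hint = HINTS.get(result, "unexpected bind error; check the Agent logs for details")
    if result == "free" and port < PRIVILEGED_PORT_LIMIT:
        hint += (" (bindable by the user running this probe; the dd-agent user still needs "
                 "the setcap step unless it already holds CAP_NET_BIND_SERVICE)")
    return result, hint


def reserve_udp_port(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind an ephemeral UDP port and keep it open, simulating a competing listener such as syslog."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Default to 514, the port the page's example error message refers to.
    target = int(sys.argv[1]) if len(sys.argv) > 1 else 514
    result, hint = diagnose(target)
    print(f"udp/{target}: {result} - {hint}")
```

Run it as the same user the Agent runs under (`sudo -u dd-agent python3 probe.py <PORT>`, where `probe.py` is whatever you saved this as) so that the permission check reflects the Agent's actual privileges rather than yours.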

For further assistance, contact [Datadog support](https://docs.datadoghq.com/help/).
