[Dashboard screenshots: Wazuh - File Integrity Monitoring; Wazuh - Malware Detection; Wazuh - Security Operations; Wazuh - Vulnerability Detection]
Overview
Wazuh provides a comprehensive security solution that detects, analyzes, and responds to threats across multiple IT infrastructure layers. Wazuh collects telemetry from endpoints, network devices, cloud workloads, third-party APIs, and other sources for unified security monitoring and protection.
This integration parses the following types of logs:
- vulnerability-detector: Vulnerability events generated by Wazuh.
- malware-detector: Rootcheck events generated by Wazuh when it detects malware on the system.
- file-integrity-monitoring: Events related to file changes, such as permission, content, ownership and attribute changes.
- docker: Activity events of Docker containers.
- github: Events from the audit logs of GitHub organizations.
- google-cloud: Security events related to Google Cloud Platform services.
- amazon: Security events from Amazon AWS services.
- office365: Security events related to Office 365.
- system: Events from services such as FTPD, PAM, SSHD, syslog, Windows, dpkg, yum, sudo, su, wazuh and ossec, along with internal events.
Visualize detailed insights into these logs through the out-of-the-box dashboards.
Setup
Installation
To install the Wazuh integration, run the following Agent installation command and the steps below. For more information, see the Integration Management documentation.
Note: This step is not necessary for Agent version >= 7.58.0.
Linux command
sudo -u dd-agent -- datadog-agent integration install datadog-wazuh==1.0.0
Configuration
Logs collection
Collecting logs is disabled by default in the Datadog Agent. Enable it in datadog.yaml:
Add this configuration block to your wazuh.d/conf.yaml file to start collecting your logs.
Use UDP to collect the Wazuh alert data.
See the sample wazuh.d/conf.yaml for available configuration options.
logs:
  - type: udp
    port: <PORT>
    source: wazuh
    service: wazuh
Note: It is recommended not to change the service and source values, as these parameters are integral to the pipeline’s operation.
Restart the Agent.
Log in to the Wazuh UI. Navigate to the left side Menu.
Go to Server management > Settings.
Click on Edit configuration.
Add the following configuration block:
In this example, all alerts are sent to 1.1.1.1 on port 8080 in JSON format.
<syslog_output>
  <server>1.1.1.1</server>
  <port>8080</port>
  <format>json</format>
</syslog_output>
Note: Using the JSON format is required, since the Wazuh pipeline parses only JSON-formatted logs.
Click the Save button.
After saving, click on the Restart Manager button.
Validation
Run the Agent's status subcommand and look for wazuh under the Checks section.
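To check the UDP path end to end before looking at the dashboards, here is an added Python helper that is not part of the integration or of Wazuh: listen_once stands in for the Agent on the configured port, parse_alert rejects anything that is not a JSON alert (the plain-text format the pipeline cannot parse), and send_test_alert pushes a constructed sample alert at a running Agent. The sample alert's field values, and the assumption that a syslog header may precede the JSON body, are mine, not Wazuh's documented output.

```python
import json
import socket
from typing import Optional

# Constructed sample alert in the JSON shape Wazuh sends with <format>json</format>;
# every value below is made up for this example.
SAMPLE_ALERT = {
    "timestamp": "2024-01-01T00:00:00.000+0000",
    "rule": {"level": 7, "description": "Integrity checksum changed.",
             "id": "550", "groups": ["ossec", "syscheck"]},
    "agent": {"id": "001", "name": "web-01"},
    "location": "syscheck",
}

def parse_alert(datagram: bytes) -> Optional[dict]:
    """Return the alert as a dict if the datagram carries a JSON alert, else None.
    Assumption: a syslog header may precede the JSON body, so parsing starts at the
    first '{'. Anything that is not a JSON object with a 'rule' field (for example
    Wazuh's default plain-text format) is rejected: the pipeline parses JSON only."""
    text = datagram.decode("utf-8", errors="replace")
    start = text.find("{")
    if start < 0:
        return None
    try:
        alert = json.loads(text[start:])
    except json.JSONDecodeError:
        return None
    if not isinstance(alert, dict) or "rule" not in alert:
        return None
    return alert

def send_test_alert(host: str, port: int, alert: dict = SAMPLE_ALERT) -> int:
    """Send one alert as a single UDP datagram to the Agent's <PORT>; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(json.dumps(alert).encode("utf-8"), (host, port))

def listen_once(port: int, timeout: float = 10.0) -> Optional[dict]:
    """Stand in for the Agent (stop it first so the port is free): bind the UDP port,
    take one datagram and parse it. Click Restart Manager on Wazuh to trigger traffic."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_alert(data)
```

If listen_once returns None for a plain-text datagram, the Wazuh syslog_output block is still on the default format and needs <format>json</format>.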
Data Collected
Log
Format | Event Types
--- | ---
JSON | vulnerability-detector, file-integrity-monitoring, malware-detector, github, docker, amazon, office365, google-cloud, system and other
Metrics
The Wazuh integration does not include any metrics.
Events
The Wazuh integration does not include any events.
Service Checks
The Wazuh integration does not include any service checks.
Troubleshooting
Here is how to troubleshoot some possible issues.
Permission denied while port binding:
If you see a Permission denied error while port binding in the Agent logs:
Binding to a port number under 1024 requires elevated permissions. Grant access to the port using the setcap command:
sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
Verify the setup is correct by running the getcap command:
sudo getcap /opt/datadog-agent/bin/agent/agent
With the expected output:
/opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
Note: Re-run this setcap command every time you upgrade the Agent.
Restart the Agent.
Data is not being collected:
If a firewall is enabled, ensure that traffic to the configured port is allowed through it.
Port already in use:
If you see the Port <PORT_NUMBER> Already in Use error, see the following instructions. The example below is for port 514:
- On systems using Syslog, if the Agent listens for Wazuh logs on port 514, the following error can appear in the Agent logs:
Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use
This error occurs because, by default, Syslog listens on port 514. To resolve this error, take one of the following steps:
- Disable Syslog.
- Configure the Agent to listen on a different, available port.
For further assistance, contact Datadog support.