I run an in-house deployment using the Docker conf they supply. It requires a couple of hours per month and mainly a lot of disparate skills.
The real thing that takes time is the installation and configuration of the rules and agents. That’s something that you have to do for any SIEM really, irrespective of open source / paid: you have to understand your nominal feed and that takes time.
Sadly OSSEC is largely abandoned. Back in the day it was very good for a lightweight and effective security system for those that didn't want to install full-blown antivirus on everything. I wish they would donate the project to the Linux Foundation or CNCF, but it seems destined for decline.
It would be great to be able to use VictoriaLogs underneath instead of Elasticsearch. This would simplify the configuration and maintenance, since VictoriaLogs works optimally with default configs on any hardware. This will also help reduce hardware costs for large amounts of stored security logs, since VictoriaLogs usually needs up to 30x less RAM and up to 15x less disk space than Elasticsearch for the same amounts of logs. See https://itnext.io/how-do-open-source-solutions-for-logs-work... for details.
Kicked the tires on it, but the agent requirement was a no-go for me. Coming from Enterprise Infrastructure, mandating Yet Another Agent is already knocking your product down several grades versus those leveraging OpenTelemetry or standardized collectors and forwarders.
An agentless Nessus scan (man, I miss Nessus) gets you 90% of the way there for all but the most security-conscious organizations, and its agent is honestly kind of light and simple if I have to install it.
Wazuh does much more than Nessus, for instance you can instruct the agent to temporarily drop networking if you identify a compromised machine. Agentless scans will do nothing of the like.
I appreciate the different feature sets, but there's almost always another endpoint agent you can build that behavior onto/through in the modern enterprise. Posture control isn't exactly a unique feature, and my original opinion still stands: between CrowdStrike, Tanium, SentinelOne, Defender, AirWatch, New Relic, and OpenTelemetry, I've seen a web of similar-ish feature sets with agents alone consuming upwards of 10% of the machine's CPU power just in the background.
What's worse, Wazuh doesn't even fully replace any of those above agents, meaning it has to be yet another complementary agent on the machine. No thanks, when New Relic + OpenTelemetry can feed me all of the machine's logs and monitoring statistics, while a competent ITAM/ITSM can alert on out-of-bounds posture and trigger network or Identity systems to shut down access. Hell, I'm old enough to remember when basic log forwarding and SNMP traps were all that was needed to effectively monitor machines, before developers and vendors began locking stuff up behind new APIs or services they could monetize better.
Don't get me wrong, I want Wazuh to succeed because nobody should have to shell out thousands of dollars a month for basic security posturing and monitoring; right now though, Wazuh ain't it.
I have first-hand experience with this product for over 2 years. It is a PITA from an SRE/DevOps security point of view. Things constantly break: the indexes, emailing reports, just general bit rot. The source code is at best a good first attempt, but sorely lacking.
What was it specifically that made it a "maint burden of the first order?"
I have built from the ground up 2 SIEMs.
What SIEM did you move to that was less of a burden?
I appreciate you.
Source? The value a SIEM provides these days is mostly the out-of-the-box integrations and log parsers. Wazuh is far from that, IME.
The maintenance is huge, you need to hunt for rulesets, the EDR is half baked, etc.