Wazuh Reviews

We are using Wazuh for security information and event management, PCI DSS compliance, auditing, real-time sensitive monitoring, and meeting regulatory requirements.

There were certain tasks we couldn't carry out before. However, with Wazuh, we found a solution within a single platform. It only required a one-time effort to set up and configure the version. After that, it's just about monitoring the alerts and making revisions. No additional efforts are needed.

The most valuable features include file integrity monitoring, Wazuh engines, Wazuh rulesets (including rulesets for Apache and firewall routers), and vulnerability detection.

There is room for improvement in Wazuh, but it's possible they are already working on it. The only challenge we faced with Wazuh was the lack of direct support. They charge for support, whether it's five days a week or seven days a week. We don't expect it to be free because revenue is generated through the support they provide. 

In future releases, I would like to see a feature. There is one feature we observed in a premium tool in the industry called Dynatrace. It provides automatic relations between different devices and components. For instance, if you receive a web login request, Dynatrace can trace and show you the path it takes from the firewall to the switch, then to the Apache server, the actual job application, and finally back to the client. It intelligently correlates all the components involved in a single event. 

If Wazuh could include this feature, where all the components are integrated, it would automatically relate them for any activity in your environment.

We have been working with Wazuh for the last year. We currently use the latest version.

Sometimes, it has disturbances, but at the end of the day, it's not Wazuh but, actually, the configurations that engineers do sometimes do not have compatibility. So at that time, we face issues, but as of now, Wazuh has not disappointed us in any way.

It is scalable. We can add a new machine or server, install the components, and inform the other components about its IP address. We add it to the cluster, and a restart of the cluster is all that's needed to integrate the new component.

While there are many people involved, only three or four security engineers manage and oversee the events collected and provided by Wazuh.

We used Splunk primarily for log management purposes. There were no extra security modules or playbooks involved. We indexed the logs, built dashboards, generated reports, and set up alerts. That was the extent of our usage, without any additional security features.

The initial setup was not complex. We had prior experience with Elastic and Elk, so the deployment of Wazuh was quite familiar to us. It wasn't a major challenge.

However, we do need maintenance as we need to upgrade the version periodically. During maintenance, we have to switch off all the endpoints, turn off all the components, and then power off one by one to upgrade them to the latest version. This is done during a maintenance window.

One or two engineers are usually enough to handle the maintenance tasks.

In terms of the deployment plan, if we exclude the endpoints (monitored servers), we have multiple nodes for each component: indexer, manager, and dashboard. We also implemented an NGINX-based load balancer, following the documentation provided by Wazuh on configuring NGINX as a load balancer. This helps in load disturbance and redundancy, so we don't have a single point of failure when any server goes down.

The deployment process took approximately one to two weeks to fully test and deploy the system. We had to spend time on research and development to properly configure everything. The resources mainly involved Linux servers. There were not many additional resources involved beyond that.

We evaluated LogRhythm, which is an excellent intelligence-based tool. However, it comes with a high cost for the intelligence features. Wazuh lacks AI or machine learning capabilities, but otherwise, it has all the necessary capabilities for a similar solution.

I would advise you to carefully follow the documentation. It is straightforward and to the point. If any issues arise, the Wazuh Slack community is highly active and responsive. They can provide assistance within 24 hours or even less, helping with any deployment or management challenges.

Wazuh offers numerous features, such as the ability to define custom rules for detecting malicious activities and remembering behaviors. Unlike some paid tools, Wazuh is extensive and extendible and allows integration with open-source tools and scripts. It is flexible, reliable, and open-source, which is its biggest advantage. 

Overall, it is a good solution. I would rate the solution a nine out of ten. Considering that Wazuh is open source and free of cost while providing all the necessary features, I would rate it nine or ten. I lean towards ten because it offers a comprehensive solution without any financial burden. However, compared to industry leaders like LogRhythm and Splunk, which have machine learning modules, Wazuh lacks in that aspect. So, overall, I would rate it nine, but because of its cost-effectiveness, it deserves a ten.

Wazuh is very good. It offers the ability to measure and benchmark your environment to one of the standards. We installed it on the customer's premises and benchmarked it against CIS controls. We are not in a big environment, and we haven't tested Wazuh for long.

The main thing I like about it is that it has an EDR. Other than that, I like that it allows us to benchmark against the standard. It even suggests ways to improve things. Wazuh helps us to research how we can meet the benchmark.

What I also like about Wazuh is that you can deploy the agents in Linux and Unix environments, such as HP, IBM, and Oracle servers. Those servers use UX and AIX environments. The solution has Solaris agents, too. It has agents for all platforms.

I have yet to find the same capability in Wazuh to get logs from different sources into the system. I haven't been able to explore that.

There are many functions I want to add. For example, I want to get feeds from different places through threat intelligence. If the feature is there, it needs to be matured. Threat intelligence is key to the use case I've deployed the solution for. It would be good if Wazuh correlated it with the internal and external feeds. Integrating Wazuh with other platforms is a key aspect.

I recently started using Wazuh. It's been about two months.

I rate Wazuh's stability a seven out of ten. It's stable. It's been working so far, and I have no reason to complain.

We have 20 endpoints on Wazuh and two or three administrators for now managing the solution.

I used an old SIEM before Wazuh. Wazuh is more stable. I preferred Wazuh because it's open source. The old SIEM is closing in on the product, though.

The initial setup is really simple. It took three hours to deploy Wazuh.

I implemented Wazuh myself since I'm an experienced administrator.

We use the free version of Wazuh. We will eventually move on to the commercial version.

I did some research, but I didn't test. The research was based on user opinions. I saw that most people have tested Wazuh. You can easily get resources online to help you to use the product. Wazuh is getting more popular. If you have a problem, you are not on your own.

Another solution we evaluated was Security Onion, but it was based on a platform that may be at the end of its life, which is Linux Red Hat. Linux Red Hat seems to be on shaky ground, and we don't know where it's headed. We wanted something that provides a roadmap that is not ending soon.

We're still in a test phase with Wazuh. I'm testing integration with the tools that other tools that we are using in a clustered environment. We can adapt the solution on the way forward.

I rate Wazuh a seven out of ten.

We use it to find any aberration in our endpoint devices. For example, if someone installs a game on their company laptop, Wazuh will detect it and inform us of the unauthorized software or unintended use of the devices provided by the company. 

So it can detect more than just games. You can customize it to detect specific software. We have a whitelist of approved software, and Wazuh compares it with the software installed on the device. If there are any mismatches, it reports it to us. So, for instance, we can whitelist Facebook, Blackboard, and YouTube.

Since it's an open-source tool, scalability is the main issue. We haven't paid for it, so if we want to scale it, we would need to purchase the enterprise version, which can be quite expensive. So scalability and limited support are the main limitations of the free version.

We started in December, so it has been six months now. We are using the open-source version of Wazuh.

Eight of us in the security team are using Wazuh.

We are not allowed to contact the support team on a one-on-one basis in the free version. However, we can post our queries in the community forum, where other users share their experiences and provide assistance.

The initial setup was pretty straightforward. They provide documentation that guides us through the process.

We are using the cloud version. We have deployed it on GCP (Google Cloud Platform).

So if budget is not an issue, you should consider other options. And if you want to save costs, the open-source or Wazuh enterprise would be suitable.

Wazuh is a good tool, but the open-source version has scalability limitations.

If you have the budget, I would suggest looking into other options. However, if you want to secure your endpoints without significant investment, Wazuh is a good tool. Just keep in mind that it may not scale well beyond a few thousand devices.

I would rate the open-source version as five out of ten.

I use this product as an integrity marketing solution in the financial sector. We are users of Wazuh and I'm head of information security. 

The product is good for security-related features like monitoring, active response, and for vulnerabilities. I'm currently using the whole feature setup for Azure, from A to Z, everything. Wazuh enables me to monitor my whole infrastructure. I have Windows Linux and the firewalls are also integrated with Wazuh. 

The rules are very difficult because there are some limitations such as the inability to correlate two events. It should be easy to edit or change, but it can't be done. They are technical issues and I'm assuming they will be fixed over time.  

I've been using this solution for four years. 

The solution is stable. 

The solution is highly scalable but from a deployment perspective, it's quite difficult. We have five internal users and around 200 agents using the solution. 

I haven't used the customer support because I'm using the open source version. 

The initial setup can be complex. It's not a smooth process and I need an expert system engineer to deploy it in a clustered environment. 

There's no licensing fee because we're using the open-source version. 

I like this product and the fact that we're getting everything for free. However, it's a complex solution to deploy and manage and that's a pain point for us so I deduct two points and rate it eight out of 10. 

I use Wazuh as an open-source solution for SIEM and file integrity monitoring. I have conducted a few POCs in the bank sectors, as well as demos specifically regarding SIEM. 

In Pakistan, we have a state bank that controls the regularities. The banking sector wants to save money and is only interested in compliance. Our company helps them with this. Wazuh is used for file integrity monitoring on Unix, Linux, and Windows systems.

Wazuh is available on the cloud, however,  it depends on the customer. I work with the financial sector, which does not want its data to be on a public or private cloud.

I find the PCI DSS feature the most valuable, along with the feature that monitors the compliance of Windows and the CIS benchmarks on other devices like Unix or Linux systems. 

There are three other features I find valuable. First, Wazuh helped me harden the appliances. Second, Wazuh gives me the opportunity to check the hardness through the CIS benchmarks and the other controls, such as Windows auditing policies. On the other hand, I have found it to be more useful for the PCI DSS compliance as it gives a very clear view regarding the benchmark of the PCI DSS. Last, Wazuh is most famous for the SIEM. The solution gives integrity monitoring for the specific file and updates on the real-time monitoring if the hashes change.

Wazuh has a drawback with regard to Unix systems. The solution does not allow us to do real-time monitoring for Unix systems. If usage increases, it would be a heavy fall on the other SIEM solutions or event monitoring solutions. 

We found a workaround by reducing the frequency, so it would give us some sort of real-time monitoring.

I have been using Wazuh for four months. 

Wazuh is stable, however, at the start, I did face many difficulties managing the solution. We have a private lab in our office and the server is turned down each day. At the start of the next day, I would face an issue with our Elasticsearch not completely being loaded and the Kibana not loaded.

The solution is quite scalable. 

The initial setup of Wazuh is straightforward. I was able to implement this by following the documentation. I downloaded the CentOS OS appliance, which takes a few minutes, and then another ten to twenty minutes to upload and give it the IP address and network. It takes only one integrator like me to deploy everything.

Implementation of Wazuh depends on the organization, specifically, if the organization is on Azure Active Directory, or if it's just a normal Active Directory. 

When I implement the solution, I will never go on the agent-based implementation, I will do centralized implementation which is provided by Wazuh. Using the create agent part, I have a power shell script for Windows or a different script for either Linux or Unix. 

I give the script to the administrator and request them to push it directly on the systems, so within a few seconds I can see on the Wazuh dashboards that the agents are active. This allows me to manage them through centralized groups. It would not be recommended to push every script and change every file on the final device.

Wazuh is open-source, therefore it is free. You can purchase support for $1,000 a year.

My advice to someone considering Wazuh would depend on if they are using the open-source solution or not. If they are using open-source, I recommend that they purchase the support from Wazuh. Be prepared to be patient and wait for the services to be completely up. Once it is up, you are free to use it.

I would rate this solution an eight out of ten.

The solution can be used for monitoring changes on the endpoint of machines. It focuses mostly on endpoints and the dangers that may come through. 

They are very good for endpoint security monitoring. 

Windows machine monitoring is good. It's very easy to track threats. 

It's very capable of finding even low-level threats on endpoint machines.

If they support a solution, it is easy to do an integration.

The solution is stable and reliable.

It can scale.

There is lots of good documentation.

The setup is easy.

I don't have any notes for new features. 

When it comes to interfacing with some other applications, it could be better. It could have better integration capabilities. They need to go towards integrating with more cloud applications and not just OS like Windows and Linux. 

I've been using the solution for seven years. 

The solution is stable and reliable. There were no bugs or glitches when I used it. I haven't used it for a while. However, I never had trouble, and we had very minimal issues. 

The solution is very scalable. It can extend well. That said, it is not a solution for banks. There could be some limitations in different sectors. 

We primarily use the solution ourselves within our own teams. 

I've never contacted technical support. Most of the documentation is helpful, and that helps me avoid reaching out. 

I stopped using Wazuh for a while. I'm not a regular user, and I am changing companies. I may be using a new product.

The solution is pretty straightforward. All solutions of this nature have a very similar setup. The length of time depends on the number of endpoint machines. 

I can often do the setup by myself. However, I sometimes ask the network engineers for support. That said, doing the installation itself only really takes one person. 

I can do the initial setup by myself. 

It's a good solution for SMEs. It may not be ideal for enterprise-level companies. 

I'd rate the solution eight out of ten. 

We're using it in our company as well as our customer's companies. 

It is usually used for SIM and log collection and licenses.

The vulnerability assessment and scoring of Wazuh is the most important feature that we have found. 

It also integrates well with Windows and different types of operating systems as well, so we found it very easy to deploy.

It is stable. 

The deployment is easy, and they provide very good documentation.

It can scale well.

Technical support is quite helpful.

We would like to see more improvements on the cloud. They need better cloud integration. We already have it on the latest version. However, we have yet to upgrade it. We'd like to see more overall integration support. That includes integration with cloud providers and more API-based integration, which would be helpful for lots of other integrations as well.

The active response needs to be better. I hope they create something on the front end. We have to do a lot of backend coding in Wazuh for active response. That's the major thing that we would like to see to improve it.

We've been using the solution for around one year.

The product is very stable. We have had it deployed for more than six months and we deployed that product on our premises and also on the customer's end. We haven't found any performance issues so far.

As far as I can see, it is scalable. 

We've deployed it in a Kubernetes cluster, and Wazuh works in a clustered environment. It is a cluster-aware product. We can scale it as much as we want to in the future.

Right now, our SOC Analyst team, which is around 11 to 15 people, as well as a few customers, are using the solution currently. 

Technical support is very extensive. We had a long conversation regarding some role-based access control with their team, and they were really helpful, and the support was really good, even though we were using the open-source version of that product.

We did previously use Alien Vault. There are some licensing obligations, so it's a bit difficult to maintain. We also preferred using an open-source option.

It is very easy to deploy and works well with different types of operating systems. 

They provide very good documentation, and they also have got it in containers, so it was very easy to set up.

The overall agent installation and the server installation took maybe half an hour.

We're using the open-source version, and their licensing is fairly straightforward. We do not have to worry about any other monitoring matters since we are using the pre-version.

We're customers. We're using multi-tenant and have companies that are mostly SMEs. We also have a few enterprises as well. 

My advice to new users is that you should do extensive research and need a system team in your company to deploy, configure, and set up everything. Other than that, it's a highly recommended product from our side, and we wish that this product had intel support. I hope that it improves in the future as well.

According to the use case scenario we have, I would rate it an eight out of ten.

My company uses Wazuh in our lab environment, where we have 100 endpoints.

The tool does not provide CTI to monitor darknet. In the future, I want the tool to provide CTI to monitor the darknet so that by creating a single query, I can monitor the darknet.

I have been using Wazuh for a year. I am an end user of the solution.

Stability-wise, I rate the solution a five or six out of ten.

My company has a problem with the stability of the product because we don't have a high-availability architecture. The fact that my company does not have a high availability architecture might be our company's problem.

Around three security operators in my company use the product.

Though I want the use of the product to be increased in the company, the decision to do so lies in the hands of the management.

I have not contacted the tool's support team. If my company contacts the product's support team, it would be easier for our company to deal with the product's areas like deployment and usage. In the upcoming year, I would like to use the commercial tech support offered by the product.

Previously, I have used IBM QRadar, SentinelOne, and Splunk, which were all very expensive products.

My company started to use Wazuh considering its low prices compared to other solutions.

I rate the product's initial setup phase an eight or nine on a scale of one to ten, where one is difficult, and ten is easy. Wazuh is a very simple tool.

The solution is deployed on a private cloud.

It is difficult to comment on how much time is required to deploy the product since there is always a need to add new log sources and integration. The solution can be deployed in a few days so that the testing phase can be carried out.

Wazuh is a cheaply priced product.

The product has been implemented in my company's environment for threat direction straight out of the box through a simple implementation process.

My company uses the product for threat detection and to create and tune playbooks with roles. My company uses the product in our lab environment, so it's not used for production, which makes it easier for us to deal with the tuning part of the product.

The product helps our company's ability to comply with industry standards since we use the CIS benchmark for hardening GDPR compliance.

My company uses the product for event analysis. My company uses Wazuh as a SIEM solution.

My company uses the product for many of our use cases, and we also deal with the configuration part of the tool. My company is trying to tune the product, and it is possible to use it for event analysis with Wazuh. The product is effective in terms of event analysis.

The integration capabilities of the product with other tools, like FortiGate and NetFlow, are good.

More time is required for me to be able to see how the product's scalability can impact our company's environment.

The product is easy to customize. The product provides good setup documentation regarding the language to be used to use the product's customization abilities. The product offers a good level of documentation along with a good online community. On the internet, it is easier to get information about any problem or issue users face with the tool.

I recommend the product be used in a team with fewer members for security operations. The tool can be used if you work in areas like security and administration, where it can be easily used and implemented.

I rate the tool an eight out of ten.