Extending Wazuh Detection with OpenSearch Integration#

Introduction#

While Wazuh provides comprehensive security monitoring capabilities out of the box, organizations often need to integrate with existing data analysis platforms for enhanced visualization and analytics. OpenSearch, an open source search and analytics engine, offers powerful capabilities for managing and visualizing security data.

Integrating Wazuh with OpenSearch provides:

🔍 Advanced Search: Leverage OpenSearch’s powerful search capabilities
📊 Custom Visualizations: Create tailored dashboards for specific use cases
🔄 Data Forwarding: Stream security events to existing analytics infrastructure
📈 Scalable Analytics: Handle large-scale security data analysis
🤝 Platform Integration: Combine Wazuh alerts with other data sources

Architecture Overview#

1
flowchart TB
2
    subgraph "Wazuh Infrastructure"
3
        WA[Wazuh Agents]
4
        WS[Wazuh Server]
5
        WI[Wazuh Indexer]
6
        WD[Wazuh Dashboard]
7
    end
8

9
    subgraph "Integration Layer"
10
        LS[Logstash]
11
        P1[Input Plugin<br/>opensearch]
12
        P2[Output Plugin<br/>opensearch]
13
    end
14

15
    subgraph "OpenSearch Infrastructure"
16
        OS[OpenSearch]
17
        OSD[OpenSearch Dashboards]
18
        IX[Custom Indices]
19
    end
20

21
    WA --> WS
22
    WS --> WI
23
    WI --> WD
24

25
    WI -->|Read Indices| P1
26
    P1 --> LS
27
    LS --> P2
28
    P2 -->|Write Data| OS
29
    OS --> IX
30
    IX --> OSD
31

32
    style LS fill:#51cf66
33
    style OS fill:#4dabf7
34
    style OSD fill:#ffd43b

Infrastructure Requirements#

For this integration, we’ll need:

Wazuh Server: CentOS 7 with Wazuh indexer and server 4.5.2
OpenSearch Server: Ubuntu 22.04 with OpenSearch 2.10.0
Logstash: Version 8.10 (installed on OpenSearch server)

Implementation Guide#

Phase 1: Install and Configure Logstash#

Installation#

1
# Install prerequisites
2
sudo apt-get install apt-transport-https
3

4
# Add Elastic repository
5
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg
6
echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | \
7
  sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
8

9
# Install Logstash
10
sudo apt-get update && sudo apt-get install logstash
11
sudo systemctl start logstash
12
sudo systemctl status logstash

Install Required Plugins#

1
# Install OpenSearch input and output plugins
2
sudo /usr/share/logstash/bin/logstash-plugin install \
3
  logstash-input-opensearch logstash-output-opensearch

Phase 2: Certificate Management#

Setup Certificate Directories#

1
# Create certificate directories
2
sudo mkdir /etc/logstash/wazuh-indexer-certs
3
sudo mkdir /etc/logstash/opensearch-certs
4

5
# Copy certificates (adjust paths as needed)
6
sudo cp /path/to/wazuh-root-ca.pem /etc/logstash/wazuh-indexer-certs/
7
sudo cp /path/to/opensearch-root-ca.pem /etc/logstash/opensearch-certs/
8

9
# Set permissions
10
sudo chmod -R 755 /etc/logstash/wazuh-indexer-certs/root-ca.pem
11
sudo chmod -R 755 /etc/logstash/opensearch-certs/root-ca.pem

Phase 3: Configure Logstash Pipeline#

Download Index Template#

1
# Create templates directory
2
sudo mkdir /etc/logstash/templates
3

4
# Download Wazuh template for OpenSearch
5
sudo curl -o /etc/logstash/templates/wazuh.json \
6
  https://packages.wazuh.com/integrations/opensearch/4.x-2.x/dashboards/wz-os-4.x-2.x-template.json

Configure Keystore#

1
# Set keystore password
2
set +o history
3
echo 'LOGSTASH_KEYSTORE_PASS="<MY_KEYSTORE_PASSWORD>"' | sudo tee /etc/default/logstash
4
export LOGSTASH_KEYSTORE_PASS=<MY_KEYSTORE_PASSWORD>
5
set -o history
6

7
# Secure the file
8
sudo chown root /etc/default/logstash
9
sudo chmod 600 /etc/default/logstash
10
sudo systemctl restart logstash
11

12
# Create keystore
13
sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
14

15
# Store credentials
16
sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add OPENSEARCH_USERNAME
17
sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add OPENSEARCH_PASSWORD
18
sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_USERNAME
19
sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_PASSWORD

Create Pipeline Configuration#

Create /etc/logstash/conf.d/wazuh-opensearch.conf:

1
input {
2
  opensearch {
3
    hosts =>  ["<WAZUH_INDEXER_ADDRESS>:9200"]
4
    user  =>  "${WAZUH_INDEXER_USERNAME}"
5
    password  =>  "${WAZUH_INDEXER_PASSWORD}"
6
    index =>  "wazuh-alerts-4.x-*"
7
    ssl => true
8
    ca_file => "/etc/logstash/wazuh-indexer-certs/root-ca.pem"
9
    query =>  '{
10
        "query": {
11
            "range": {
12
                "@timestamp": {
13
                    "gt": "now-1m"
14
                }
15
            }
16
        }
17
    }'
18
    schedule => "* * * * *"
19
  }
20
}
21

22
output {
23
    opensearch {
24
        hosts => ["<OPENSEARCH_ADDRESS>"]
25
        auth_type => {
26
            type => 'basic'
27
            user => '${OPENSEARCH_USERNAME}'
28
            password => '${OPENSEARCH_PASSWORD}'
29
        }
30
        index  => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
31
        cacert => "/etc/logstash/opensearch-certs/root-ca.pem"
32
        ssl => true
33
        template => "/etc/logstash/templates/wazuh.json"
34
        template_name => "wazuh"
35
        template_overwrite => true
36
    }
37
}

Phase 4: Run and Test Logstash#

Test Configuration#

1
# Stop service
2
sudo systemctl stop logstash
3

4
# Test configuration
5
sudo -E /usr/share/logstash/bin/logstash \
6
  -f /etc/logstash/conf.d/wazuh-opensearch.conf \
7
  --path.settings /etc/logstash/

Run as Service#

1
# Enable and start service
2
sudo systemctl enable logstash
3
sudo systemctl start logstash

Phase 5: Configure OpenSearch Dashboards#

Create Index Pattern#

Navigate to ☰ > Management > Dashboards Management
Choose Index Patterns and select Create index pattern
Define wazuh-alerts-* as the index pattern name
Select timestamp as the primary time field
Click Create the index pattern

Verify Integration#

Navigate to ☰ > Discover to view Wazuh security data in the wazuh-alerts-4.x* index pattern.

Use Case: Docker Security Monitoring#

Overview#

We’ll demonstrate the integration’s value by monitoring Docker events and visualizing them with a custom dashboard in OpenSearch.

1
flowchart LR
2
    subgraph "Docker Host"
3
        D1[Docker Daemon]
4
        C1[Container 1]
5
        C2[Container 2]
6
        C3[Container N]
7
    end
8

9
    subgraph "Monitoring"
10
        WA[Wazuh Agent<br/>docker-listener]
11
        WS[Wazuh Server]
12
    end
13

14
    subgraph "Visualization"
15
        OS[OpenSearch]
16
        DD[Docker Dashboard]
17
    end
18

19
    D1 --> WA
20
    C1 --> WA
21
    C2 --> WA
22
    C3 --> WA
23

24
    WA --> WS
25
    WS --> OS
26
    OS --> DD
27

28
    style WA fill:#51cf66
29
    style DD fill:#ffd43b

Configure Docker Monitoring#

On CentOS Endpoint#

Install Prerequisites:

1
# Install Python and pip
2
sudo yum install python3 python3-pip
3

4
# Install Docker
5
sudo curl -sSL https://get.docker.com/ | sh
6
sudo systemctl start docker
7

8
# Install Python Docker library
9
sudo pip3 install docker==4.2.0

Enable Docker Listener Module:

Edit /var/ossec/etc/ossec.conf:

1
<ossec_config>
2
  <wodle name="docker-listener">
3
    <interval>10m</interval>
4
    <attempts>5</attempts>
5
    <run_on_start>yes</run_on_start>
6
    <disabled>no</disabled>
7
  </wodle>
8
</ossec_config>

Restart Wazuh Agent:

1
sudo systemctl restart wazuh-agent

Generate Docker Events:

1
# Pull and run containers
2
sudo docker pull nginx
3
sudo docker run -d -P --name nginx_container nginx
4

5
# Execute commands in container
6
sudo docker exec -it nginx_container cat /etc/passwd
7
sudo docker exec -it nginx_container /bin/bash
8
exit
9

10
# Stop and remove container
11
sudo docker stop nginx_container
12
sudo docker rm nginx_container
13
sudo docker rmi nginx

Import Docker Events Dashboard#

Download Dashboard File: Get the Wazuh Docker events dashboard for OpenSearch
Import in OpenSearch Dashboards:
- Navigate to Management > Dashboards management
- Click Saved Objects → Import
- Select the dashboard file and import
View Dashboard: Navigate to Dashboards to see Docker events visualization

Advanced Integration Patterns#

Multi-Pipeline Configuration#

Create separate pipelines for different data types:

1
input {
2
  opensearch {
3
    hosts => ["<WAZUH_INDEXER>:9200"]
4
    index => "wazuh-alerts-4.x-*"
5
    query => '{
6
      "query": {
7
        "bool": {
8
          "must": [
9
            { "range": { "@timestamp": { "gt": "now-5m" } } },
10
            { "term": { "rule.groups": "syscheck" } }
11
          ]
12
        }
13
      }
14
    }'
15
    schedule => "*/5 * * * *"
16
  }
17
}
18

19
output {
20
  opensearch {
21
    hosts => ["<OPENSEARCH>"]
22
    index => "wazuh-fim-%{+YYYY.MM.dd}"
23
    # ... other settings
24
  }
25
}

Data Enrichment Pipeline#

1
filter {
2
  # Add GeoIP information
3
  if [data][srcip] {
4
    geoip {
5
      source => "[data][srcip]"
6
      target => "[data][geoip]"
7
    }
8
  }
9

10
  # Add custom fields
11
  mutate {
12
    add_field => {
13
      "environment" => "production"
14
      "processed_by" => "logstash"
15
    }
16
  }
17

18
  # Parse user agent strings
19
  if [data][http][user_agent] {
20
    useragent {
21
      source => "[data][http][user_agent]"
22
      target => "[data][user_agent_parsed]"
23
    }
24
  }
25
}

Performance Optimization#

Buffer Configuration#

1
output {
2
  opensearch {
3
    hosts => ["<OPENSEARCH>"]
4
    index => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
5

6
    # Buffer settings
7
    flush_size => 5000
8
    idle_flush_time => 5
9

10
    # Connection pooling
11
    pool_max => 50
12
    pool_max_per_route => 25
13

14
    # Retry configuration
15
    retry_on_conflict => 5
16
    retry_max_interval => 10
17
    retry_initial_interval => 2
18
  }
19
}

Resource Allocation#

1
-Xms2g
2
-Xmx2g
3

4
# Pipeline settings
5
# /etc/logstash/pipelines.yml
6
- pipeline.id: wazuh-opensearch
7
  path.config: "/etc/logstash/conf.d/wazuh-opensearch.conf"
8
  pipeline.workers: 4
9
  pipeline.batch.size: 1000
10
  pipeline.batch.delay: 50

Monitoring and Troubleshooting#

Pipeline Monitoring#

1
# Check Logstash pipeline stats
2
curl -XGET 'localhost:9600/_node/stats/pipelines?pretty'
3

4
# Monitor Logstash logs
5
tail -f /var/log/logstash/logstash-plain.log
6

7
# Check OpenSearch indices
8
curl -XGET 'https://<OPENSEARCH>:9200/_cat/indices/wazuh-*?v'

Common Issues and Solutions#

Issue 1: No Data in OpenSearch#

1
# Verify Wazuh indexer connectivity
2
curl -k -u admin:admin https://<WAZUH_INDEXER>:9200/_cat/indices?v
3

4
# Check Logstash input
5
sudo -E /usr/share/logstash/bin/logstash \
6
  -e 'input { opensearch { hosts => ["<WAZUH_INDEXER>:9200"]
7
       index => "wazuh-alerts-*" } }
8
       output { stdout { codec => rubydebug } }'

Issue 2: SSL Certificate Errors#

1
# Temporary workaround (not for production)
2
output {
3
  opensearch {
4
    ssl_certificate_verification => false
5
    # ... other settings
6
  }
7
}

Issue 3: Performance Issues#

1
# Increase heap size
2
sudo sed -i 's/-Xms1g/-Xms4g/g' /etc/logstash/jvm.options
3
sudo sed -i 's/-Xmx1g/-Xmx4g/g' /etc/logstash/jvm.options
4

5
# Restart Logstash
6
sudo systemctl restart logstash

Best Practices#

1. Security Hardening#

1
# Secure certificate storage
2
certificates:
3
  strict_permissions: true
4
  verification_mode: full
5

6
# Network isolation
7
firewall_rules:
8
  - source: logstash_server
9
    destination: wazuh_indexer
10
    port: 9200
11
    protocol: tcp
12

13
  - source: logstash_server
14
    destination: opensearch_cluster
15
    port: 9200
16
    protocol: tcp

2. Data Retention Policy#

1
# Create index lifecycle policy
2
PUT _plugins/_ism/policies/wazuh-retention
3
{
4
  "policy": {
5
    "description": "Wazuh data retention policy",
6
    "default_state": "hot",
7
    "states": [
8
      {
9
        "name": "hot",
10
        "actions": [],
11
        "transitions": [
12
          {
13
            "state_name": "warm",
14
            "conditions": {
15
              "min_index_age": "7d"
16
            }
17
          }
18
        ]
19
      },
20
      {
21
        "name": "warm",
22
        "actions": [
23
          {
24
            "replica_count": {
25
              "number_of_replicas": 1
26
            }
27
          }
28
        ],
29
        "transitions": [
30
          {
31
            "state_name": "delete",
32
            "conditions": {
33
              "min_index_age": "30d"
34
            }
35
          }
36
        ]
37
      },
38
      {
39
        "name": "delete",
40
        "actions": [
41
          {
42
            "delete": {}
43
          }
44
        ]
45
      }
46
    ]
47
  }
48
}

3. Monitoring Best Practices#

1
monitoring_checklist:
2
  - metric: pipeline_throughput
3
    threshold: "> 1000 events/sec"
4
    action: scale_horizontally
5

6
  - metric: indexing_latency
7
    threshold: "< 100ms"
8
    action: optimize_bulk_settings
9

10
  - metric: error_rate
11
    threshold: "< 1%"
12
    action: investigate_failures

Custom Visualizations#

Creating Security Dashboards#

1
{
2
  "visualization": {
3
    "title": "Wazuh Security Events Timeline",
4
    "visState": {
5
      "type": "line",
6
      "params": {
7
        "grid": {
8
          "categoryLines": false,
9
          "style": {
10
            "color": "#eee"
11
          }
12
        },
13
        "categoryAxes": [{
14
          "id": "CategoryAxis-1",
15
          "type": "category",
16
          "position": "bottom",
17
          "show": true,
18
          "style": {},
19
          "scale": {
20
            "type": "linear"
21
          },
22
          "labels": {
23
            "show": true,
24
            "truncate": 100
25
          },
26
          "title": {}
27
        }],
28
        "valueAxes": [{
29
          "id": "ValueAxis-1",
30
          "name": "LeftAxis-1",
31
          "type": "value",
32
          "position": "left",
33
          "show": true,
34
          "style": {},
35
          "scale": {
36
            "type": "linear",
37
            "mode": "normal"
38
          },
39
          "labels": {
40
            "show": true,
41
            "rotate": 0,
42
            "filter": false,
43
            "truncate": 100
44
          },
45
          "title": {
46
            "text": "Event Count"
47
          }
48
        }],
49
        "seriesParams": [{
50
          "show": true,
51
          "type": "line",
52
          "mode": "normal",
53
          "data": {
54
            "label": "Security Events",
55
            "id": "1"
56
          },
57
          "valueAxis": "ValueAxis-1",
58
          "drawLinesBetweenPoints": true,
59
          "showCircles": true
60
        }]
61
      }
62
    }
63
  }
64
}

Alert Correlation Dashboard#

1
// Custom OpenSearch query for correlation
2
GET wazuh-alerts-*/_search
3
{
4
  "size": 0,
5
  "aggs": {
6
    "correlations": {
7
      "composite": {
8
        "sources": [
9
          { "agent": { "terms": { "field": "agent.name" } } },
10
          { "rule": { "terms": { "field": "rule.id" } } }
11
        ]
12
      },
13
      "aggs": {
14
        "alert_count": {
15
          "value_count": {
16
            "field": "_id"
17
          }
18
        },
19
        "severity_stats": {
20
          "stats": {
21
            "field": "rule.level"
22
          }
23
        }
24
      }
25
    }
26
  }
27
}

Integration Use Cases#

1. Compliance Monitoring#

1
# Compliance-specific pipeline
2
input {
3
  opensearch {
4
    hosts => ["<WAZUH_INDEXER>:9200"]
5
    index => "wazuh-alerts-4.x-*"
6
    query => '{
7
      "query": {
8
        "bool": {
9
          "should": [
10
            { "exists": { "field": "rule.pci_dss" } },
11
            { "exists": { "field": "rule.gdpr" } },
12
            { "exists": { "field": "rule.hipaa" } }
13
          ]
14
        }
15
      }
16
    }'
17
    schedule => "*/10 * * * *"
18
  }
19
}
20

21
output {
22
  opensearch {
23
    hosts => ["<OPENSEARCH>"]
24
    index => "wazuh-compliance-%{+YYYY.MM}"
25
    # ... configuration
26
  }
27
}

2. Threat Intelligence Integration#

1
filter {
2
  # Enrich with threat intelligence
3
  translate {
4
    field => "[data][srcip]"
5
    destination => "[threat][classification]"
6
    dictionary_path => "/etc/logstash/threat_intel.yml"
7
  }
8

9
  # Add threat score
10
  ruby {
11
    code => "
12
      if event.get('[threat][classification]')
13
        threat_scores = {
14
          'malicious' => 10,
15
          'suspicious' => 7,
16
          'unknown' => 5
17
        }
18
        event.set('[threat][score]',
19
          threat_scores[event.get('[threat][classification]')] || 0)
20
      end
21
    "
22
  }
23
}

3. Multi-Tenant Deployment#

1
# Route alerts to tenant-specific indices
2
filter {
3
  # Determine tenant based on agent metadata
4
  if [agent][labels][tenant] {
5
    mutate {
6
      add_field => { "[@metadata][tenant]" => "%{[agent][labels][tenant]}" }
7
    }
8
  } else {
9
    mutate {
10
      add_field => { "[@metadata][tenant]" => "default" }
11
    }
12
  }
13
}
14

15
output {
16
  opensearch {
17
    hosts => ["<OPENSEARCH>"]
18
    index => "wazuh-%{[@metadata][tenant]}-%{+YYYY.MM.dd}"
19
    # ... configuration
20
  }
21
}

Performance Metrics#

Key Performance Indicators#

1
kpi_monitoring:
2
  pipeline_metrics:
3
    - events_received_rate
4
    - events_filtered_rate
5
    - events_out_rate
6
    - queue_push_duration
7
    - queue_backpressure
8

9
  opensearch_metrics:
10
    - indexing_rate
11
    - indexing_latency
12
    - search_latency
13
    - disk_usage
14
    - heap_usage
15

16
  system_metrics:
17
    - cpu_usage
18
    - memory_usage
19
    - network_throughput
20
    - disk_io

Optimization Strategies#

Batch Processing: Optimize batch sizes for throughput
Index Sharding: Distribute data across multiple shards
Query Optimization: Use filters instead of queries where possible
Resource Allocation: Scale vertically or horizontally based on load

Alternative Integration Method#

Direct Wazuh Server Integration#

For resource-constrained environments, you can forward alerts directly from the Wazuh server:

1
<ossec_config>
2
  <global>
3
    <jsonout_output>yes</jsonout_output>
4
    <logall_json>yes</logall_json>
5
  </global>
6

7
  <output>
8
    <name>opensearch-output</name>
9
    <format>json</format>
10
    <server>logstash.example.com</server>
11
    <port>5000</port>
12
  </output>
13
</ossec_config>

Conclusion#

Integrating Wazuh with OpenSearch through Logstash provides a powerful solution for organizations seeking to:

✅ Enhance visualization capabilities beyond standard dashboards
📊 Combine security data with other organizational data
🔄 Maintain flexibility in data processing and storage
📈 Scale analytics infrastructure independently
🛡️ Preserve existing OpenSearch investments

This integration enables security teams to leverage the best of both platforms while maintaining operational efficiency.

Key Takeaways#

Plan Architecture: Design pipeline architecture based on data volume and requirements
Secure Communications: Always use SSL/TLS for data in transit
Monitor Performance: Track pipeline metrics to ensure optimal operation
Optimize Resources: Tune Logstash settings based on workload
Document Configuration: Maintain clear documentation of all integrations

Resources#

Extend your security monitoring capabilities with Wazuh and OpenSearch integration! 🚀🔍