Monitoring Linux Resource Usage with Wazuh#

Introduction#

Monitoring Linux resources is crucial for optimizing performance and securing an organization’s infrastructure. By maintaining comprehensive visibility into system resource utilization, organizations can proactively identify performance bottlenecks, detect potential security threats, and ensure reliable service delivery. Abnormal resource usage patterns often indicate ongoing malicious activities, making resource monitoring an essential component of security operations.

Wazuh, an open source security platform, provides powerful capabilities for monitoring Linux system resources through its command monitoring module. This integration enables:

🔍 Real-time Metrics Collection: Track CPU, memory, disk, and network usage
📊 Custom Visualizations: Build interactive dashboards for performance analysis
🚨 Proactive Alerting: Detect resource anomalies before they impact services
📈 Historical Analysis: Identify trends and patterns in resource consumption
🛡️ Security Insights: Correlate resource usage with potential threats

Linux Performance Metrics#

Understanding Key Metrics#

1. CPU Usage#

CPU usage represents the percentage of time the processor spends on non-idle tasks. Linux categorizes CPU time into several components:

1
top -bn1 | grep Cpu
2
# Output: %Cpu(s):  6.6 us,  2.0 sy,  0.0 ni, 91.3 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st

Components:

us (user): Time running user processes
sy (system): Time running kernel operations
ni (nice): Time running nice priority processes
id (idle): Time spent idle
wa (iowait): Time waiting for I/O operations
hi (hardware interrupts): Time handling hardware interrupts
si (software interrupts): Time handling software interrupts
st (steal): Time stolen by hypervisor (virtualization)

Calculation:

1
Idle = idle + iowait
2
NonIdle = user + system + nice + hardirq + softirq + steal
3
Total = Idle + NonIdle
4
CPU Utilization (%) = (NonIdle / Total) * 100

2. CPU Load#

CPU load measures the average number of processes in the run queue:

1
uptime
2
# Output: 10:31:03 up  8:42,  2 users,  load average: 2.53, 2.61, 2.84

Where:

2.53 = 1-minute load average
2.61 = 5-minute load average
2.84 = 15-minute load average

3. Memory Utilization#

Memory usage shows the percentage of RAM currently in use:

1
free
2
#           total     used      free     shared     buff/cache     available
3
# Mem:      15Gi      7.1Gi     6.1Gi    940Mi      2.2Gi          7.0Gi
4
# Swap:     2.0Gi     945Mi     1.1Gi

Calculation:

1
Memory Utilization (%) = 100 - (((MemFree + Buffers + Cached) * 100) / TotalMemory)

4. Disk Usage#

Disk usage indicates the percentage of storage space occupied:

1
df -h /
2
# Filesystem       Size    Used    Avail   Use%   Mounted on
3
# /dev/nvme0n1p2   528G    390G    112G    78%    /

Calculation:

1
Disk Utilization (%) = (DiskUsed / DiskTotal) * 100

Architecture Overview#

1
flowchart TB
2
    subgraph "Linux System"
3
        S1[System Commands]
4
        S2[top, free, df, uptime]
5
        S3[Command Output]
6
    end
7

8
    subgraph "Wazuh Agent"
9
        C1[Command Module]
10
        C2[Log Format]
11
        C3[Event Generation]
12
    end
13

14
    subgraph "Wazuh Server"
15
        D1[Decoders]
16
        R1[Rules Engine]
17
        A1[Alert Generation]
18
        T1[Template]
19
    end
20

21
    subgraph "Wazuh Indexer"
22
        I1[Index Pattern]
23
        I2[Field Mapping]
24
        I3[Data Storage]
25
    end
26

27
    subgraph "Wazuh Dashboard"
28
        V1[Visualizations]
29
        DB1[Dashboards]
30
        AL1[Alerts]
31
    end
32

33
    S1 --> S2
34
    S2 --> S3
35
    S3 --> C1
36
    C1 --> C2
37
    C2 --> C3
38
    C3 --> D1
39
    D1 --> R1
40
    R1 --> A1
41
    A1 --> I1
42
    I1 --> I2
43
    I2 --> I3
44
    I3 --> V1
45
    I3 --> DB1
46
    I3 --> AL1
47

48
    style C1 fill:#51cf66
49
    style I2 fill:#4dabf7
50
    style DB1 fill:#ffd43b

Implementation Guide#

Prerequisites#

Wazuh Server: Pre-built OVA 4.12 with all components
Ubuntu Endpoint: Ubuntu 24.04 with Wazuh agent installed
Permissions: Root access for configuration changes

Phase 1: Configure Command Monitoring#

Edit /var/ossec/etc/ossec.conf on the Ubuntu endpoint and add within the <ossec_config> block:

1
<!-- CPU, memory, disk metric -->
2
<localfile>
3
  <log_format>full_command</log_format>
4
  <command>echo $(top -bn1 | grep Cpu | awk '{print $2+$4+$6+$12+$14+$16}' ; free -m | awk 'NR==2{printf "%.2f\t\t\n", $3*100/$2 }' ; df -h | awk '$NF=="/"{print $5}'|sed 's/%//g')</command>
5
  <alias>general_health_metrics</alias>
6
  <out_format>$(timestamp) $(hostname) general_health_check: $(log)</out_format>
7
  <frequency>30</frequency>
8
</localfile>
9

10
<!-- load average metrics -->
11
<localfile>
12
  <log_format>full_command</log_format>
13
  <command>uptime | grep load | awk '{print $(NF-2),$(NF-1),$NF}' | sed 's/\,\([0-9]\{1,2\}\)/.\1/g'</command>
14
  <alias>load_average_metrics</alias>
15
  <out_format>$(timestamp) $(hostname) load_average_check: $(log)</out_format>
16
  <frequency>30</frequency>
17
</localfile>
18

19
<!-- memory metrics -->
20
<localfile>
21
  <log_format>full_command</log_format>
22
  <command>free --bytes| awk 'NR==2{print $3,$7}'</command>
23
  <alias>memory_metrics</alias>
24
  <out_format>$(timestamp) $(hostname) memory_check: $(log)</out_format>
25
  <frequency>30</frequency>
26
</localfile>
27

28
<!-- disk metrics -->
29
<localfile>
30
  <log_format>full_command</log_format>
31
  <command>df -B1 | awk '$NF=="/"{print $3,$4}'</command>
32
  <alias>disk_metrics</alias>
33
  <out_format>$(timestamp) $(hostname) disk_check: $(log)</out_format>
34
  <frequency>30</frequency>
35
</localfile>

Enable remote commands (required for centralized configuration):

1
echo "logcollector.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf
2
sudo systemctl restart wazuh-agent

Phase 2: Configure Wazuh Server#

Add Custom Decoders#

Create or update /var/ossec/etc/decoders/local_decoder.xml:

1
<!-- CPU, memory, disk metric -->
2
<decoder name="general_health_check">
3
  <program_name>general_health_check</program_name>
4
</decoder>
5

6
<decoder name="general_health_check1">
7
  <parent>general_health_check</parent>
8
  <prematch>ossec: output: 'general_health_metrics':\.</prematch>
9
  <regex offset="after_prematch">(\S+) (\S+) (\S+)</regex>
10
  <order>cpu_usage_%, memory_usage_%, disk_usage_%</order>
11
</decoder>
12

13
<!-- load average metric -->
14
<decoder name="load_average_check">
15
  <program_name>load_average_check</program_name>
16
</decoder>
17

18
<decoder name="load_average_check1">
19
  <parent>load_average_check</parent>
20
  <prematch>ossec: output: 'load_average_metrics':\.</prematch>
21
  <regex offset="after_prematch">(\S+), (\S+), (\S+)</regex>
22
  <order>1min_loadAverage, 5mins_loadAverage, 15mins_loadAverage</order>
23
</decoder>
24

25
<!-- Memory metric -->
26
<decoder name="memory_check">
27
  <program_name>memory_check</program_name>
28
</decoder>
29

30
<decoder name="memory_check1">
31
  <parent>memory_check</parent>
32
  <prematch>ossec: output: 'memory_metrics':\.</prematch>
33
  <regex offset="after_prematch">(\S+) (\S+)</regex>
34
  <order>memory_used_bytes, memory_available_bytes</order>
35
</decoder>
36

37
<!-- Disk metric -->
38
<decoder name="disk_check">
39
  <program_name>disk_check</program_name>
40
</decoder>
41

42
<decoder name="disk_check1">
43
  <parent>disk_check</parent>
44
  <prematch>ossec: output: 'disk_metrics':\.</prematch>
45
  <regex offset="after_prematch">(\S+) (\S+)</regex>
46
  <order>disk_used_bytes, disk_free_bytes</order>
47
</decoder>

Add Detection Rules#

Create or update /var/ossec/etc/rules/local_rules.xml:

1
<group name="performance_metric,">
2
  <!-- CPU, Memory and Disk usage -->
3
  <rule id="100054" level="3">
4
    <decoded_as>general_health_check</decoded_as>
5
    <description>CPU | MEMORY | DISK usage metrics</description>
6
  </rule>
7

8
  <!-- High memory usage -->
9
  <rule id="100055" level="12">
10
    <if_sid>100054</if_sid>
11
    <field name="memory_usage_%" type="pcre2">^[8-9]\d|100</field>
12
    <description>Memory usage is high: $(memory_usage_%)%</description>
13
    <options>no_full_log</options>
14
  </rule>
15

16
  <!-- High CPU usage -->
17
  <rule id="100056" level="12">
18
    <if_sid>100054</if_sid>
19
    <field name="cpu_usage_%" type="pcre2">^[8-9]\d|100</field>
20
    <description>CPU usage is high: $(cpu_usage_%)%</description>
21
    <options>no_full_log</options>
22
  </rule>
23

24
  <!-- High disk usage -->
25
  <rule id="100057" level="12">
26
    <if_sid>100054</if_sid>
27
    <field name="disk_usage_%" type="pcre2">[7-9]\d|100</field>
28
    <description>Disk space is running low: $(disk_usage_%)%</description>
29
    <options>no_full_log</options>
30
  </rule>
31

32
  <!-- Load average check -->
33
  <rule id="100058" level="3">
34
    <decoded_as>load_average_check</decoded_as>
35
    <description>load average metrics</description>
36
  </rule>
37

38
  <!-- memory check -->
39
  <rule id="100059" level="3">
40
    <decoded_as>memory_check</decoded_as>
41
    <description>Memory metrics</description>
42
  </rule>
43

44
  <!-- Disk check -->
45
  <rule id="100060" level="3">
46
    <decoded_as>disk_check</decoded_as>
47
    <description>Disk metrics</description>
48
  </rule>
49
</group>

Restart Wazuh manager:

1
sudo systemctl restart wazuh-manager

Phase 3: Update Wazuh Template#

Modify Field Types#

Edit /etc/filebeat/wazuh-template.json and add custom fields to the data properties section:

1
{
2
  "order": 0,
3
  "index_patterns": [
4
    "wazuh-alerts-4.x-*",
5
    "wazuh-archives-4.x-*"
6
  ],
7
  "mappings": {
8
    "properties": {
9
      "data": {
10
        "properties": {
11
          "1min_loadAverage": {
12
            "type": "double"
13
          },
14
          "5mins_loadAverage": {
15
            "type": "double"
16
          },
17
          "15mins_loadAverage": {
18
            "type": "double"
19
          },
20
          "cpu_usage_%": {
21
            "type": "double"
22
          },
23
          "memory_usage_%": {
24
            "type": "double"
25
          },
26
          "memory_available_bytes": {
27
            "type": "double"
28
          },
29
          "memory_used_bytes": {
30
            "type": "double"
31
          },
32
          "disk_used_bytes": {
33
            "type": "double"
34
          },
35
          "disk_free_bytes": {
36
            "type": "double"
37
          },
38
          "disk_usage_%": {
39
            "type": "double"
40
          }
41
        }
42
      }
43
    }
44
  }
45
}

Apply template changes:

1
sudo filebeat setup -index-management

Phase 4: Re-index Existing Data#

Access Wazuh dashboard Dev Tools:

1
# Check existing indices
2
GET _cat/indices
3

4
# Re-index to backup
5
POST _reindex
6
{
7
  "source": {
8
    "index": "wazuh-alerts-4.x-2025.07.12"  # Replace with your index
9
  },
10
  "dest": {
11
    "index": "wazuh-alerts-4.x-backup"
12
  }
13
}
14

15
# Delete old index
16
DELETE /wazuh-alerts-4.x-2025.07.12
17

18
# Re-index with new mapping
19
POST _reindex
20
{
21
  "source": {
22
    "index": "wazuh-alerts-4.x-backup"
23
  },
24
  "dest": {
25
    "index": "wazuh-alerts-4.x-2025.07.12"
26
  }
27
}
28

29
# Clean up
30
DELETE /wazuh-alerts-4.x-backup

Phase 5: Configure Field Formats#

In Wazuh Dashboard:

Navigate to Stack Management → Index Patterns → wazuh-alerts-*
Search for fields: data.memory_available_bytes, data.memory_used_bytes, data.disk_free_bytes, data.disk_used_bytes
Click edit icon for each field
Change format from Number to Bytes
Save changes

Creating Custom Visualizations#

CPU Usage Visualization#

Navigate to Visualize → Create new visualization
Select Line chart type
Choose wazuh-alerts-* index pattern

Y-axis (Metrics):

Aggregation: Max
Field: data.cpu_usage_%
Custom label: CPU Usage %

X-axis (Buckets):

Aggregation: Date Histogram
Field: timestamp
Minimum interval: Minute

Load Average Visualization#

Y-axis (Metrics) - Add 3 metrics:

Metric 1: Max of data.1min_loadAverage (Label: 1 min load average)
Metric 2: Max of data.5min_loadAverage (Label: 5 min load average)
Metric 3: Max of data.15min_loadAverage (Label: 15 min load average)

X-axis (Buckets):

Same as CPU visualization

Memory Usage Visualization#

Create two visualizations:

Memory Percentage (Line Chart):

Y-axis: Max of data.memory_usage_%
X-axis: Date Histogram on timestamp

Memory Size (Area Chart):

Y-axis Metric 1: Max of data.memory_available_bytes (Label: Memory Available)
Y-axis Metric 2: Max of data.memory_used_bytes (Label: Memory Used)
X-axis: Date Histogram on timestamp

Disk Visualizations#

Disk Usage Percentage (Line Chart):

Y-axis: Max of data.disk_usage_%
X-axis: Date Histogram on timestamp

Disk Space Table:

Metric 1: Max of data.disk_free_bytes (Label: Disk Free)
Metric 2: Max of data.disk_used_bytes (Label: Disk Used)

Advanced Monitoring#

Process-Specific Monitoring#

1
<!-- Monitor specific process CPU usage -->
2
<localfile>
3
  <log_format>full_command</log_format>
4
  <command>ps aux | grep -E 'nginx|apache2' | awk '{sum+=$3} END {print sum}'</command>
5
  <alias>webserver_cpu</alias>
6
  <out_format>$(timestamp) $(hostname) webserver_cpu_usage: $(log)</out_format>
7
  <frequency>60</frequency>
8
</localfile>
9

10
<!-- Monitor Docker containers -->
11
<localfile>
12
  <log_format>full_command</log_format>
13
  <command>docker stats --no-stream --format "{{.Container}}:{{.CPUPerc}}:{{.MemPerc}}" 2>/dev/null || echo "No Docker"</command>
14
  <alias>docker_stats</alias>
15
  <out_format>$(timestamp) $(hostname) docker_stats: $(log)</out_format>
16
  <frequency>60</frequency>
17
</localfile>

Network Monitoring#

1
<!-- Network interface statistics -->
2
<localfile>
3
  <log_format>full_command</log_format>
4
  <command>cat /proc/net/dev | grep -E 'eth0|ens' | awk '{print $1,$2,$10}'</command>
5
  <alias>network_stats</alias>
6
  <out_format>$(timestamp) $(hostname) network_stats: $(log)</out_format>
7
  <frequency>30</frequency>
8
</localfile>
9

10
<!-- Active connections -->
11
<localfile>
12
  <log_format>full_command</log_format>
13
  <command>ss -s | grep -E 'TCP:|UDP:' | awk '{print $1,$2}'</command>
14
  <alias>connection_stats</alias>
15
  <out_format>$(timestamp) $(hostname) connection_stats: $(log)</out_format>
16
  <frequency>60</frequency>
17
</localfile>

Advanced Rules#

1
<!-- Sustained high CPU usage -->
2
<rule id="100061" level="14" frequency="5" timeframe="300">
3
  <if_sid>100056</if_sid>
4
  <description>Sustained high CPU usage detected</description>
5
  <options>alert_by_email</options>
6
</rule>
7

8
<!-- Rapid disk usage increase -->
9
<rule id="100062" level="12" frequency="3" timeframe="300">
10
  <if_sid>100057</if_sid>
11
  <description>Rapid disk usage increase - possible log flooding</description>
12
</rule>
13

14
<!-- Memory leak detection -->
15
<rule id="100063" level="10">
16
  <if_sid>100059</if_sid>
17
  <match>memory_available_bytes: 0</match>
18
  <description>System out of memory</description>
19
</rule>
20

21
<!-- High load with low CPU (I/O bottleneck) -->
22
<rule id="100064" level="10">
23
  <if_sid>100058</if_sid>
24
  <regex>^([5-9]\.|[1-9]\d+\.)</regex>
25
  <description>High system load detected: $(1min_loadAverage)</description>
26
</rule>

Creating Dashboards#

Performance Dashboard Layout#

1
{
2
  "version": "7.14.2",
3
  "objects": [{
4
    "id": "linux-performance-dashboard",
5
    "type": "dashboard",
6
    "attributes": {
7
      "title": "Linux Performance Monitoring",
8
      "hits": 0,
9
      "description": "Comprehensive Linux resource monitoring dashboard",
10
      "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":24,\"h\":15},\"panelIndex\":\"1\",\"embeddableConfig\":{\"title\":\"CPU Usage Over Time\"},\"panelRefName\":\"panel_cpu_usage\"},{\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":15},\"panelIndex\":\"2\",\"embeddableConfig\":{\"title\":\"Memory Usage Over Time\"},\"panelRefName\":\"panel_memory_usage\"},{\"gridData\":{\"x\":0,\"y\":15,\"w\":24,\"h\":15},\"panelIndex\":\"3\",\"embeddableConfig\":{\"title\":\"Load Average Trends\"},\"panelRefName\":\"panel_load_average\"},{\"gridData\":{\"x\":24,\"y\":15,\"w\":24,\"h\":15},\"panelIndex\":\"4\",\"embeddableConfig\":{\"title\":\"Disk Usage\"},\"panelRefName\":\"panel_disk_usage\"}]",
11
      "timeRestore": true,
12
      "timeTo": "now",
13
      "timeFrom": "now-24h",
14
      "refreshInterval": {
15
        "pause": false,
16
        "value": 30000
17
      }
18
    }
19
  }]
20
}

Alert Summary Dashboard#

Key components:

Top 10 hosts by CPU usage
Top 10 hosts by memory usage
Alert frequency heatmap
Resource usage distribution
Critical alerts timeline

Best Practices#

1. Monitoring Strategy#

1
Collection Intervals:
2
  Critical Metrics:
3
    - CPU, Memory: 30 seconds
4
    - Disk: 60 seconds
5
    - Network: 30 seconds
6

7
  Non-Critical Metrics:
8
    - Process stats: 300 seconds
9
    - System info: 3600 seconds
10

11
Alert Thresholds:
12
  CPU:
13
    - Warning: 70%
14
    - Critical: 85%
15
    - Sustained: 80% for 5 minutes
16

17
  Memory:
18
    - Warning: 75%
19
    - Critical: 90%
20
    - OOM Risk: 95%
21

22
  Disk:
23
    - Warning: 70%
24
    - Critical: 85%
25
    - Emergency: 95%

2. Performance Optimization#

1
#!/bin/bash
2
# Optimize monitoring performance
3

4
# Use efficient commands
5
# Bad: ps aux | grep process | awk '{print $3}'
6
# Good: pidstat -p $(pgrep process) 1 1 | tail -1 | awk '{print $7}'
7

8
# Cache static information
9
TOTAL_MEM=$(free -b | awk 'NR==2{print $2}')
10
CPU_COUNT=$(nproc)
11

12
# Batch multiple metrics
13
echo "$(date +%s):$(cat /proc/loadavg | cut -d' ' -f1-3):$(free -m | awk 'NR==2{print $3}'):$(df -BG / | awk 'NR==2{print $5}')"

3. Security Correlation#

1
<!-- Correlate high CPU with security events -->
2
<rule id="100065" level="13">
3
  <if_sid>100056</if_sid>
4
  <if_matched_sid>5503</if_matched_sid>
5
  <same_source_ip />
6
  <description>High CPU usage coinciding with authentication failures</description>
7
  <mitre>
8
    <id>T1110</id>
9
  </mitre>
10
</rule>
11

12
<!-- Detect crypto mining -->
13
<rule id="100066" level="14">
14
  <if_sid>100056</if_sid>
15
  <time>1:00 am - 6:00 am</time>
16
  <description>Suspicious high CPU usage during off-hours - possible crypto mining</description>
17
  <mitre>
18
    <id>T1496</id>
19
  </mitre>
20
</rule>

Troubleshooting#

Common Issues#

Issue 1: Commands Not Executing#

1
# Check agent configuration
2
grep -A 5 "localfile" /var/ossec/etc/ossec.conf
3

4
# Verify command execution
5
sudo -u wazuh-user /bin/bash -c "top -bn1 | grep Cpu"
6

7
# Check logs
8
tail -f /var/ossec/logs/ossec.log | grep -E "ERROR|WARNING"

Issue 2: Custom Fields Not Appearing#

1
# Refresh index pattern
2
curl -X POST "localhost:9200/wazuh-alerts-*/_refresh"
3

4
# Verify field mapping
5
curl -X GET "localhost:9200/wazuh-alerts-*/_mapping/field/data.cpu_usage_%?pretty"

Issue 3: High Resource Usage by Monitoring#

1
<!-- Reduce frequency for non-critical systems -->
2
<localfile>
3
  <log_format>full_command</log_format>
4
  <command>YOUR_COMMAND</command>
5
  <alias>YOUR_ALIAS</alias>
6
  <frequency>120</frequency>  <!-- Increase from 30 to 120 seconds -->
7
</localfile>

Integration Examples#

1. Automated Remediation#

1
#!/usr/bin/env python3
2
import json
3
import subprocess
4
import sys
5

6
def handle_alert(alert_file):
7
    with open(alert_file, 'r') as f:
8
        alert = json.load(f)
9

10
    rule_id = alert['rule']['id']
11

12
    if rule_id == '100055':  # High memory
13
        clear_cache()
14
    elif rule_id == '100057':  # Low disk space
15
        clean_logs()
16
    elif rule_id == '100061':  # Sustained high CPU
17
        identify_culprit()
18

19
def clear_cache():
20
    subprocess.run(['sync'])
21
    subprocess.run(['echo', '3'], stdout=open('/proc/sys/vm/drop_caches', 'w'))
22
    print("Memory cache cleared")
23

24
def clean_logs():
25
    subprocess.run(['find', '/var/log', '-name', '*.log', '-mtime', '+30', '-delete'])
26
    subprocess.run(['journalctl', '--vacuum-time=7d'])
27
    print("Old logs cleaned")
28

29
def identify_culprit():
30
    result = subprocess.run(['ps', 'aux', '--sort=-pcpu'], capture_output=True, text=True)
31
    print("Top CPU consumers:")
32
    print(result.stdout.split('\n')[:10])
33

34
if __name__ == "__main__":
35
    handle_alert(sys.argv[1])

2. Performance Reports#

1
#!/bin/bash
2
# Generate daily performance report
3

4
REPORT_FILE="/tmp/performance_report_$(date +%Y%m%d).html"
5

6
cat > "$REPORT_FILE" << EOF
7
<!DOCTYPE html>
8
<html>
9
<head>
10
    <title>Daily Performance Report - $(date)</title>
11
    <style>
12
        body { font-family: Arial, sans-serif; }
13
        table { border-collapse: collapse; width: 100%; }
14
        th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
15
        th { background-color: #4CAF50; color: white; }
16
        .warning { background-color: #fff3cd; }
17
        .critical { background-color: #f8d7da; }
18
    </style>
19
</head>
20
<body>
21
    <h1>Linux Performance Report</h1>
22
    <h2>Date: $(date)</h2>
23

24
    <h3>System Summary</h3>
25
    <table>
26
        <tr>
27
            <th>Metric</th>
28
            <th>Current Value</th>
29
            <th>24h Average</th>
30
            <th>Status</th>
31
        </tr>
32
EOF
33

34
# Add metrics to report
35
# Query Wazuh API for statistics
36

37
echo "</table></body></html>" >> "$REPORT_FILE"
38

39
# Email report
40
mail -s "Daily Performance Report" -a "$REPORT_FILE" admin@company.com < /dev/null

Conclusion#

Monitoring Linux resource usage with Wazuh provides organizations with critical insights into system performance and potential security threats. By implementing comprehensive monitoring, custom visualizations, and intelligent alerting, you can:

✅ Proactively identify performance issues before they impact services
📊 Visualize trends to optimize resource allocation
🚨 Detect anomalies that may indicate security incidents
📈 Maintain compliance with performance monitoring requirements
🛡️ Correlate resource usage with security events for better threat detection

The flexibility of Wazuh’s command monitoring and visualization capabilities enables tailored solutions for any Linux environment.

Key Takeaways#

Start Simple: Begin with basic metrics and expand gradually
Optimize Commands: Use efficient commands to minimize overhead
Set Realistic Thresholds: Base alerts on your environment’s baseline
Correlate Events: Link resource usage with security events
Automate Responses: Implement remediation scripts for common issues

Resources#

Monitor your Linux infrastructure effectively with Wazuh. Visualize, analyze, optimize! 🐧📊