Wazuh Agent for Linux: Comprehensive Security Monitoring Guide

The Wazuh agent is a lightweight yet powerful security monitoring component that transforms Linux endpoints into intelligent security sensors. As part of the broader Wazuh XDR/SIEM platform, it provides real-time visibility into security events while maintaining minimal resource overhead.

Architecture Overview

The Wazuh security platform consists of four key components:

1. Wazuh Agent - Endpoint monitoring component (covered in this guide)
2. Wazuh Server - Central management, analysis, and rule processing
3. Wazuh Indexer - Data storage and search capabilities
4. Wazuh Dashboard - Visualization and configuration interface

The agent communicates with the central server through an encrypted, authenticated channel, ensuring secure transmission of security telemetry even across untrusted networks.

Resource Requirements

One of Wazuh agent’s key strengths is its lightweight footprint:

• Memory Usage: ~35MB RAM
• CPU Impact: Minimal (typically <1% on modern systems)
• Disk Space: ~100MB for installation
• Network: Low bandwidth usage with efficient compression

Core Security Capabilities

1. Log Collection and Analysis

The Wazuh agent excels at comprehensive log collection:

• Operating System Logs: Collects syslog, auth.log, kernel logs, and system events
• Application Logs: Monitors custom application logs with configurable patterns
• Real-time Forwarding: Near-instantaneous transmission to the central server
• Format Support: Handles various log formats including JSON, syslog, and custom formats
• Command Output: Can execute commands and collect their output as log data

Configuration example for custom log collection:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/custom-app/*.log</location>
</localfile>

2. File Integrity Monitoring (FIM)

FIM provides critical visibility into file system changes:

• Change Detection: Identifies file creation, modification, and deletion
• Attribute Tracking: Monitors permissions, ownership, size, and checksums
• User Attribution: Records which users and processes modified files
• Real-time Alerts: Immediate notification of critical file changes
• Baseline Comparison: Detects deviations from known-good states

Key directories typically monitored:

• /etc - System configuration files
• /bin, /sbin - System binaries
• /boot - Boot loader files
• Custom application directories

3. System Call Monitoring

Leveraging the Linux Audit framework, Wazuh provides deep system-level visibility:

• Syscall Auditing: Monitors security-relevant system calls
• Process Tracking: Tracks process creation, file access, and network connections
• Privilege Escalation Detection: Identifies suspicious privilege changes
• Command Execution Monitoring: Records all executed commands
• User Activity Tracking: Comprehensive audit trail of user actions

Example audit rules:

# Monitor privilege escalation
-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/sudo -k privilege_escalation

# Track file access in sensitive directories
-w /etc/passwd -p wa -k passwd_changes

4. Security Configuration Assessment (SCA)

SCA performs automated security compliance checks:

• Policy Scanning: Evaluates system against security policies
• Misconfiguration Detection: Identifies security gaps and weaknesses
• Compliance Frameworks: Supports CIS, PCI-DSS, GDPR, and custom policies
• Remediation Guidance: Provides specific steps to fix issues
• Customizable Checks: Create organization-specific security policies

Common checks include:

• Password policy compliance
• SSH configuration hardening
• Firewall rules validation
• Service configuration security
• File permission audits

5. Vulnerability Detection

Proactive vulnerability management capabilities:

• Software Inventory: Maintains current list of installed packages
• CVE Correlation: Matches installed software against vulnerability databases
• Severity Scoring: Prioritizes vulnerabilities by CVSS scores
• Patch Status: Tracks available security updates
• Zero-day Detection: Identifies indicators of unknown vulnerabilities

The agent collects package information from:

• APT/dpkg (Debian/Ubuntu)
• YUM/RPM (RHEL/CentOS)
• Snap packages
• Custom application manifests

6. Malware and Rootkit Detection

Non-signature-based detection methods:

• Anomaly Detection: Identifies unusual system behavior
• Hidden Process Detection: Finds processes hidden from standard tools
• Network Backdoor Discovery: Detects hidden network listeners
• File System Anomalies: Identifies hidden files and directories
• Kernel Module Monitoring: Tracks loaded kernel modules

Detection techniques:

# Check for hidden processes
/var/ossec/bin/ossec-rootcheck

# Scan for rootkit signatures
/var/ossec/bin/rootkit_trojans.txt

7. Active Response Capabilities

Automated threat containment and remediation:

• Network Blocking: Automatically block malicious IP addresses
• Process Termination: Kill suspicious processes
• File Quarantine: Move or delete malicious files
• User Account Actions: Disable compromised accounts
• Custom Scripts: Execute organization-specific response actions

Example active response configuration:

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>10</level>
  <timeout>600</timeout>
</active-response>

8. Container and Cloud Security

Modern infrastructure monitoring capabilities:

• Docker Integration: Monitors container events via Docker API
• Container Runtime Security: Tracks container creation, execution, and networking
• Image Scanning: Identifies vulnerabilities in container images
• Kubernetes Support: Monitors pod events and configurations
• Cloud Provider Integration: AWS, Azure, and GCP monitoring support

Deployment Best Practices

Installation Methods

1. Package Managers: Native packages for major distributions
2. Configuration Management: Ansible, Puppet, Chef modules available
3. Container Deployment: Official Docker images for containerized environments
4. Cloud Templates: Pre-configured images for cloud deployment

Security Hardening

1. Agent Configuration: Restrict configuration file permissions
2. Communication Security: Use certificate-based authentication
3. Resource Limits: Configure appropriate thresholds
4. Log Rotation: Implement proper log management
5. Access Control: Limit who can manage agent configuration

Performance Optimization

1. Scan Frequencies: Balance security with performance
2. Exclusion Lists: Skip known-safe files and directories
3. Buffer Sizes: Tune for your environment’s log volume
4. Network Settings: Optimize compression and batch sizes

Integration with Security Operations

SIEM Integration

The Wazuh agent data can be integrated with:

• Elasticsearch: Native integration for log storage
• Splunk: Forwarder configuration available
• IBM QRadar: DSM modules for event parsing
• Custom SIEM: Syslog and JSON output formats

Automation and Orchestration

• SOAR Platforms: Integrate with Phantom, Demisto, etc.
• Ticketing Systems: Automatic incident creation
• Notification Services: Slack, email, SMS alerts
• API Integration: RESTful API for custom integrations

Threat Detection Use Cases

1. Insider Threat Detection

• Monitor privileged user activities
• Track data exfiltration attempts
• Detect unauthorized access patterns

2. Advanced Persistent Threats (APT)

• Identify lateral movement
• Detect persistence mechanisms
• Track command and control communications

3. Compliance Monitoring

• Continuous compliance validation
• Audit trail maintenance
• Policy violation detection

4. Incident Response

• Rapid threat containment
• Forensic data collection
• Timeline reconstruction

Conclusion

The Wazuh agent represents a comprehensive security monitoring solution for Linux environments, providing defense-in-depth through multiple detection layers. Its lightweight design, combined with powerful detection capabilities and automated response features, makes it an excellent choice for organizations seeking to enhance their security posture without significant resource overhead.

By deploying Wazuh agents across your Linux infrastructure, you gain:

• Real-time security visibility
• Automated threat response
• Compliance assurance
• Reduced mean time to detect and respond (MTTD/MTTR)

Whether protecting a single server or an entire data center, the Wazuh agent provides the foundation for a robust security monitoring program aligned with modern XDR principles.