How the new version of Wazuh 4.3 is more user-friendly?

Varul Arora
8 min readMay 23, 2022


Wazuh is a comprehensive open-source security platform. Wazuh supports Linux, Windows, macOS, Solaris, AIX, and HP-UX platforms. The new Wazuh version, Wazuh 4.3 has some major enhancements over the previous versions. With every new release, Wazuh becomes more capable, powerful, and user-friendly. That holds with this latest version also.

Figure 1 Wazuh 4.3

In addition to the Wazuh server, Wazuh 4.3 has two additional components: the Wazuh indexer and the Wazuh dashboard. Wazuh has always been at the forefront of the HIDS (Host Intrusion Detection Systems) platforms. Users can configure Wazuh to trigger active responses corresponding to an alert. Thus, Wazuh is also an efficient Intrusion Prevention System (IPS). With the introduction of the new components, Wazuh has become a unified SIEM (Security Information and Event Management) and XDR (eXtended Detection and Response) platform. Users do not need to deploy Elastic Stack, or Splunk with the Wazuh server 4.3 to get a complete SIEM solution. This ensures a better user experience.

Wazuh server

The Wazuh server performs various functions and has different components in it. The Wazuh server enrolls new agents in the host systems, establishes encrypted communication between the agent and the server, performs data analysis using decoders, triggers alerts when threats or anomalies are detected, and provides RESTful API service to interact with the Wazuh infrastructure. The Wazuh server has built-in rules and decoders to analyze the data from different sources. In version 4.3, the RESTful API uses multiple processes, and thereby the availability has been improved. The improved performance of API endpoints is inevitable for better performance in larger environments.

The Wazuh server can be scaled horizontally by deploying them as a multi-node clusters. In version 4.3, the Wazuh manager cluster uses multiple processes and this significantly improves the performance.

The Wazuh server also has Filebeat. Filebeat ships the events and logs to the Wazuh indexer.

Wazuh indexer

The Wazuh indexer is a search and analytics engine. The Wazuh indexer is an Opensearch distribution which is derived from Elasticsearch. This component indexes the data and stores the data as JSON documents. Wazuh uses four different indices namely wazuh-alerts, wazuh-archives, wazuh-monitoring, and wazuh-statistics.

The indexer has excellent search and analytical capabilities. As soon as a document is indexed, it becomes searchable. This near real-time search capability makes it an ideal engine for the centralized security monitoring of IT and OT infrastructure. Scalability and availability can be achieved by configuring the Wazuh indexer as a multi-node cluster. The documents are distributed across multiple shards and the shards are distributed across multiple nodes. This ensures high fault tolerance. The Wazuh documentation says that version 4.3 performs the cluster tasks 423% faster than the previous versions.

The indexer also has several plugins for Alerting, Anomaly detection, Index lifecycle management, etc.

Figure 2 Plugins

Users can write REST API requests to interact with the indexer (search for a document, add or delete a document, index modification, etc.)

Wazuh dashboard

The Wazuh dashboard is the web user interface for the Wazuh platform. This component is derived from Opensearch dashboards. The dashboard is used to manage the agent configuration and to monitor, mine, and analyze data from the agents.

Figure 3Wazuh agents

The Wazuh dashboard displays the security events and file integrity of the agents. Data related to various regulatory compliance standards like HIPPA, GDPR, PCI DSS, NIST 800–53, etc. can be effortlessly visualized from the dashboard. The SCA (Security Configuration Assessment) module runs configuration checks on the hosts and helps in system hardening.

Figure 4Agent data
Figure 5Security Events Dashboard of an agent

Wazuh provides MITRE attack correlation for various alerts. The Wazuh version 4.3 introduces a new Intelligence tab in the MITRE ATT&CK section. This provides users with details related to different Threat Groups, MITRE Tactics, Techniques, Mitigations, Software, etc. The Framework tab provides a knowledge base for users to understand the MITRE Tactics and Techniques and to correlate the alerts generated for their host systems to the attack models. In large enterprises, these enhancements make APT (Advanced Persistent Threat) detection and defense easier.

Figure 6 MITRE attack dashboard
Figure 7 MITRE Attack Intelligence
Figure 8 MITRE Attack Framework

The Vulnerabilities tab displays an alert when a vulnerability is detected on the agent after a scan. Users can configure to run the vulnerabilities scan on startup or after every fixed interval. The Vulnerabilities module in Wazuh 4.3 has many improved and user-friendly features. The Vulnerability detector maintains a vulnerability inventory. In addition to the vulnerability feeds from Canonical, Debian, Red Hat, Microsoft, and NVD; Wazuh 4.3 integrates the feeds from Arch Linux, and Amazon Linux (Amazon Linux Advisories Security) also. Each vulnerability displays CVE, CVS (S2 and S3) scores, and the time when the vulnerability was detected in the endpoint. These enhancements make threat detection and analysis easier. Users can easily identify if the endpoint has applications with unpatched CVE.

Figure 9 Vulnerabilities tab

The Wazuh dashboard includes an API Console. Users can interact with Wazuh API via this console. The Ruleset test is a very handy feature to test any custom decoders or rules created by the user.

The Management section of the dashboard provides a user interface to create custom rules and decoders for different kinds of host systems. Users can configure the Wazuh cluster and manage agent groups from this section.

Figure 10 Platform Management

The Discover section in the dashboard is very powerful. Users can easily filter the data based on numerous available fields. In addition to full-text search, DQL (OpenSearch Dashboards Query Language) can be used to filter data using queries. The search criteria can be saved for future use. The findings are presented in visualizations also. Users can create quick visualizations based on the available fields. Each document can be expanded and values for individual fields can be viewed. These features are helpful for the analysis of security events and the real-time monitoring of systems.

Figure 11 Discover
Figure 12 Expanded document — Discover
Figure 13 Visualize data — Discover

Users can also create custom visualizations and dashboards and generate reports. Reports can be easily generated based on the Visualizations, Dashboards, or saved search criteria. Users can create visualizations with a pie chart, horizontal bar, heat map, data table, etc. These dashboards often provide quick and valuable insights and help users make informed decisions.

Figure 14 Custom Dashboards
Figure 15 Report creation

New Agent integrations

Wazuh is a very good solution to monitor and enhance cloud security. An enhancement in the Wazuh 4.3 version is that agents can be configured to collect logs from Office 365 and GitHub. AWS S3 server Access logs, Google Cloud Storage buckets, and access logs are also supported in the new version. Wazuh manager provides rules and decoders to analyze these logs. This ultimately leads to more customers using Wazuh for centralized log monitoring. Wazuh is also used to monitor docker servers and container events.

Figure 16 Cloud Security Monitoring

Wazuh 4.3 installation

Wazuh provides users an installation assistant to install version 4.3. This makes any type of Wazuh installation (single-node or multi-node) very quick and easy. Users must configure the ‘config.yml’ file with the node names and IP addresses. Pre-built virtual machine image (OVA) and Amazon Machine Image (AMI) are also available. Users can also opt for Docker or Kubernetes installation of Wazuh.

Mac OS agent improvements

With this release, Wazuh has introduced several improvements for Mac agents. Wazuh now supports native macOS logs. Mac OS agent can be upgraded via WPK. Security configuration assessment (SCA) policies for Mac OS have been added.

Continued Support for Elastic Stack, Splunk, and Open Distro

The existing Wazuh users who use Wazuh with Elastic Stack, Splunk, or Open Distro Elasticsearch can still upgrade the Wazuh manager to 4.3. Wazuh 4.3 continues to support the above platforms. The Wazuh Kibana plugin supports several versions of Elastic Stack and Open Distro with Wazuh manager 4.3. Similarly, Wazuh manager 4.3 can be used with Splunk versions 8.1 and 8.2 using the Splunk App.

Easy integration

Like the previous versions, Wazuh 4.3 can be easily integrated with external software like Jira, and with NIDS (Network Intrusion Detection Systems) like Snort and Suricata. Wazuh can also connect to tools like VirusTotal. Wazuh’s capability to integrate with YARA (rules to detect malware by pattern matching) makes its active response mechanism very effective.

Wazuh protects 15+ million endpoints and has 100+ thousand enterprise users. Every year 10+ million Wazuh downloads happen. With the launch of Wazuh 4.3, the Wazuh user base will surely multiply. With the introduction of the Wazuh indexer and dashboard, Wazuh is now a more comprehensive solution. The new version of Wazuh is extremely scalable and flexible. Wazuh can be used for the protection of a single endpoint or of a large enterprise. The improvements in the Vulnerabilities and MITRE attack modules, support for more cloud platforms, and macOS improvements enrich the user experience and strengthen the threat detection capability. This completely free and open-source security platform is often superior to many proprietary solutions.



Varul Arora

CTIA | Love cybersecurity, completed MSc in Applied Cyber Security from Queen’s University Belfast. Twitter : @AroraVarul