Integrating Wazuh with Cloud Environments: AWS, Azure, and GCP

Varul Arora
9 min read · Jan 7, 2025


As more organisations adopt a multi-cloud strategy, their security tooling has to scale across, and monitor, environments such as AWS, Azure and GCP. Wazuh is an open-source security platform that unifies XDR and SIEM capabilities. This article walks through the commands and steps needed to configure Wazuh across all three cloud environments.

1. Overview of Wazuh in Cloud Integration

Beyond vulnerability detection, Wazuh aims to give organisations a single solution for monitoring multi-cloud environments such as AWS, Azure and GCP. The choice between agent-based and agentless collection lets each organisation pick the fit for its workloads and use cases, and that flexibility is what lets Wazuh cover a wide range of cloud services and workloads effectively.

1.1 Agent-Based Deployment for In-Depth Monitoring

Wazuh agents can be installed on cloud instances to collect detailed information from inside the workload in real time. This is appropriate where complete control and granularity over workloads are required, for example when monitoring a critical environment. The main advantages of an agent-based deployment are:

  • Granular Data Collection: On AWS EC2, Azure VMs and GCP Compute Engine alike, Wazuh agents monitor system files, network activity and application logs from inside the instance, giving deep visibility and more accurate threat detection.
  • File Integrity Monitoring (FIM): Agents track critical files and configuration changes, which helps identify unauthorised modification or tampering with resources in the cloud workload.
  • Custom Rule Application: Agents allow monitoring rules to be tailored to individual instances, for example to flag anomalous logins or unexpected changes to system settings.

Example Scenarios for Agent-Based Deployment

  • AWS EC2 Instances: Once Wazuh agents are deployed, system actions and security events are visible in full, which makes them a good fit for watching critical applications running on these instances.
  • Azure VMs: Agents capture OS-level logs, giving visibility into both application behaviour and signs of compromise.
  • GCP Compute Engine (GCE): Wazuh agents on GCE instances let organisations keep consistent watch over Google Cloud-hosted workloads, with activity reported live.

This approach is best for cloud environments that require deep and continuous monitoring, where granular insights into each resource are essential for maintaining security and compliance.

1.2 Agentless Monitoring for Scalability and Efficiency

For large-scale or highly distributed environments, or when monitoring services that cannot host an agent (serverless functions or PaaS services, for example), Wazuh offers agentless log collection. This method leverages the cloud-native logging services of AWS, Azure and GCP, so organisations can collect and analyse data without deploying agents on every instance. It scales monitoring across many services without the operational overhead of managing agents.

  • AWS CloudTrail and CloudWatch: Wazuh's AWS module pulls CloudTrail (and GuardDuty, VPC Flow, WAF and other) logs from the S3 buckets they are delivered to, and can also read CloudWatch Logs groups, using IAM credentials or an instance role; the data is then analysed on the Wazuh manager.
  • Azure Monitor and Azure Log Analytics: Wazuh's Azure module queries Log Analytics workspaces (and Azure storage accounts) for logs from VMs, databases and applications, centralising them without an agent on each service.
  • GCP Operations Suite (formerly Stackdriver): Wazuh's GCP module subscribes to Pub/Sub topics fed by Cloud Logging sinks, so events from services such as Cloud Run and App Engine, and the Cloud Audit Logs that record access and changes across the environment, reach the manager.

The agentless method is especially beneficial for managing compliance across distributed services and for organisations that need broad visibility without the overhead of managing agents on each cloud service.

1.3 Integration with Cloud-Native Security Services

Wazuh’s integration capabilities extend beyond just monitoring; it can directly interface with each cloud provider’s native security tools to enhance its threat detection and compliance management capabilities:

  • AWS Security Services: Wazuh's AWS module reads GuardDuty and Macie findings exported to S3 and correlates them with other events, giving a centralised view of threats and data-protection findings across AWS.
  • Azure Security Center (ASC), now Microsoft Defender for Cloud: by exporting its alerts and recommendations to a Log Analytics workspace that Wazuh queries, organisations can correlate them with logs from other sources and drive automated responses from them.
  • GCP Security Command Center (SCC): SCC findings can be continuously exported to a Pub/Sub topic that Wazuh consumes, enabling a unified view of the security and compliance state of Google Cloud assets.

1.4 Unified Monitoring, Compliance, and Threat Management

The combination of agent-based and agentless methods provides Wazuh with a flexible and scalable approach to cloud monitoring. By supporting both methods, Wazuh enables organisations to choose the appropriate strategy based on the specific needs of their workloads and cloud architecture:

  • Centralised Dashboard: The Wazuh dashboard aggregates and visualises data from both agent-based and agentless sources, providing a single interface for security events, compliance reports and log analysis.
  • Automated Compliance Management: Wazuh's built-in compliance mapping and Security Configuration Assessment (SCA) checks automate auditing against frameworks such as PCI DSS, HIPAA and GDPR, continuously reporting compliance status across cloud environments.
  • Custom Rule Development and Incident Response: Users can write rules specific to each cloud environment for tailored detection. Wazuh's active response can, for example, block an IP address or run a script when predefined conditions are met, reducing response times and improving the effectiveness of security operations.

By combining agent and agentless methods with cloud-native integrations, Wazuh offers a comprehensive solution that adapts to the unique demands of multi-cloud environments, ensuring consistent security management, threat detection, and compliance monitoring across diverse cloud platforms.

2. Setting Up Wazuh on AWS

AWS offers various services that Wazuh can monitor. Below are detailed steps and commands to deploy Wazuh and optimize its functionality in AWS.

2.1 Deploying the Wazuh Manager on AWS EC2

  • Step 1: Launch an EC2 Instance
    Choose an Ubuntu AMI (the commands below use apt; on Amazon Linux use yum/dnf and the ec2-user account instead) with at least 4 GB RAM and 2 vCPUs. SSH into the instance:
ssh -i "your-key.pem" ubuntu@ec2-XX-XXX-XXX.compute.amazonaws.com
  • Step 2: Install and Configure the Wazuh Manager
    Install the dependencies:
sudo apt update && sudo apt install curl gnupg apt-transport-https -y
  • Add the Wazuh signing key and repository (signed-by scopes the key to this repository; apt-key is deprecated):
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update
sudo apt install wazuh-manager -y
  • Start the Wazuh manager:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager
  • Step 3: Security Group Configuration
    In the AWS console, open the instance's security group and allow inbound TCP 1514 (agent events) and TCP 1515 (agent enrolment) from the agents' source ranges only. The Wazuh API on TCP 55000 and the dashboard on TCP 443 should be reachable only from administrator networks, never from 0.0.0.0/0.
  • Step 4: Indexer and Dashboard Setup (Optional)
    Wazuh 4.x ships its own indexer (an OpenSearch fork) and dashboard, and the Wazuh installation assistant (wazuh-install.sh) deploys them with TLS and credentials; that is the supported path for a new deployment. If you run an existing Elasticsearch/Kibana stack instead, install the packages under their real names (sudo apt install elasticsearch kibana) and bind Elasticsearch to the instance's private address rather than 0.0.0.0: an indexer listening on every interface without authentication exposes every collected security event.
  • Update the Elasticsearch configuration (/etc/elasticsearch/elasticsearch.yml) so the Wazuh manager can reach it, for example network.host: 10.0.1.20 (the instance's private IP; the address here is an assumption).
  • Restart the services: sudo systemctl restart elasticsearch kibana

2.2 Integrating AWS Services

  • Integrating with CloudTrail Logs
    Configure CloudTrail to deliver logs to an S3 bucket. Wazuh's built-in AWS module can poll that bucket directly (a <wodle name="aws-s3"> block in ossec.conf with a cloudtrail bucket type and an IAM role or credentials allowing s3:GetObject and s3:ListBucket), which is the usual path. Where you need to pre-process or route events yourself, an S3 event notification can trigger a Lambda function that reads each delivered object and forwards its records to Wazuh:
import gzip
import json
import boto3

def lambda_handler(event, context):
    s3 = boto3.client('s3')
    for record in event['Records']:  # one entry per S3 object-created notification
        bucket = record['s3']['bucket']['name']
        key = record['s3']['object']['key']
        body = s3.get_object(Bucket=bucket, Key=key)['Body'].read()
        trail = json.loads(gzip.decompress(body))  # CloudTrail delivers gzip-compressed JSON
        for entry in trail.get('Records', []):
            pass  # forward each CloudTrail record to the Wazuh manager here (for example over syslog)
  • Setting Up AWS Config Integration
    AWS Config records resource configuration changes and evaluates them against compliance rules. Its snapshots and history can be delivered to an S3 bucket that the same Wazuh AWS module reads (config bucket type), or rule evaluations can be sent to CloudWatch and forwarded to Wazuh with a Lambda function as above.

2.3 Advanced EC2 Agent Deployment

  • Automate Agent Deployment Using Ansible
    Create an Ansible playbook to deploy Wazuh agents on multiple EC2 instances. The Wazuh apt repository and signing key are assumed to be configured on the targets as in section 2.1, and aws_ec2 is the group provided by the aws_ec2 dynamic inventory plugin:
- hosts: aws_ec2
  become: yes
  vars:
    wazuh_manager: "MANAGER_ADDRESS"   # placeholder: the address agents enrol to
  tasks:
    - name: Install Wazuh agent
      ansible.builtin.apt:
        name: wazuh-agent
        state: present
        update_cache: yes
      environment:
        WAZUH_MANAGER: "{{ wazuh_manager }}"   # read by the package at install time
    - name: Configure Wazuh agent
      ansible.builtin.template:
        src: templates/ossec.conf.j2
        dest: /var/ossec/etc/ossec.conf
      notify: restart wazuh-agent
    - name: Start and enable Wazuh agent
      ansible.builtin.service:
        name: wazuh-agent
        state: started
        enabled: yes
  handlers:
    - name: restart wazuh-agent
      ansible.builtin.service:
        name: wazuh-agent
        state: restarted

3. Integrating Wazuh with Microsoft Azure

Azure’s capabilities allow Wazuh to monitor a wide array of services effectively. Below are detailed steps and commands to configure Wazuh for Azure environments.

3.1 Deploying the Wazuh Manager in Azure

  • Step 1: Create an Ubuntu VM
    Deploy an Ubuntu VM in Azure, open its network security group for TCP 1514 and 1515 from your agents only, SSH in and follow the manager installation steps from the AWS section.
  • Step 2: Enable Load Balancer
    For scale, run several Wazuh manager nodes as a cluster (one master and one or more workers) and place an Azure Load Balancer in front of the worker nodes so agent connections are spread across them.

3.2 Monitoring Azure Services

  • Azure Monitor Integration
    Wazuh's built-in Azure module queries Log Analytics workspaces and storage accounts directly and is the first choice. For sources you stream through Azure Event Hubs with Azure Monitor diagnostic settings, a small consumer can read the hub and hand the records to Wazuh:
  1. Create an Event Hubs namespace and hub, and add a diagnostic setting that streams the Activity Log or resource logs to it.
  2. Run a Python consumer (azure-eventhub package) on a VM that also carries a Wazuh agent:
from azure.eventhub import EventHubConsumerClient

def on_event(partition_context, event):
    print(event.body_as_str())  # an Azure Monitor batch {"records": [...]}; hand each record to Wazuh here
    partition_context.update_checkpoint(event)

client = EventHubConsumerClient.from_connection_string("CONNECTION_STRING", consumer_group="$Default", eventhub_name="EVENT_HUB_NAME")
client.receive(on_event=on_event, starting_position="-1")  # "-1": from the start of each partition; blocks until stopped
  • Deploying Agents Using Azure CLI
    Install agents on Azure VMs with az vm run-command, which runs the script as root on the VM; replace MANAGER_IP with your manager's address:
az vm run-command invoke --command-id RunShellScript --name MyVM --resource-group MyResourceGroup --scripts \
  "curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg" \
  "echo 'deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main' > /etc/apt/sources.list.d/wazuh.list" \
  "apt-get update && WAZUH_MANAGER='MANAGER_IP' apt-get install -y wazuh-agent" \
  "systemctl daemon-reload && systemctl enable --now wazuh-agent"

4. Monitoring Google Cloud Platform (GCP) with Wazuh

Integrating Wazuh with GCP allows detailed monitoring of GCP services, providing centralised log management and real-time alerting.

4.1 Deploying the Wazuh Manager on GCP

Deploy a Wazuh manager on a GCE instance using Debian, then allow TCP 1514 and 1515 from your agents with a VPC firewall rule:

gcloud compute instances create wazuh-manager --zone us-central1-a --machine-type e2-medium --image-family debian-11 --image-project debian-cloud

4.2 GCP Log Integration

  • Using Pub/Sub for Log Forwarding
    Create a Cloud Logging sink that routes the logs you want (Cloud Audit Logs, for example) to a Pub/Sub topic with a subscription. Wazuh's built-in gcp-pubsub module can pull from that subscription directly with a service account key; the script below is the equivalent custom subscriber for cases where you want to pre-process messages before they reach Wazuh:
from google.cloud import pubsub_v1

def callback(message):
    print(f"Received message: {message.data!r}")  # a Cloud Logging LogEntry as JSON bytes; hand it to Wazuh here
    message.ack()  # ack only after handing off, otherwise the entry is lost

subscriber = pubsub_v1.SubscriberClient()
path = subscriber.subscription_path("PROJECT_ID", "SUBSCRIPTION_ID")  # placeholders
subscriber.subscribe(path, callback=callback).result()  # blocks while the streaming pull runs
  • GCP Kubernetes Monitoring
    Deploy Wazuh agents as a DaemonSet in GKE clusters so one agent runs on every node. The image must be one you build or have vetted; pin its tag or digest rather than running :latest:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: wazuh-agent
spec:
  selector:
    matchLabels:
      name: wazuh-agent
  template:
    metadata:
      labels:
        name: wazuh-agent
    spec:
      hostPID: true   # let the agent see the node's processes, not only the container's
      containers:
        - name: wazuh-agent
          image: wazuh/wazuh-agent:PINNED_TAG   # pin a tag or digest you have vetted; never :latest
          env:
            - name: WAZUH_MANAGER_IP   # variable name depends on the image you build or use
              value: "YOUR_MANAGER_IP"
          volumeMounts:
            - name: varlog
              mountPath: /host/var/log   # node logs, read-only, for the agent's localfile collectors
              readOnly: true
      volumes:
        - name: varlog
          hostPath:
            path: /var/log
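Both custom collectors above, the Event Hubs consumer in section 3.2 and the Pub/Sub subscriber in section 4.2, end at the same open step: "hand the record to Wazuh". The following added example (not code from the article or from the Wazuh project) shows one way to close it: unbatch the provider payloads and append them as one JSON object per line to a file that a Wazuh agent tails with a <localfile> whose <log_format> is json. Azure Monitor delivers Event Hub events as a {"records": [...]} batch, while each Pub/Sub message carries a single LogEntry, so both shapes are handled. The payloads are constructed samples, and the output path and the localfile configuration it implies are assumptions for this example.

```python
"""Unbatching cloud log payloads into one-JSON-object-per-line files that a Wazuh agent can tail.

Added example, not code from the article or the Wazuh project. Wazuh's `json` localfile format needs
exactly one JSON object per line, so the batched Azure shape and the single GCP LogEntry are both
flattened to that form. AZURE_BATCH and GCP_ENTRY are constructed samples.
"""
import json
import os
from typing import Iterable

# Constructed Azure Monitor Event Hub body (Activity Log export): a batch of records.
AZURE_BATCH = json.dumps({"records": [
    {"time": "2025-01-07T10:00:00Z", "category": "Administrative",
     "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "resultType": "Success",
     "callerIpAddress": "203.0.113.7", "identity": {"claims": {"name": "alice@example.com"}}},
    {"time": "2025-01-07T10:01:00Z", "category": "Administrative",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/READ", "resultType": "Success",
     "callerIpAddress": "198.51.100.4"},
]}).encode("utf-8")

# Constructed Pub/Sub message data: a single Cloud Audit Logs LogEntry.
GCP_ENTRY = json.dumps({
    "timestamp": "2025-01-07T10:02:00Z", "severity": "NOTICE",
    "logName": "projects/demo/logs/cloudaudit.googleapis.com%2Factivity",
    "protoPayload": {"methodName": "SetIamPolicy",
                     "authenticationInfo": {"principalEmail": "bob@example.com"},
                     "requestMetadata": {"callerIp": "203.0.113.7"}},
}).encode("utf-8")


def unbatch(payload: bytes) -> list:
    """Return individual records from either shape: a {"records": [...]} batch, a bare array, or one object."""
    doc = json.loads(payload)
    if isinstance(doc, dict) and isinstance(doc.get("records"), list):
        return [r for r in doc["records"] if isinstance(r, dict)]
    if isinstance(doc, list):  # some exporters send a bare array of records
        return [r for r in doc if isinstance(r, dict)]
    return [doc]


def to_wazuh_line(record: dict, source: str) -> str:
    """One compact JSON object per line; `source` gives Wazuh rules a stable field to match on."""
    wrapped = {"integration": source, **record}
    # ensure_ascii escapes non-ASCII and control characters, so the line can never contain a raw newline
    return json.dumps(wrapped, ensure_ascii=True, separators=(",", ":"))


def append_lines(path: str, lines: Iterable[str]) -> int:
    """Append with O_APPEND so each write lands at the current end of file and two collectors
    writing the same file cannot overwrite each other's lines; returns bytes written."""
    data = "".join(line + "\n" for line in lines).encode("utf-8")
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o640)
    try:
        return os.write(fd, data)
    finally:
        os.close(fd)


def forward(payload: bytes, source: str, path: str) -> int:
    """Unbatch a cloud payload and append its records to the file the Wazuh agent monitors; returns record count."""
    lines = [to_wazuh_line(r, source) for r in unbatch(payload)]
    append_lines(path, lines)
    return len(lines)


if __name__ == "__main__":
    # Assumed agent configuration: <localfile><log_format>json</log_format>
    #   <location>/var/log/cloud-events/events.json</location></localfile>
    out = "/tmp/cloud-events.json"
    print(forward(AZURE_BATCH, "azure-eventhub", out), "Azure records written")
    print(forward(GCP_ENTRY, "gcp-pubsub", out), "GCP record written")
```

Calling `forward` from the `on_event` and `callback` functions of the two collectors, before the checkpoint or ack, is what makes the hand-off at-least-once: a crash between the write and the ack only produces a duplicate line, never a lost event. The `integration` field is what a custom Wazuh rule would key on to keep Azure and GCP detections apart.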

5. Best Practices for Multi-Cloud Security with Wazuh

  • Implement Centralised Monitoring
    Use the Wazuh dashboard (or Kibana with the Wazuh plugin on an Elastic-based stack) for a unified view across AWS, Azure and GCP, with a dashboard per environment to visualise its alerts and incidents.
  • Use Automation Tools
    Automate compliance checks and threat responses with scripting and Wazuh's built-in modules (SCA, vulnerability detection, active response). Use cron jobs for recurring tasks such as ruleset updates.
  • Configure Data Retention Policies
    Keep storage under control with an index lifecycle policy. On Elasticsearch use ILM as below; the delete phase needs a min_age, otherwise indices are deleted as soon as they roll over. If security is enabled on the cluster (as it should be) add -u with the indexer credentials and use https. On the Wazuh indexer (OpenSearch) the equivalent is an ISM policy at /_plugins/_ism/policies/:
curl -X PUT "localhost:9200/_ilm/policy/wazuh_policy" -H 'Content-Type: application/json' -d'
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_size": "50gb",
            "max_age": "30d"
          }
        }
      },
      "delete": {
        "min_age": "90d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}'

6. Conclusion

Integrating Wazuh with AWS, Azure, and GCP provides a comprehensive, scalable, and efficient security solution for multi-cloud environments. By deploying Wazuh across these platforms, organisations can achieve a unified security posture that covers diverse workloads and services, ensuring consistent monitoring, threat detection, and compliance management.

Benefits of Using Wazuh in Multi-Cloud Environments

  1. Unified Visibility and Centralised Management
    Wazuh’s ability to integrate with multiple cloud providers allows organisations to have a centralised view of their entire infrastructure, regardless of the cloud service being used. This centralised approach simplifies the management of security incidents, compliance auditing, and monitoring, all from a single dashboard, reducing the complexity and costs associated with multi-cloud security.
  2. Scalability and Flexibility
    Wazuh is designed to scale efficiently, making it suitable for small deployments as well as large enterprise infrastructures. Organisations can easily deploy Wazuh agents across hundreds or even thousands of cloud instances using automation tools like Ansible or Azure CLI. Furthermore, its compatibility with Kubernetes allows it to monitor containerized workloads dynamically, ensuring that security expands in tandem with growing infrastructure.
  3. Cost-Effective Security Solution
    As an open-source platform, Wazuh eliminates licensing costs associated with traditional SIEM and XDR solutions. This is particularly beneficial for small and medium-sized enterprises (SMEs) that need robust security without incurring significant expenses. Additionally, Wazuh’s integration with cloud-native services leverages the existing infrastructure, further optimizing costs.
  4. Automated Compliance and Auditing
    Wazuh supports compliance frameworks such as PCI-DSS, HIPAA, and GDPR, providing built-in modules and automated auditing capabilities. This helps organisations continuously verify and demonstrate compliance across all cloud environments, reducing the effort required for manual auditing and minimizing the risk of non-compliance penalties.
  5. Real-Time Threat Detection and Incident Response
    Wazuh’s integration with cloud-native services like AWS GuardDuty, Microsoft Defender for Cloud (formerly Azure Security Center) and GCP Security Command Center enhances its ability to detect threats in near real time. With prompt alerts and active response, Wazuh enables organisations to mitigate threats quickly, reducing the potential damage from security incidents.
  6. Extensive Customization and Integration Capabilities
    Wazuh offers extensive customization options, allowing organisations to tailor alert rules, integrate third-party threat intelligence feeds, and automate response actions using custom scripts. It also supports integration with other security tools such as Elastic Stack for advanced log analysis and visualization, making it a versatile and adaptable component of any security architecture.
  7. Strong Community Support and Documentation
    As an open-source solution, Wazuh benefits from a strong and active community. Users have access to extensive documentation, forums and guides that support both basic and advanced use cases. This community-driven approach ensures continuous development and improvement of the platform, providing users with the latest features and enhancements.

By implementing Wazuh following the steps and best practices outlined, organisations can build a robust, scalable, and cost-effective security framework that maximizes the benefits of multi-cloud deployments. With its unified visibility, scalability, and real-time threat detection capabilities, Wazuh stands as a powerful tool for any organisation looking to secure its cloud infrastructure effectively.


Written by Varul Arora

CTIA | Love cybersecurity, completed MSc in Applied Cyber Security from Queen’s University Belfast. Twitter : @AroraVarul
