Wazuh – open-source Security Platform

(wazuh.com)

74 points | by LorenDB 3 days ago

33 comments

  • stevenAthompson 2 minutes ago

    When I see a project of this complexity advertise itself as "open source" these days my first thought is the rug pull. Will this STAY free, or turn into an eventual cash grab once it's insinuated itself so deeply into your environment that it would be hard to replace?

  • krunck 2 hours ago

    This is built upon OSSEC[1]. While it works ok, with Elastic underneath it's far too much maintenance for my 30 servers.

    [1] - https://www.ossec.net/

    • ArnoVW 2 hours ago

      There is a hosted offering https://wazuh.com/cloud

      I run an in-house deployment using the Docker conf they supply. It requires a couple of hours per month and mainly a lot of disparate skills.

      The real thing that takes time is the installation and configuration of the rules and agents. That’s something that you have to do for any SIEM really, irrespective of open source / paid: you have to understand your nominal feed and that takes time.

    • yabones 2 hours ago

      Sadly OSSEC is largely abandoned. Back in the day it was very good for a lightweight and effective security system for those that didn't want to install full-blown antivirus on everything. I wish they would donate the project to Linux Foundation or CNCF, but it seems destined for decline.

  • cyberpunk 5 hours ago

    Spoiler alert: agent based. Ran it before, was a maint burden of the first order.

    • deskr 4 hours ago

      It's not exactly the surprise of the century that running your own services, let alone a security platform, requires maintenance.

      What was it specifically that made it a "maint burden of the first order?"

      • JediPig an hour ago

        I have first hand experience with this product for over 2 years. It is a PITA from a SRE/Devops Security point of view. Things constantly break, the indexes, emailing reports, just general bit rot. The source code is at best a good first attempt, but sorely lacking.

        I have built 2 SIEMs from the ground up.

    • thesuitonym 3 hours ago

      I know of no similar package that isn't agent based, at least when it comes to endpoints. I'd be happy to hear an alternative, though.

    • ArnoVW 2 hours ago

      There is an agentless option that just requires ssh access. Not something I’d prefer from a security point of view, but it’s possible.

    • lfkdev 2 hours ago

      Agent based is not really a big burden, most monitoring systems work like this (Prometheus). Companies use Ansible etc.

    • rafaelalb 5 hours ago

      Why was it a burden?

    • heraldgeezer 3 hours ago

      Did you think it was set and forget? There is a reason companies have entire SOC teams only looking at EDR and SIEM.

      What SIEM did you move to that was less of a burden?

  • arnejenssen 5 hours ago

    It is mind-blowing that such a good SIEM (Security information and event management) software can be free.

    • alias_neo 3 hours ago

      I'd like to give you a virtual cookie, for being the only person in the comments so far to spell out what SIEM stands for.

      I appreciate you.

      • EatFlamingDeath 3 hours ago

        Seriously, this is getting out of hand in the cybersecurity space. SAST, DAST, SBOM, WAF, SOAR, TPRM, NGFW, MSSP...

        • conception 2 hours ago

          I noticed that in ‘22 there was a solid shift from three letter acronyms to four. Madness.

  • ThinkBeat 2 hours ago

    I am not familiar with the term.

    "Universal agent" is some form of antivirus, ransomware software like ESET, or McAfee?

    Or does the universal agent listen to "endpoint security", somebody else's antivirus that reports what it finds up the chain?

    And the next step is that the data gets to the server, is parsed, stored etc and present on a nice gui?

    "Someone probed computer3 with a known exploit at (somedatetime)"?

    • stevenAthompson 4 minutes ago

      They're implying that you have a single agent which does the EDR (antivirus) and SIEM (logging) functionality instead of two separate agents. This is becoming more commonplace throughout the security industry as multiple agents can be burdensome from both a security and maintenance perspective.

    • lfkdev 2 hours ago

      As far as I know it's just a node exporter, similar to Prometheus node-exporter

  • bigblackrooster an hour ago

    What is the good alternative to this? McAfee? AVAST? Kaspersky?

  • jaderobbins1 3 hours ago

    Can some folks in the cybersecurity arena recommend some good email newsletters, websites, blogs, accounts, etc to follow to keep up in the space?

  • lousken 6 hours ago

    Building on top of elastic was an easy win. However, SCAs need a lot more love. Some of them are wrong/outdated, while many are missing.

  • pphysch 38 minutes ago

    What net benefits does a full blown "SIEM" add over a simple log database w/ alerting support?

  • lionkor 6 hours ago

    > Unified XDR and SIEM protection for endpoints and cloud workloads

    Guess IDC ABT this. Jokes aside, read the page, still don't know if I care about this or need it...

    • amne 5 hours ago

      TIL that SIEM, SCA, XDR (and more?) exist. Now to go and find out what they actually mean (and please don't point out that SIEM is already explained on their page).

      Clearly parent could have phrased it more explicitly that he knows nothing about this field. But I also see downvoting him as a form of gatekeeping.