I run an in-house deployment using the Docker conf they supply. It requires a couple of hours per month and mainly a lot of disparate skills.
The real thing that takes time is the installation and configuration of the rules and agents. That’s something that you have to do for any SIEM really, irrespective of open source / paid: you have to understand your nominal feed and that takes time.
Sadly OSSEC is largely abandoned. Back in the day it was very good for a lightweight and effective security system for those that didn't want to install full-blown antivirus on everything. I wish they would donate the project to Linux Foundation or CNCF, but it seems destined for decline.
It would be great to be able to use VictoriaLogs underneath instead of Elasticsearch. This would simplify the configuration and maintenance, since VictoriaLogs works optimally with default configs on any hardware. This will also help reducing hardware costs for large amounts of stored security logs, since VictoriaLogs usually needs up to 30x less RAM and up to 15x less disk space than Elasticsearch for the same amounts of logs. See https://itnext.io/how-do-open-source-solutions-for-logs-work... for details.
Kicked the tires on it, but the agent requirement was a no-go for me. Coming from Enterprise Infrastructure, mandating Yet Another Agent is already knocking your product down several grades versus those leveraging OpenTelemetry or standardized collectors and forwarders.
An agentless Nessus scan (man, I miss Nessus) gets you 90% of the way there for all but the most security-conscious organizations, and its agent is honestly kind of light and simple if I have to install it.
Wazuh does much more than Nessus, for instance you can instruct the agent to temporarily drop networking if you identify a compromised machine. Agentless scans will do nothing of the like.
I appreciate the different feature sets, but there's almost always another endpoint agent you can build that behavior onto/through in the modern enterprise. Posture control isn't exactly a unique feature, and my original opinion still stands: between CrowdStrike, Tanium, SentinelOne, Defender, AirWatch, New Relic, and OpenTelemetry, I've seen a web of similar-ish feature sets with agents alone consuming upwards of 10% of the machine's CPU power just in the background.
What's worse, Wazuh doesn't even fully replace any of those above agents, meaning it has to be yet another complimentary agent on the machine. No thanks, when New Relic + OpenTelemetry can feed me all of the machine's logs and monitoring statistics, while a competent ITAM/ITSM can alert on out-of-bounds posture and trigger network or Identity systems to shutdown access. Hell, I'm old enough to remember when basic log forwarding and SNMP traps were all that was needed to effectively monitor machines, before developers and vendors began locking stuff up behind new APIs or services they could monetize better.
Don't get me wrong, I want Wazuh to succeed because nobody should have to shell out thousands of dollars a month for basic security posturing and monitoring; right now though, Wazuh ain't it.
I have first hand experience with this product for over 2 years. It is a PITA from a SRE/Devops Security point of view. Things constantly break, the indexes, emailing reports, just general bit rot. The source code is at best a good first attempt, but sorely lacking.
I used their docker based installation. Upgraded it a couple of times, takes me 1h each time (mostly because I am more of a PHB and not a devops)
Never had a single issue with indexes, though we only ingest 500k+ events per day for ~endpoints.
Don’t use email but notifications by Slack. Never had it fail in one year.
Honestly, I almost feel bad for the amount of value I’m getting for free. So I’m happy to give back: made an integration that recovers all Google Workdspace events (https://github.com/avanwouwe/wazuh-gworkspace) if anyone’s using Wazuh? I also plan on publishing my Chrome extension integration (behavioral analysis and malware and shadow it detection) in a couple of days!
TIL that SIEM, SCA, XDR (and more?) exist. Now to go and find out what they actually mean (and please don't point out that SIEM is already explained on their page).
Clearly parent could have phrased it more explicitly that he knows nothing about this field. But I also see downvoting him as a form of gatekeeping.
They're implying that you have a single agent which does the EDR (antivirus) and SIEM (logging) functionality instead of two separate agents. This is becoming more commonplace throughout the security industry as multiple agents can be burdensome from both a security and maintenance perspective.
I haven't used it, and can't speak to it being "top notch", but they're advertising it as a fully fledged endpoint product that even includes some things like FIM (File integrity Monitoring), which are usually only available as expensive add-ons or additional modules with traditional security products like McAfee.
If it were me, I would compare and contrast it's features and support with commercial offerings and see which one you feel the most comfortable with. There's a lot at stake when it comes to security. It's probably best not to let your decisions be 100% about up-front cost.
Some mailing lists at [1], like oss-security & kernel-hardening. CISA (Cybersecurity and Infrastructure Security Agency) [2] has a few different areas they report on. Mozilla has the dev-security-policy mailing list for all things PKI (public key infrastructure) [3], and a few other lists as well. There's the Full Disclosure [4] mailing list for vulnerabilities/exploits, etc. Quite a few others at [5], though sadly many are no longer active.
You have different areas of security. Sadly our space is full of grifters and wanna be security "experts". For a very technical security podcast I recommend Critical Thinking Bug Bounty [1].
When I see a project of this complexity advertise itself as "open source' these days my first thought is the rug pull. Will this STAY free, or turn into an eventual cash grab one it's insinuated itself so deeply into your environment that it would be hard to replace?
Well your other choice is you pay for a non open source SIEM that's $10 per endpoint per month and cross your fingers that they don't do a rugpull and start charging you $20 after it's insinuated itself into your environment is hard to replace..
With an Open Source project you at least have the possibility that if it has enough users and companies using it then someone will fork the code if the company ever makes it closed source and keep the project going.
My first thought isn't the "rug pull" but rather that the real product being produced by the "FOSS company", from the get go, are the expensive support contracts.
Two different business models:
- Sell a great+differentiated product, support is ~free and rarely needed
- Give a away a terrible product (usually an over-engineered CRUD), constant $upport is required to use it effectively
[1] - https://www.ossec.net/