Understanding Wazuh Architecture

Urvesh Thakkar
May 15, 2023


Welcome to my second article in the Wazuh SIEM series. In my previous post, I introduced you to Wazuh, an open-source Security Information and Event Management (SIEM) solution.

Today, I will delve deeper into the structure of Wazuh, exploring its architecture and integral components. I aim to make this article highly informative, yet easy to comprehend, even if you’re a beginner. So, let’s get started!

Wazuh’s architecture is adaptable, scalable, and cross-platform, making it a good fit for businesses of all sizes. The architecture consists of the Wazuh server, the Elastic Stack, and the Wazuh agents.

1. Wazuh Server — The Wazuh server is crucial to the design: it analyzes and correlates the data collected by the Wazuh agents. The server is responsible for many tasks, such as:

  • Log analysis: analyzing and standardizing log data from multiple sources.
  • File Integrity Monitoring (FIM): monitoring for file system changes.
  • Rootkit detection: looking for unusual behavior in the system, such as the presence of hidden processes or libraries.

2. Elastic Stack — When it comes to indexing, storing, and visualizing data, Wazuh relies heavily on Elastic Stack (formerly known as ELK Stack: Elasticsearch, Logstash, and Kibana).

  • Elasticsearch is a robust database management system (DBMS) and search and analytics engine (SAS).
  • Logstash processes alerts and events before sending them on to Elasticsearch.
  • Kibana is an application for viewing and interacting with indexed data, and it has a user-friendly interface.

3. Wazuh Agents — Wazuh agents are small, lightweight software packages that get installed on the devices being monitored. Log information is gathered, examined, and sent on to the Wazuh server. The agents are compatible with Windows, Linux, and macOS, among others.

The Wazuh architecture features an ongoing workflow:

  • Collection — Wazuh agents collect system and application logs, file integrity data, and more from the monitored endpoints.
  • Analysis — The gathered information is sent to the Wazuh server, where log analysis, integrity checking, and rootkit detection are performed.
  • Forwarding — After processing, the data is sent to Logstash, where it is further enhanced before being stored in Elasticsearch.
  • Visualization — Kibana is then used to view the stored data, making it simple for users to perform tasks like exploring, analyzing, and reporting on their data.
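
To make the Collection step concrete, here is an added example (not from the original article or the Wazuh project) of a minimal agent-side `ossec.conf` that names the server the agent reports to and enables the three data sources behind the server tasks listed earlier: log collection, FIM, and rootkit checks. The server address `192.0.2.10`, the log file, and the monitored directories are placeholder assumptions; adjust them to your environment.

```xml
<!-- Agent-side ossec.conf (illustrative; values below are assumptions) -->
<ossec_config>

  <!-- Where collected data is sent: the Wazuh server -->
  <client>
    <server>
      <address>192.0.2.10</address>  <!-- placeholder server address -->
      <port>1514</port>              <!-- default agent connection port -->
      <protocol>tcp</protocol>
    </server>
  </client>

  <!-- Log collection: feeds log analysis on the server -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>  <!-- example log source -->
  </localfile>

  <!-- File Integrity Monitoring (FIM) -->
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>  <!-- full scan every 12 hours -->
    <!-- realtime reports changes as they happen instead of waiting for a scan -->
    <directories check_all="yes" realtime="yes">/etc</directories>
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
  </syscheck>

  <!-- Rootkit detection: hidden processes, files, and ports -->
  <rootcheck>
    <disabled>no</disabled>
    <check_pids>yes</check_pids>    <!-- processes hidden from ps -->
    <check_files>yes</check_files>  <!-- known rootkit file signatures -->
    <check_ports>yes</check_ports>  <!-- ports hidden from netstat -->
    <frequency>43200</frequency>
  </rootcheck>

</ossec_config>
```

The agent only gathers and forwards this data; matching it against rules and raising alerts happens on the Wazuh server, in the Analysis step.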

To sum up, getting a handle on Wazuh SIEM’s architecture is essential for making the most of the platform. My next piece will focus on installing and getting started with Wazuh. Hold tight!