oam/knowledge base/wazuh/README.md
2024-05-24 17:56:25 +02:00
# Wazuh

Open source security platform.<br/>
Provides unified XDR and SIEM protection for endpoints and cloud workloads.

1. [Components](#components)
1. [Indexer](#indexer)
1. [Server](#server)
1. [Dashboard](#dashboard)
1. [Agent](#agent)
1. [Further readings](#further-readings)
1. [Sources](#sources)

## Components

| Component | Type | Description |
| --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Indexer | Central | Full-text search and analytics engine.<br/>Indexes and stores alerts generated by the server. |
| Server | Central | Analyzes data received from the agents.<br/>Can be set up as a cluster.<br/>Manages the agents. |
| Dashboard | Central | Web UI for data visualization and analysis.<br/>Used to configure and monitor Wazuh. |
| Agent | Endpoint | Installed on monitored endpoints (e.g. laptops, servers, cloud instances, virtual machines).<br/>Used for threat prevention, detection, and response. |

Wazuh can also monitor agent-less devices (e.g. firewalls, switches, routers) via Syslog, SSH or APIs.

![components and data flow](components%20and%20data%20flow.png)

### Indexer

Stores data as JSON documents.

_Indexes_ are collections of documents related to each other.<br/>
The stored documents are distributed across multiple different _shards_.<br/>
Shards are distributed across multiple nodes for redundancy.

Different indices store different event types:

| Index | Content | Notes |
| ------------------ | -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| `wazuh-alerts` | Alerts generated by the server | Created each time an event trips a rule with a high enough priority. |
| `wazuh-archives` | Events received by the server | Created whether or not events trip a rule. |
| `wazuh-monitoring` | Data related to the agents' status over time | Used by the web interface to show when individual agents are or have been _active_, _disconnected_, or _never connected_. |
| `wazuh-statistics` | Data related to the server's performance | Used by the web interface to show performance statistics. |

One can interact with the indexer cluster using its REST API.
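As an added example (not part of this knowledge base or the Wazuh project), a small Python client that builds a search query for the `wazuh-alerts` index and summarises the returned hits by rule and agent. The host, credentials, CA file and the sample documents are constructed; the field names (`rule.level`, `rule.id`, `agent.name`, `timestamp`) follow the layout of Wazuh alert documents, and the index pattern `wazuh-alerts-*` matches the dated per-day indices.

```python
import json
import ssl
import urllib.request
from base64 import b64encode
from collections import Counter

# Constructed sample response, shaped like hits from the wazuh-alerts index (subset of fields).
SAMPLE_RESPONSE = {"hits": {"total": {"value": 3}, "hits": [
    {"_source": {"timestamp": "2024-05-24T15:00:01.000+0000", "agent": {"id": "001", "name": "web-01"},
                 "rule": {"id": "5710", "level": 5, "description": "sshd: Attempt to login using a non-existent user"}}},
    {"_source": {"timestamp": "2024-05-24T15:00:07.000+0000", "agent": {"id": "001", "name": "web-01"},
                 "rule": {"id": "5710", "level": 5, "description": "sshd: Attempt to login using a non-existent user"}}},
    {"_source": {"timestamp": "2024-05-24T15:02:30.000+0000", "agent": {"id": "002", "name": "db-01"},
                 "rule": {"id": "5712", "level": 10, "description": "sshd: brute force trying to get access to the system"}}},
]}}


def build_alert_query(min_level, agent_name=None, since="now-1h", size=100):
    """OpenSearch query DSL for wazuh-alerts-*: alerts whose rule level is at least
    min_level inside the time window, optionally limited to one agent, newest first."""
    must = [
        {"range": {"rule.level": {"gte": min_level}}},
        {"range": {"timestamp": {"gte": since}}},
    ]
    if agent_name:
        must.append({"term": {"agent.name": agent_name}})  # agent.name is a keyword field
    return {"size": size, "sort": [{"timestamp": {"order": "desc"}}],
            "query": {"bool": {"must": must}}}


def summarize_alerts(response):
    """Count the returned alerts per (rule id, description) and per agent name."""
    by_rule, by_agent = Counter(), Counter()
    for hit in response["hits"]["hits"]:
        src = hit["_source"]
        by_rule[(src["rule"]["id"], src["rule"]["description"])] += 1
        by_agent[src["agent"]["name"]] += 1
    return {"total": response["hits"]["total"]["value"], "by_rule": by_rule, "by_agent": by_agent}


def search_alerts(query, host="https://indexer.example:9200", user="admin",
                  password="change-me", cafile=None):
    """POST the query to the indexer's _search endpoint over TLS. Host and credentials are
    hypothetical; pass the indexer root CA as cafile so its deployment certificate verifies."""
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{host}/wazuh-alerts-*/_search", method="POST",
                                 data=json.dumps(query).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        return json.load(resp)
```

Run `summarize_alerts(search_alerts(build_alert_query(7)))` against a live indexer to get the same summary for real alerts of level 7 and above from the last hour.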
### Server
TODO
### Dashboard
TODO
### Agent
TODO
## Further readings
- [Website]
- [Github]
### Sources
- [Documentation]
<!--
Reference
═╬═Time══
-->
<!-- In-article sections -->
<!-- Knowledge base -->
<!-- Files -->
<!-- Upstream -->
[documentation]: https://documentation.wazuh.com/current/
[github]: https://github.com/wazuh/wazuh
[website]: https://wazuh.com/
<!-- Others -->