Wazuh: SIEM, EDR and compliance platform for the regulated mid-market
Wazuh is the GPL-2 licensed SIEM platform with file integrity monitoring, vulnerability detection, and PCI-DSS/HIPAA reports. In May 2026 it is the pick for law firms with 50+ staff.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What is Wazuh?
Wazuh is a comprehensive, GPL-2 licensed SIEM and endpoint detection and response (EDR) platform, developed since 2015 as a fork of OSSEC. It is maintained by the US company Wazuh Inc., headquartered in San Jose, and in May 2026 it is the leading open-source alternative to commercial SIEM platforms such as Splunk Enterprise Security, IBM QRadar, and Microsoft Sentinel.
The platform covers three core areas: (1) Security Information and Event Management (SIEM) with central log aggregation, correlation, and alert engine; (2) Endpoint Detection and Response (EDR) with agent-based real-time monitoring of file integrity, configuration changes, unusual processes, rootkits; (3) compliance automation with pre-built reports for PCI-DSS, HIPAA, GDPR/revFADP, NIST 800-53, TSC SOC 2, ISO 27001.
The architecture consists of four components. The Wazuh Agent runs on every monitored endpoint (Linux, Windows, macOS, Solaris, AIX, HP-UX), collects logs and events, runs vulnerability scans, and checks file integrity via syscall hooks. The Wazuh Manager receives events from all agents, runs correlation, and decides which alerts to raise. The Wazuh Indexer (based on OpenSearch) stores events for search and forensics. The Wazuh Dashboard (based on OpenSearch Dashboards) delivers the UI with dashboards, reports, and compliance status views.
As of May 2026 Wazuh is stable in version 4.x with active development. Setup time for a productive deployment ranges from 2 to 5 working days depending on the number of agents and the compliance requirements. Hardware requirements: Manager and Indexer take around 8 GB RAM, 4 vCPU, and 200 GB storage for log retention at 50 agents. At 500 agents this scales to a cluster setup with 3+ Indexer nodes and a dedicated Manager.
The GPL-2 license allows full commercial self-hosting. Wazuh Inc. additionally offers Wazuh Cloud (managed hosting) from USD 1500 per month for 25 agents -- often the pragmatic choice for Swiss SMEs with compliance duties, compared with running it themselves.
Why it matters for regulated Swiss fiduciaries and law firms
Wazuh becomes the right choice for three concrete Swiss SME scenarios in May 2026.
Compliance duty with audit-trail requirement: a 50+ staff law firm with clients from pharma, banking, or insurance is indirectly subject to their compliance duties (PCI-DSS on credit card data, HIPAA on US pharma clients, ISO 27001 if clients require it). Wazuh delivers pre-built compliance dashboards with mapping of security events to the respective control requirements. Auditors accept Wazuh reports as proof. A self-built audit trail with Loki/Grafana requires significantly more mapping effort.
File integrity monitoring for client files: law firms with professional secrecy under Art. 321 SCC must be able to prove who accessed or modified which client file when. The Wazuh agent monitors file system paths via syscall hooks and alerts on every change. On suspicion (suspicious change at 3 a.m., access by an account without client authorisation) an alert is generated immediately. That is the substance behind the duty of care of Art. 717 CO.
Vulnerability detection at endpoint level: Wazuh scans all agents daily for known CVEs in installed packages (apt, yum, npm, pip) and compares with the National Vulnerability Database. At a fiduciary with 30 workstations, 5 servers, and diverse software stacks, this is the only practical way to continuously maintain patch status per machine. EU DORA explicitly requires documented vulnerability management, ISO 27001 likewise.
The lower boundary is critical: a 10-person fiduciary without banking or pharma mandates does not need Wazuh. CrowdSec plus Lynis plus Grafana/Loki deliver 80 percent of the functionality at 10 percent of the effort. Wazuh becomes sensible at 50+ staff, external compliance duty, or with clients from regulated industries. The threshold is stable in May 2026 -- the cloud variant has lowered the entry barrier, but operationally and conceptually Wazuh remains a demanding tool.
Architecture and Docker Compose setup
Wazuh runs productively in May 2026 as a Docker Compose stack with four containers. The official wazuh-docker distribution delivers the ready setup.
```yaml
version: "3.8"
services:
  wazuh-manager:
    image: wazuh/wazuh-manager:4.9.0
    hostname: wazuh-manager
    restart: always
    ulimits:
      memlock: { soft: -1, hard: -1 }
      nofile: { soft: 655360, hard: 655360 }
    ports:
      - "1514:1514"      # agent event channel
      - "1515:1515"      # agent enrollment
      - "514:514/udp"    # syslog from devices without an agent
      - "55000:55000"    # Wazuh REST API (used by the dashboard)
    environment:
      - INDEXER_URL=https://wazuh-indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretAdminPass2026
    volumes:
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
  wazuh-indexer:
    image: wazuh/wazuh-indexer:4.9.0
    hostname: wazuh-indexer
    restart: always
    environment:
      - OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
  wazuh-dashboard:
    image: wazuh/wazuh-dashboard:4.9.0
    hostname: wazuh-dashboard
    restart: always
    ports:
      - "443:5601"
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretAdminPass2026
      - WAZUH_API_URL=https://wazuh-manager
    depends_on:
      - wazuh-indexer

# Named volumes referenced above must be declared at top level,
# otherwise Compose rejects the file.
volumes:
  wazuh_etc:
  wazuh_logs:
  wazuh_queue:
  wazuh-indexer-data:
```
Agent installation on a monitored server (Ubuntu example):

```bash
# Assumes the Wazuh apt repository and its signing key are already configured on the host.
# WAZUH_MANAGER is read by the package's post-install script and written into ossec.conf.
WAZUH_MANAGER="wazuh-manager.treuhand-müller.ch" apt install wazuh-agent
systemctl enable --now wazuh-agent
```
Key modules per agent: (1) Log Analysis reads /var/log/auth.log, /var/log/nginx, /var/log/postfix; (2) File Integrity Monitoring watches /etc, /usr/bin, /var/www via syscall hooks; (3) Rootcheck checks for known rootkit patterns; (4) Vulnerability Detector compares installed packages against NVD; (5) System Configuration Assessment checks CIS benchmark conformity (300+ checks).
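The five modules above are all switched on in the agent's ossec.conf. The following fragment is an added example for a law firm's file server, not a configuration taken from Wazuh's documentation or from the page's stack; /srv/clients is an assumed path for client dossiers, and the manager address is the one from the install command above. The point it shows beyond the list: `realtime` tells you that a client file changed, but only `whodata` records which account and process did it, which is what the Art. 321 SCC evidence question actually asks.

```xml
<!-- /var/ossec/etc/ossec.conf on a monitored file server (added example, not Wazuh's default config).
     /srv/clients is an assumed layout for client dossiers. -->
<ossec_config>
  <client>
    <server>
      <address>wazuh-manager.treuhand-müller.ch</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>

  <!-- (2) File Integrity Monitoring -->
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>   <!-- full scan every 12 h, on top of the live monitoring below -->
    <!-- whodata implies realtime and additionally records user, process and login session
         for every change; on Linux it needs auditd installed on the host. -->
    <directories whodata="yes" check_all="yes" report_changes="yes">/srv/clients</directories>
    <!-- system paths from the module list: scheduled scan only, no diffs -->
    <directories check_all="yes">/etc,/usr/bin,/var/www</directories>
    <!-- editor temp files and swap files would otherwise flood the alert stream -->
    <ignore type="sregex">.swp$|~$</ignore>
    <!-- report_changes ships a text diff to the manager; for files whose content must never
         leave the host, keep the hash check but suppress the diff (assumed path) -->
    <nodiff>/srv/clients/hr/salaries.csv</nodiff>
  </syscheck>

  <!-- (3) Rootcheck -->
  <rootcheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
  </rootcheck>

  <!-- (4) Vulnerability detection: since 4.8 the agent only reports its package inventory
       via syscollector; the CVE matching runs on the manager. -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <os>yes</os>
    <packages>yes</packages>
  </wodle>

  <!-- (5) Security Configuration Assessment (CIS benchmark checks) -->
  <sca>
    <enabled>yes</enabled>
    <interval>12h</interval>
  </sca>

  <!-- (1) Log analysis -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mail.log</location>   <!-- postfix on Debian/Ubuntu -->
  </localfile>
</ossec_config>
```

Check it with `/var/ossec/bin/wazuh-control restart` on the agent and then look for the `syscheck` and `whodata` start messages in `/var/ossec/logs/ossec.log`; if auditd is missing, the agent logs that whodata could not start and silently falls back to realtime, so this is the one line worth verifying after every rollout.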
Compliance dashboards are available out of the box. In the Dashboard under Modules > PCI DSS you see all events that map to a PCI requirement (e.g. Requirement 10.2.1 -- audit trail on data access). The same applies to HIPAA, GDPR, and NIST 800-53.
Integrations: VirusTotal API on file hashes, AlienVault OTX for threat intel, Slack/Telegram/Email for alerts, ServiceNow/Jira for incident ticketing.
Wazuh setup in 5 steps
- 01 Hardware planning: Manager and Indexer on a dedicated VM with 8 GB RAM, 4 vCPU, 500 GB SSD per 50 agents; at 100+ agents a cluster with 3 Indexer nodes.
- 02 Stack deployment via wazuh-docker or packages; generate TLS certificates for Manager-Agent communication; switch Dashboard login to Authentik/Authelia SSO.
- 03 Install agents on all monitored servers and workstations; set the Manager address; activate modules: log_analysis, syscheck (FIM), rootcheck, vulnerability_detector, sca.
- 04 Configure compliance dashboards: PCI-DSS/HIPAA/GDPR/ISO 27001 per duty; add custom rules for Swiss law (revFADP, Art. 321 SCC, Art. 957a CO).
- 05 Alert tuning and integration: send alerts to Telegram/Slack, connect ServiceNow/Jira ticketing, run 1-2 weeks in observe mode with severity thresholds, then enforce.
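On the manager side, steps 03 and 05 come down to two blocks in the manager's ossec.conf: the vulnerability detection engine that matches the agents' package inventories against the NVD feed, and an integration that forwards only the alerts worth a human's attention. This is an added example, not the page's stack configuration or a Wazuh default; the Slack hook URL is a placeholder, the `client_files` group is a custom label assumed to be set by local rules, and the element names are those of the 4.8+ configuration format the page's 4.9.0 images use.

```xml
<!-- /var/ossec/etc/ossec.conf on the Wazuh Manager (added example; placeholder values marked). -->
<ossec_config>
  <!-- Vulnerability detection runs on the manager in 4.8+: agents send package lists via
       syscollector, the manager correlates them against the downloaded CVE feed. -->
  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>          <!-- keep per-agent vulnerability state in the indexer -->
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <!-- Step 05, observe mode: route only high-severity alerts to chat. Level 10+ keeps the
       channel quiet; the group filter limits it further to client-dossier events
       (custom group assumed to be assigned by local rules). -->
  <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/PLACEHOLDER_WEBHOOK</hook_url>
    <level>10</level>
    <group>client_files,</group>
    <alert_format>json</alert_format>
  </integration>

  <!-- Ticketing is a second integration with its own threshold; a custom script name
       must start with "custom-" and live in /var/ossec/integrations (path is Wazuh's,
       script name is hypothetical). -->
  <integration>
    <name>custom-jira</name>
    <hook_url>https://jira.example.invalid/rest/api/2/issue</hook_url>
    <level>12</level>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
```

During the observe period, lower nothing in the integrations; instead count alerts per rule ID in `/var/ossec/logs/alerts/alerts.json` and silence or down-level the noisy rules in local_rules.xml. Raising the integration `level` is the quick fix, but it hides the churn rather than removing it, and the untuned rules still fill the indexer.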
When Wazuh is the right choice
Wazuh is recommended in four concrete scenarios in May 2026.
Mid-size law firm or fiduciary with 50+ staff: simple tools (CrowdSec, Lynis) no longer suffice here -- the audit effort for compliance reports becomes a full-time job when maintained manually. Wazuh automates PCI-DSS/ISO 27001 documentation. ROI realistically from year 2 with cyber insurance premium reduction and avoided audit costs.
Clients in regulated industries: a law firm with banking clients is indirectly subject to FINMA auditor requirements -- clients demand proof. A fiduciary with pharma clients must show HIPAA conformity at least in areas where client data is touched. Wazuh delivers compliance dashboards as an integral component.
ISO 27001 certification as target: ISO 27001 explicitly requires monitoring (Annex A.12.4), vulnerability management (Annex A.12.6), incident management (Annex A.16). Wazuh covers all three in one tool. An auditor sees the Wazuh dashboard and accepts the evidence -- a self-built stack of Grafana plus custom scripts requires significantly more explanation.
File integrity monitoring for client files: as soon as you need to prove that a particular file has not been modified since X, or that only authorised persons had access, you need file integrity monitoring with syscall hooks. Wazuh delivers that with setup effort of a few hours per path configuration.
For May 2026 Swiss SME setups below 50 staff without external compliance duty: not recommended. Setup effort 2-5 days plus monthly 8-15 hours maintenance exceeds the benefit. CrowdSec plus Lynis plus Grafana/Loki is the right choice.
When Wazuh is disproportional
Three cases where Wazuh is the wrong choice.
Small fiduciary under 20 staff: setup time 2-5 days, ongoing maintenance 8-15 hours per month -- that is 1-2 days of additional work per month. In a 10-person office that equals 10 percent of an IT manager's workload, usually not available at this size. CrowdSec plus Lynis is the matching layer: 4-6 hours setup, 2-4 hours maintenance per month.
Solo self-employed or 1-3 person setup: here Wazuh is completely oversized. The toolset (Manager plus Indexer plus Dashboard) needs 8 GB RAM and 4 vCPU just for itself before a single agent is connected. On a solo client portal server, this is not justifiable.
Strict air-gap requirement without any link to a cloud-hosted indexer: the Wazuh Indexer (OpenSearch) ideally needs a 3-node cluster in productive setups. Anyone setting that up in a strictly isolated data room carries a high operations effort. Alternative: a Wazuh Manager with a local single-node Indexer suffices functionally but is not a high-availability setup.
General pitfalls in Wazuh deployments: (a) Indexer storage not adequately planned -- at 50 agents quickly 5-10 GB logs per day, index retention of 90 days needs 500-1000 GB. (b) Alert tuning neglected -- Wazuh is very talkative out of the box, hundreds of alerts per day, burnout of the security manager is realistic. (c) Agent updates not automated -- at 100 agents manual maintenance becomes a full-time job. (d) Compliance dashboards without customising for Swiss law -- out-of-the-box reports are designed for US/EU law, revFADP mapping must be self-built.
Trade-offs
STRENGTHS
- GPL-2 license, fully commercially usable, no vendor lock-in
- Out-of-the-box compliance dashboards for PCI-DSS, HIPAA, ISO 27001, GDPR
- File integrity monitoring via syscall hooks for client files
- Endpoint-level vulnerability detection with NVD reconciliation
WEAKNESSES
- Setup effort 2-5 days, ongoing maintenance 8-15 hours per month
- Hardware need 8 GB RAM and 4 vCPU per 50 agents -- disproportional for solo/mini SMEs
- Very talkative out of the box, 1-2 weeks alert tuning mandatory
- Swiss-law mapping (revFADP) must be added as custom rules
FAQ
What does Wazuh cost for a 50-staff office?
Self-hosted: hardware/VM around CHF 200 per month (Hetzner Dedicated AX line), one-off setup effort via an external partner CHF 8000-15000, maintenance CHF 800-1500 per month. Cloud variant (Wazuh Cloud): from USD 1500 per month for 25 agents, USD 2800 for 50 agents. Where a compliance duty exists, the cloud variant is usually cheaper net, because the internal ISO 27001 audit preparation is strongly reduced.
Wazuh vs. CrowdSec -- which when?
CrowdSec is layer-7 intrusion detection with crowd blocklist. Wazuh is SIEM/EDR with compliance reports and file integrity monitoring. They solve different problems and are run in parallel: CrowdSec blocks active attacks at the application layer; Wazuh documents security events for compliance and forensics. Below 20 staff: CrowdSec only. Above 50: both in parallel.
Are Wazuh compliance reports auditor-grade?
Yes for PCI-DSS, HIPAA, NIST 800-53, ISO 27001, GDPR -- these are mapped out of the box. For Swiss law (revFADP, Art. 957a CO, Art. 321 SCC) custom mapping must be added: write custom rules that map events to Swiss controls. Effort 4-8 hours per compliance framework. Auditors in Switzerland accept Wazuh reports if the mapping is plausibly documented.
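Step 04 of the setup list and this answer refer to the same mechanism: custom rules in local_rules.xml that attach a Swiss control label to the events that evidence it, plus the tuning overrides from step 05. The following is an added example, not part of Wazuh's shipped ruleset or of the page. Rule IDs 100100 and up are in the range Wazuh reserves for custom rules; the parent IDs 550, 553 and 554 are the stock syscheck rules (checksum changed, file deleted, file added) and should be checked against the installed ruleset before use; /srv/clients and /var/www/cache are assumed paths; the `ch_*` group names are invented labels for the Swiss controls named in the answer.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml on the manager (added example, not Wazuh's ruleset).
     Custom groups become values of rule.groups in every alert, which is the field a
     self-built revFADP dashboard filters on. -->
<group name="local,client_files,">

  <!-- Any change or addition under the client dossier tree: tag with the Swiss controls it
       evidences. pci_dss_10.2.1 is a stock group, so the event also appears in the built-in
       PCI dashboard. $(file) pulls the path from the FIM event into the description. -->
  <rule id="100100" level="8">
    <if_sid>550,554</if_sid>
    <field name="file">^/srv/clients/</field>
    <description>Client dossier changed: $(file)</description>
    <group>ch_art321_scc,ch_revfadp_art8,ch_art957a_co,pci_dss_10.2.1,</group>
  </rule>

  <!-- Same event outside office hours (the "3 a.m." case): escalate to level 12 so it crosses
       the integration threshold and reaches a human immediately. -->
  <rule id="100101" level="12">
    <if_sid>100100</if_sid>
    <time>8 pm - 6 am</time>
    <description>Client dossier changed outside office hours: $(file)</description>
    <group>ch_art321_scc,ch_revfadp_art8,</group>
  </rule>

  <!-- Deletion is the highest-risk case for Art. 957a CO record retention: separate parent,
       separate level, regardless of the time of day. -->
  <rule id="100102" level="12">
    <if_sid>553</if_sid>
    <field name="file">^/srv/clients/</field>
    <description>Client dossier file deleted: $(file)</description>
    <group>ch_art957a_co,ch_art321_scc,</group>
  </rule>

  <!-- Step 05 tuning: FIM churn in the web server's cache directory (assumed path) is not
       evidence of anything. Level 0 plus no_log drops it before it reaches the indexer. -->
  <rule id="100110" level="0">
    <if_sid>550,553,554</if_sid>
    <field name="file">^/var/www/cache/</field>
    <options>no_log</options>
    <description>Ignore FIM churn in web cache</description>
  </rule>

</group>
```

Test a new rule before restarting the manager by pasting a captured alert log line into `/var/ossec/bin/wazuh-logtest`, which prints the decoder output and the rule that finally matched; a rule that never fires during the observe period is usually a path regex that does not match the agent's reported path. Keep the mapping documented next to the rules file: the page's point that Swiss auditors accept the reports only if the mapping is plausibly documented applies to exactly this file.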
How does Wazuh differ from commercial SIEM?
Functionally 70-80 percent of Splunk Enterprise Security or IBM QRadar, without their license cost (USD 50000-200000 per year). Weaker in: user behaviour analytics (UEBA), SOAR automation, ML-based threat hunting. Stronger in: open-source maintainability, no vendor lock-in, GPL-2 license, active community. Clearly the right choice for Swiss SME mid-market; for 500+ staff enterprises Splunk or Sentinel is more likely.
Sources
- Wazuh Documentation -- Architecture and Setup · 2026-05
- Wazuh GitHub -- v4.9 release notes · 2026-04
- CIS Benchmarks -- Wazuh SCA module reference · 2026-03
- NIST National Vulnerability Database · 2026-05
- ISO/IEC 27001:2022 -- Annex A controls · 2026-02