Wazuh Components Security


Max

May 18, 2026, 11:54:21 PM
to Wazuh | Mailing List
Hi All,

I want to ask: in the event of a security breach where the targets are the Wazuh components

From Wazuh Agent -> Wazuh Manager -> Filebeat -> Wazuh Indexer -> Wazuh Dashboard

What happens if any of these components get compromised?
What kind of security measures are put in place between components in a plain out-of-the-box installation?

I tried looking for documentation within the official Wazuh Documentation but haven't found any regarding this topic; it would be nice to have one for it though: "Securing the Wazuh cluster"

In any case, thanks for the answers if there are any.

Best Regards,
Max

ismail....@wazuh.com

May 19, 2026, 1:17:11 AM
to Wazuh | Mailing List
Hi,

Thank you for raising this critical point. Analyzing component-level threats is an essential exercise when designing and operating a resilient security platform like Wazuh.

Wazuh is designed with a security-first architecture, incorporating encrypted communications, authenticated agent enrollment, and role-based access control across its core components. This ensures that, by default, the platform provides a strong baseline of protection for log collection, analysis, and storage workflows. However, like any distributed security platform, its overall resilience is significantly strengthened when deployed with proper infrastructure hardening and operational security practices.

Below is a structured breakdown of the Wazuh security model, communication protections, and impact analysis in case of component compromise.

Wazuh Default Security Model (Out-of-the-box)

Wazuh is built on a distributed architecture with layered security controls, primarily based on TLS encryption, authentication keys, and role-based access control.

Communication Security:

  • Agent ↔ Manager
    • Uses agent authentication keys for enrollment
    • Communication is encrypted (TLS support depending on deployment configuration)
    • Agents are explicitly registered before acceptance
  • Manager ↔ Filebeat
    • Local communication on the host
    • Protected through OS-level permissions and service isolation
  • Filebeat ↔ Indexer
    • Secured using HTTPS (TLS encryption)
    • Authentication via username/password or TLS certificates (recommended)
  • Indexer ↔ Dashboard
    • Secured via HTTPS (TLS)
    • Controlled using RBAC (role-based access control)

Access Control & Isolation

  • Services run under dedicated system users
  • Indexer enforces RBAC for index-level access control
  • Dashboard access is controlled via Indexer authentication and roles

Impact Analysis: If a Component is Compromised

Agent Compromise (Endpoint level)

Attacker can:
  • Manipulate or spoof logs from the affected endpoint
  • Stop or disable the agent service
Impact:
  • Limited to the compromised host
Reason:
  • Manager only accepts authenticated and registered agents

Manager Compromise (High impact)

Attacker can:
  • Modify rules, decoders, and detection logic
  • Push malicious configurations to connected agents
Impact:
  • High impact on detection integrity and monitoring accuracy
Mitigation:
  • Downstream systems remain protected via TLS and authentication layers
  • No direct access to Indexer storage layer

Filebeat Compromise (Low to moderate)

Attacker can:
  • Interrupt or modify log forwarding
Impact:
  • Affects only new data ingestion
Mitigation:
  • Write-restricted credentials to Indexer indices
  • No access to Manager control plane or historical data

Indexer Compromise (Critical)

Attacker can:
  • Read, modify, or delete stored security data
  • Perform data exfiltration or tampering
Impact:
  • Severe impact on confidentiality and integrity of logs
Mitigation depends on:
  • RBAC enforcement
  • Network segmentation
  • TLS and certificate security
  • Restricted API exposure

Dashboard Compromise (UI-layer risk)

Attacker can:
  • Access dashboards and security visualizations
  • Perform actions permitted by assigned RBAC roles
Limitation:
  • No direct access to agents or underlying OS-level infrastructure
Impact depends on:
  • RBAC configuration in Indexer
  • Exposure of privileged credentials

Recommended Hardening Practices:

From a deployment perspective, it is strongly recommended to implement standard Linux hardening measures across all Wazuh nodes (Manager, Indexer, and Dashboard). This includes minimizing installed packages, disabling unnecessary services, enforcing secure SSH configurations, applying kernel and OS security updates regularly, and enabling auditing mechanisms such as auditd.

In addition, inter-component communication should be strictly restricted to required ports only (e.g., 1514/1515 for agents and 9200/443 for Indexer/Dashboard), with firewall rules or security group policies enforcing tight network segmentation to reduce the attack surface. Please refer to https://documentation.wazuh.com/current/getting-started/architecture.html#required-ports.

Furthermore, for production-grade security, organizations should adopt PKI-based certificate management using their own trusted CA instead of relying solely on default or self-signed certificates. This improves trust control and enables proper certificate rotation policies. It is also strongly recommended to operate Wazuh on the latest stable version, ensuring all security patches, bug fixes, and upstream improvements are applied promptly.

Additional best practices include:
  • Network segmentation between Wazuh tiers (Agent, Manager, Indexer, Dashboard)
  • Enforcing least-privilege RBAC policies
  • Restricting Indexer API exposure
  • Implementing secure backup and snapshot strategies
  • Continuous monitoring of the Wazuh infrastructure using File Integrity Monitoring (FIM) and system-level logs

Please follow the below document for reference:
https://documentation.wazuh.com/current/getting-started/architecture.html#required-ports
https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/configuring-third-party-certs/ssl.html
https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/security-options/index.html
https://osintph.medium.com/understanding-wazuh-the-free-open-source-security-platform-for-xdr-siem-48b3c3dfba9d
https://documentation.wazuh.com/current/release-notes/index.html

I hope it helps. Please let us know if you have any further questions or concerns.

Regards,

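As an added example (not part of the thread above and not Wazuh's own tooling), here is a small Python check that turns the port-restriction advice in the reply into something a node operator can run: it parses `ss -tlnp` output, reports every non-loopback listener that is not on the tier's expected port list, and renders an nftables input chain that admits only those ports. Assumptions, all mine rather than the reply's: one Wazuh tier per host, the allow-list contains only the ports the reply names (1514/1515 for agent traffic to the manager, 9200 for the Indexer, 443 for the Dashboard) plus whatever the caller adds via `extra_allowed`, SSH is admitted only from an administrative CIDR, and the sample `ss` output is constructed, not a real capture.

```python
"""Listening-port audit and firewall rendering for a single Wazuh tier (added example)."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Service ports per tier as named in the reply (assumption: one tier per host).
# Ports for other Wazuh services (API, cluster, indexer transport) are deliberately
# not hard-coded here; pass them through `extra_allowed` where they apply.
EXPECTED_PORTS = {
    "manager": {1514, 1515},
    "indexer": {9200},
    "dashboard": {443},
}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss -tlnp` output into Listener records; header and non-LISTEN rows are skipped."""
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")  # rpartition keeps IPv6 "[::]" intact
        match = re.search(r'\(\("([^"]+)"', line)  # process name inside users:(("name",pid=..,fd=..))
        listeners.append(Listener(addr, int(port), match.group(1) if match else "unknown"))
    return listeners


def audit(tier: str, listeners: List[Listener], extra_allowed: FrozenSet[int] = frozenset()) -> List[str]:
    """Return one finding per non-loopback listener outside the tier's allow-list."""
    allowed = EXPECTED_PORTS[tier] | set(extra_allowed)
    findings = []
    for entry in listeners:
        if entry.addr in LOOPBACK:
            continue  # host-local services are not reachable from other tiers
        if entry.port not in allowed:
            findings.append(f"{tier}: unexpected listener '{entry.process}' on {entry.addr}:{entry.port}")
    return findings


def nft_rules(tier: str, ssh_from: str, peers: Optional[str] = None) -> str:
    """Render an nftables input chain: default drop, SSH from ssh_from, service ports from peers.

    peers is the CIDR allowed to reach the tier's service ports; None means any source,
    which is what a manager needs when agents connect from across the estate.
    """
    ports = ", ".join(str(p) for p in sorted(EXPECTED_PORTS[tier]))
    src = f"ip saddr {peers} " if peers else ""
    return "\n".join([
        f"table inet wazuh_{tier} {{",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iif "lo" accept',
        "    ct state established,related accept",
        f"    ip saddr {ssh_from} tcp dport 22 accept",
        f"    {src}tcp dport {{ {ports} }} accept",
        "  }",
        "}",
    ])


# Constructed `ss -tlnp` output for a manager host (sample data, not a real capture):
# two stray services (rpcbind, an ad-hoc python3 web server) sit beside the Wazuh daemons.
SAMPLE_SS_MANAGER = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   0.0.0.0:1514        0.0.0.0:*         users:(("wazuh-remoted",pid=1120,fd=9))
LISTEN 0      4096   0.0.0.0:1515        0.0.0.0:*         users:(("wazuh-authd",pid=1122,fd=7))
LISTEN 0      128    127.0.0.1:25        0.0.0.0:*         users:(("master",pid=900,fd=13))
LISTEN 0      4096   0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=600,fd=4))
LISTEN 0      5      [::]:8000           [::]:*            users:(("python3",pid=2301,fd=3))
"""


if __name__ == "__main__":
    for finding in audit("manager", parse_ss(SAMPLE_SS_MANAGER), extra_allowed=frozenset({22})):
        print(finding)
    print(nft_rules("indexer", ssh_from="10.0.0.0/24", peers="10.0.1.0/24"))
```

On a live node, feed the script `subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout` instead of the constructed sample, and treat the rendered chain as a starting point to be reviewed against the documented port list before loading it with `nft -f`.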
