
Wazuh SIEM Integration Setup


Wazuh is an open-source platform for threat detection, log data analysis, and compliance that integrates with SIEM. miniOrange provides enterprises and applications with secure access to, and full control over, Wazuh. This guide walks you through configuring Wazuh.


Get Free Installation Help


miniOrange offers free help through a consultation call with our System Engineers to set up SIEM integration with the Wazuh instance in your environment, with a 30-day free trial.

To book a slot, just send us an email at idpsupport@xecurify.com and we'll help you in no time.



1. Create a user account for API authentication

  • Log into your Wazuh dashboard as an admin.
  • Click on the hamburger menu icon in the top-left corner.
  • Navigate to Server Management > Security.
  • Click on the Create User button under the User tab.
  • Provide any username and password.
  • You can keep the Allow run as option disabled.
  • Select the user role as administrator and click on the Apply button.
  • Configure the above username and password in miniOrange to sync the audit logs.

2. Add a rule to use JSON decoder

  • From your Wazuh admin dashboard, open the left-hand menu.
  • Navigate to Server Management > Rules.
  • Click on the Add new Rules file button.
  • Provide any file name and add the following rules in the provided area:
                  
      <group name="audit">
        <rule id="222001" level="4">
          <decoded_as>json</decoded_as>
          <description>miniOrange Audit messages</description>
        </rule>
      </group>

    Note: If the rule ID 222001 is already assigned to a different rule in your Wazuh instance, you can use any other rule ID in the rule above. You can also change the log level as per your requirements.


  • Finally, click on the Save button.
  • After saving, click on the Restart button when prompted on your Wazuh dashboard.
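
The note in step 2 says rule ID 222001 may already be taken. As an added example (not part of the miniOrange guide), the Python script below checks a new rules file against existing rule files for ID collisions and out-of-range levels before you save it. The rule directory paths assume a default Wazuh manager install, and `parse_rules`, `check_new_rules` and `load_installed` are hypothetical helper names.

```python
import re
from pathlib import Path
# Assumption: default Wazuh manager rule directories (stock and custom rules).
RULE_DIRS = ("/var/ossec/ruleset/rules", "/var/ossec/etc/rules")
COMMENT = re.compile(r"<!--.*?-->", re.S)
RULE_TAG = re.compile(r"<rule\b([^>]*)>")
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def parse_rules(text):
    """Return [(id, level)] per <rule> tag, skipping commented-out rules."""
    # Regex, not an XML parser: rule files can hold several top-level groups.
    found = []
    for tag in RULE_TAG.finditer(COMMENT.sub("", text)):
        attrs = dict(ATTR.findall(tag.group(1)))
        rid, lvl = attrs.get("id", ""), attrs.get("level", "")
        if rid.isdigit():
            found.append((int(rid), int(lvl) if lvl.isdigit() else -1))
    return found

def check_new_rules(new_text, existing):
    """existing maps file name -> file text; returns a list of problems."""
    taken = {}
    for name, text in existing.items():
        for rid, _ in parse_rules(text):
            taken.setdefault(rid, name)
    problems = []
    for rid, level in parse_rules(new_text):
        if rid in taken:
            problems.append(f"rule id {rid} already defined in {taken[rid]}")
        if not 0 <= level <= 16:  # Wazuh rule levels run from 0 to 16
            problems.append(f"rule id {rid}: level {level} outside 0-16")
    return problems

def load_installed(dirs=RULE_DIRS):
    """Read every rule file on the manager; pass the result as `existing`."""
    return {str(p): p.read_text(errors="replace")
            for d in dirs for p in Path(d).glob("*.xml")}

# Constructed samples: the rule from step 2 and a hypothetical existing file.
NEW_RULES = '''<group name="audit">
  <rule id="222001" level="4">
    <decoded_as>json</decoded_as>
  </rule>
</group>'''
EXISTING = {"local_rules.xml": '''<group name="local,">
  <!-- <rule id="222001" level="3"></rule> retired, must not count -->
  <rule id="100001" level="5"><description>sample</description></rule>
</group>'''}

if __name__ == "__main__":
    print(check_new_rules(NEW_RULES, EXISTING) or "no conflicts")
```

On the Wazuh manager itself, call `check_new_rules(new_text, load_installed())` with the text you intend to paste into the new rules file.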

3. Configure Wazuh API Endpoint in miniOrange

  • Log in to the miniOrange Admin Console.
  • Go to SIEM Management and click on the Configure button.
  • Select the Wazuh SIEM tool and click on Next.
  • Select the Wazuh tab.

  • Provide a name for the SIEM tool.
  • Make sure to enter the Endpoint URL.
  • Make sure to add the Username and Password created in the Wazuh dashboard.
  • To save the Wazuh SIEM configuration, click on Save.
  • Click on the activate toggle button in order to activate the SIEM tool.

    Note:

    A Superadmin can also activate the SIEM tool for customers using the Manage Activation options. The admin can either activate the SIEM tool for all customers using the Activate For All Customers option, or activate it for individual customers using the Manage Activation option, available under the Actions menu by clicking on the three dots.
    Please follow this guide to know more.



  • Select Activate For All Customers:
    • Superadmin can toggle Activate For All Customers to enable the SIEM tool for all tenants in one action.

  • Select Manage Activation:
    • Superadmin can use Manage Activation to selectively enable the SIEM tool for individual customer accounts.

4. Monitor Logs in the Wazuh Dashboard

  • Now log in to the Wazuh dashboard to monitor all the logs.
  • In the Wazuh dashboard's Discover view, you should be able to see the captured logs.
