
● SIEM & SOC

Wazuh SIEM Deployment Guide for Indian SMBs: Open Source 24x7 Monitoring Without Splunk-Level Costs

Wazuh is the open source SIEM and XDR platform that runs production SOC operations at thousands of organisations globally. For Indian SMBs, it is the practical alternative to Splunk, QRadar or Sentinel. This guide covers deployment architecture, sizing, capabilities and operational realities.

Published 22 May 2026 13 min read Codesecure SOC Engineering Team SIEM & SOC

Key Takeaways

  • Wazuh is a production-grade open source SIEM and XDR platform: log management, threat detection, FIM, vulnerability detection, compliance reporting. Zero license fees.
  • Why it fits Indian SMBs: commercial SIEM (Splunk, QRadar, Sentinel) easily costs INR 25 lakh to 1 crore per year just in licensing. Wazuh removes that line item, freeing budget for actual SOC operations.
  • Architecture: Wazuh manager (correlation, rules), Wazuh indexer (Elasticsearch/OpenSearch fork), Wazuh dashboard (Kibana fork), Wazuh agents on endpoints, network device log forwarders.
  • Typical SMB deployment: 2-3 weeks from infrastructure provisioning to first detection alerts. Codesecure handles the deployment plus 24x7 managed operations.
  • Production scale: a single Wazuh manager handles 500-2000 agents comfortably. Multi-manager clusters scale further. Indian SMBs rarely need more than a single manager for years.

Why Wazuh, Not Splunk or Sentinel, for Indian SMBs

Indian SMBs facing customer due diligence, compliance audits or actual cyber risk increasingly need a SIEM. The traditional options (Splunk Enterprise Security, IBM QRadar, Microsoft Sentinel) carry licensing costs that put them out of reach for businesses under INR 50-100 crore revenue. Splunk easily costs INR 25 lakh to 1 crore per year just in licensing for typical SMB log volume; Sentinel is consumption-priced and creeps up with ingestion; QRadar requires significant upfront investment plus annual support.

Wazuh is a production-grade open source SIEM and XDR platform that delivers the same core capabilities: log management, threat detection rules, file integrity monitoring (FIM), vulnerability detection, regulatory compliance reporting, audit-ready logging. The license is open source (GPLv2); there are no per-GB ingestion fees, no per-endpoint licensing, no enterprise tier paywalls.

What you trade off for the cost saving is operational responsibility: Wazuh does not come with a managed cloud tenant where everything works out of the box. You (or your service provider) deploy, configure, tune, operate, patch, scale. For Indian SMBs the math is straightforward: pay a managed SOC partner like Codesecure who runs Wazuh on your behalf, total cost still far below commercial SIEM licensing alone.

Wazuh Architecture: Components and How They Fit Together

Wazuh Manager

The brain of the deployment. Runs detection rules, correlates events from multiple sources, manages agents, generates alerts, executes active response. Single-server deployment fine for SMBs (under 500-1000 agents); multi-manager cluster for larger scale. Typical SMB sizing: 4-8 vCPU, 16-32 GB RAM, 200-500 GB storage. Runs on Linux (RHEL/CentOS, Ubuntu, Debian, Amazon Linux).

Wazuh Indexer (Elasticsearch/OpenSearch Fork)

Stores the log data and search indices. Originally based on Elasticsearch, now standardised on OpenSearch (open source fork) to avoid Elastic licensing changes. Storage scales with retention: typical 30-90 days hot retention plus 6-12 months cold via snapshot to S3 or similar. SMB sizing: 1-3 indexer nodes with 8 vCPU / 32 GB RAM / 1-3 TB SSD each, scaling with log volume.

Wazuh Dashboard (Kibana Fork)

Web UI for browsing logs, viewing alerts, managing rules, generating reports. Kibana fork now standardised as OpenSearch Dashboards. SMBs typically run the dashboard on the same server as the manager or on a dedicated 2-4 vCPU / 8 GB RAM VM.

Wazuh Agents

Lightweight agents installed on endpoints: Windows, Linux, macOS, Solaris, AIX, HP-UX. They collect log data and perform FIM, vulnerability detection, configuration assessment, command monitoring and rootcheck. Network footprint per agent: typically 1-10 KB per second for normal activity. CPU overhead 1-3 percent. Memory 50-150 MB. Agent installation: one package per platform, with the central configuration pushed from the manager.

Log Forwarders (Network Devices and Cloud)

Network devices (firewalls, switches, routers) and cloud services do not run agents. They forward logs via syslog (UDP/TCP 514) or via cloud-native methods. Wazuh manager receives and parses these. Common log sources: Cisco/Palo Alto/Fortinet firewalls, F5 load balancers, AWS CloudTrail, Azure Activity Log, GCP Audit Log, Office 365 Unified Audit Log, Google Workspace Admin Logs.

Need a Managed SOC for Your SMB?

Codesecure runs Managed SOC for Indian SMBs using Wazuh + TheHive + n8n + Cortex + MISP open source stack. 24x7 named India-based analysts, fixed-fee monthly retainer, no expensive licensing. ISO/IEC 27001:2022 certified delivery.

See SOC for SMBs →

Deployment Steps for Indian SMB

Codesecure's standard Wazuh deployment phases for Indian SMB clients (2-3 weeks end to end):

Week 1: Infrastructure and Manager Setup

Provision VMs (on AWS/Azure/GCP, on-premise VMware/Proxmox, or hybrid). Install the Wazuh manager, indexer and dashboard following the Wazuh quick-start scripts. Configure TLS certificates (Let's Encrypt for a public dashboard, an internal CA for agent communications). Initial network segregation: the dashboard sits on a private subnet with VPN access only; agents communicate with the manager on port 1514 (registration) and 1515 (data); no inbound internet exposure of agents or manager.

Week 2: Agent Rollout and Log Source Onboarding

Mass agent deployment via Group Policy (Windows), Ansible/Puppet/Salt (Linux), Mobile Device Management (macOS). Initial agent rollout typically 80-90 percent in week 2; long tail of laptops with intermittent connectivity continues for 2-4 weeks. Log source onboarding: configure syslog forwarders on network devices, set up cloud log integrations (AWS CloudTrail to S3 to Wazuh, Azure Monitor to Event Hub to Wazuh). Test event flow.

Week 3: Detection Rules, Dashboards, Reporting

Enable the Wazuh ruleset (5000+ default rules). Tune for false positives (suppress noisy rules for your environment, adjust thresholds, exclude expected behaviour). Configure MITRE ATT&CK technique mapping (Wazuh has built-in ATT&CK rule tagging). Build executive dashboards (failed logins, alert trends, top users, top sources). Configure scheduled reports (daily security summary, weekly compliance, monthly executive). Codesecure typically delivers 11 standard report templates as part of the SOC engagement.

Beyond Week 3: Tuning and Operations

First 30 days post-go-live: high false-positive rate (typically 30-50 percent) as detection rules meet your environment for the first time. Disciplined tuning reduces this to under 20 percent within 90 days. Continuous activities: alert triage by 24x7 analysts (or your team), incident response per pre-approved playbooks, monthly metrics review, quarterly tuning, annual ATT&CK coverage gap analysis.
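As an added example (not from this page or from Wazuh's shipped ruleset), here are the two tuning moves described above, suppressing an expected source and raising a threshold for one host, written in Wazuh's rule XML. Built-in rule ids 5712, 5716 and 5720 are Wazuh's SSH brute-force and authentication-failure rules; the scanner IP and the bastion agent name are constructed.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml on the manager (custom rule ids 100000-120000) -->
<group name="local,tuning,">

  <!-- Exception, not a global disable: an authorised vulnerability scanner is expected to
       probe SSH. A level-0 child rule matches only that source, so brute-force alerts
       from any other host still fire. 10.20.30.40 is a constructed address. -->
  <rule id="100010" level="0">
    <if_sid>5712,5720</if_sid>
    <srcip>10.20.30.40</srcip>
    <description>Tuning: SSH brute-force alerts from the authorised scanner are expected</description>
  </rule>

  <!-- Threshold adjustment for one busy host: the bastion legitimately sees many failed
       SSH logins. First silence the default multiple-failure rule on that agent only
       (bastion-01 is a constructed agent name)... -->
  <rule id="100011" level="0">
    <if_sid>5720</if_sid>
    <hostname>bastion-01</hostname>
    <description>Tuning: default SSH failure threshold too low for the bastion</description>
  </rule>

  <!-- ...then re-create it with a higher bar: 20 failures (rule 5716) from the same
       source within 120 s, and stay quiet for 60 s afterwards to avoid an alert flood. -->
  <rule id="100012" level="10" frequency="20" timeframe="120" ignore="60">
    <if_matched_sid>5716</if_matched_sid>
    <same_srcip/>
    <hostname>bastion-01</hostname>
    <description>Tuning: 20 SSH authentication failures from one source in 2 minutes on the bastion</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

</group>
```

Replay a sample sshd failure line through /var/ossec/bin/wazuh-logtest before restarting the manager to confirm which rule wins for the scanner and for the bastion.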

Wazuh Capabilities That Matter for Indian SMBs

Log Management and Search

Ingest logs from any source, parse and normalise via decoders, search across all sources using a Kibana Discover-style UI. Storage retention is configurable per log type (30 days for verbose endpoint logs, 1 year for security-critical sources, 6 years for HIPAA-relevant logs). Critical for SOC 2 Type 2 audits, which sample evidence across the observation period.

Threat Detection Rules

5000+ built-in rules covering Windows event logs, Linux syslog, network devices, cloud services, application logs. Rules mapped to MITRE ATT&CK techniques. Custom rules using Wazuh rule language (XML-based with regex and decoder integration). Codesecure typically adds 30-50 client-specific custom rules during deployment.
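An added example (not from this page) of the decoder-plus-rule pattern mentioned above: a custom decoder for a constructed application audit log, a base rule that only classifies, a failed-login rule that surfaces the decoded fields, and a frequency rule that correlates them by source IP. The log format, field names and rule ids are assumptions.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml -->
<!-- Constructed sample line forwarded by the agent from the app's audit log:
     payapp: user=alice action=login status=failed src=203.0.113.9 -->
<decoder name="payapp">
  <prematch>^payapp: </prematch>
</decoder>
<decoder name="payapp-fields">
  <parent>payapp</parent>
  <regex>user=(\S+) action=(\S+) status=(\S+) src=(\S+)</regex>
  <!-- srcip is a special field name: it enables <same_srcip/> and <srcip> in rules -->
  <order>user, action, status, srcip</order>
</decoder>

<!-- appended to /var/ossec/etc/rules/local_rules.xml -->
<group name="local,payapp,authentication,">
  <!-- Base rule: every payapp event lands here; level 0 means no alert on its own -->
  <rule id="100020" level="0">
    <decoded_as>payapp</decoded_as>
    <description>payapp audit event</description>
  </rule>

  <!-- Single failed login: low level, but decoded fields appear in the alert text -->
  <rule id="100021" level="5">
    <if_sid>100020</if_sid>
    <field name="action">^login$</field>
    <field name="status">^failed$</field>
    <description>payapp: failed login for user $(user) from $(srcip)</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation: 10 failures from the same source within 5 minutes -->
  <rule id="100022" level="10" frequency="10" timeframe="300">
    <if_matched_sid>100021</if_matched_sid>
    <same_srcip/>
    <description>payapp: 10 failed logins from $(srcip) in 5 minutes (password guessing)</description>
    <mitre>
      <id>T1110.001</id>
    </mitre>
    <group>authentication_failures,</group>
  </rule>
</group>
```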

File Integrity Monitoring (FIM)

Monitor critical files and directories for changes (creation, modification, deletion, permission changes). Real-time monitoring on Linux (inotify), scheduled scanning on Windows. Critical for PCI DSS Requirement 11.5, HIPAA, ISO 27001 A.8.16. Common monitored paths: /etc, /bin, /sbin on Linux; C:\Windows\System32, C:\Program Files on Windows.

Vulnerability Detection

Wazuh agents collect installed software inventory; manager correlates against CVE feeds (NVD, vendor advisories) to identify known vulnerabilities on each endpoint. Continuous monitoring without scanning network overhead. Reports identify which endpoints have specific CVEs, prioritised by severity and exploit availability.

Configuration Assessment (CIS Benchmarks)

Built-in policies for CIS Benchmarks (Windows, Linux, AWS, Azure, Docker, Kubernetes). Wazuh agents periodically assess the endpoint against the benchmark and report a compliance score. Useful for SOC 2 CC8 evidence and ISO 27001 A.8.9 (configuration management).

Active Response

Automated response actions triggered by detection rules. Examples: temporarily block IP at firewall, disable user account, isolate host, kill process. Codesecure carefully scopes active response in client engagements: most clients prefer human-in-the-loop for any disruptive action; automated active response reserved for clear-cut cases (block known-bad IP, disable account on impossible travel).
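An added example (not from this page or from Wazuh's default ossec.conf) of the scoping described above: a reversible firewall block is automated for the clear-cut SSH brute-force case, while the disruptive account-disable response is defined but left disabled so an analyst triggers it deliberately. Rule ids 5712 and 5720 are Wazuh's built-in SSH brute-force rules; 100030 is a constructed id standing in for an impossible-travel rule.

```xml
<!-- /var/ossec/etc/ossec.conf on the manager (fragment to merge into the existing file) -->
<ossec_config>

  <!-- A command binds a name to a script under /var/ossec/active-response/bin/ on the
       agent. Both scripts ship with Wazuh; timeout_allowed lets the action be undone. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Clear-cut, reversible: drop the attacking source on the agent that saw the brute
       force, scoped to two rule ids rather than a whole alert level, lifted after 10 min. -->
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>

  <!-- Disruptive, human-in-the-loop: the lockout stays defined but disabled, so it is
       run on demand from the case (via the Wazuh API) rather than by the rule engine. -->
  <active-response>
    <disabled>yes</disabled>
    <command>disable-account</command>
    <location>local</location>
    <rules_id>100030</rules_id>
    <timeout>1800</timeout>
  </active-response>

</ossec_config>
```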


Frequently Asked Questions

How does Wazuh compare to Splunk or Microsoft Sentinel in capability?

For core SIEM use cases (log management, threat detection, FIM, compliance reporting), Wazuh delivers equivalent capability. Wazuh has stronger built-in endpoint capabilities (FIM, vulnerability detection, configuration assessment) than either Splunk or Sentinel. Splunk has more mature search language (SPL) and a larger third-party app ecosystem. Sentinel has tighter Microsoft 365 / Azure integration. For Indian SMBs the question is rarely 'which has more features' but 'which is operationally viable at our scale and budget' — and that overwhelmingly favours Wazuh.

What does Wazuh actually cost to run for an Indian SMB?

Wazuh software license: zero. Infrastructure cost: INR 25K-1L per month for typical SMB scale on AWS/Azure/GCP (Wazuh manager, indexer, dashboard, log storage). Codesecure managed SOC service running on top: INR 1L-3L per month depending on scope, retention and analyst coverage. Compare to Splunk Enterprise Security licensing alone at INR 25 lakh-1 crore per year; Wazuh + Codesecure managed service typically lands 60-80 percent cheaper than the commercial alternative while delivering equivalent SOC capability.

Can Wazuh handle Indian compliance requirements (ISO 27001, RBI, DPDP, PCI)?

Yes. Wazuh produces audit-ready evidence for ISO 27001 (Annex A.8.15-A.8.16 logging and monitoring), SOC 2 (Common Criteria CC7 system monitoring), PCI DSS (Requirement 10 log management, Requirement 11.5 FIM), HIPAA (164.312(b) audit controls), RBI Cyber Security Framework (continuous monitoring requirements). Codesecure managed SOC packages include 11 report templates aligned to these frameworks.

Does Wazuh require specialist consultants to operate, or can we run it in-house?

Both are viable. Wazuh Implementation engagement: we deploy the full stack, train your team and hand it over with an optional support retainer; your team then operates 24x7 monitoring. Best for: Indian enterprises with existing SOC capability and budget for in-house headcount. Wazuh Managed SOC: we operate the stack on your behalf with 24x7 named analysts. Best for: Indian SMBs without dedicated security headcount who prefer a monthly retainer over hiring.

What scale can a single Wazuh deployment handle?

Single Wazuh manager comfortably handles 500-2000 agents plus syslog from typical SMB network infrastructure. Multi-manager cluster scales to 10000+ agents. Indexer scales with storage and log volume (typical SMB needs 1-3 nodes; large enterprise needs 5-10+ nodes). Indian SMBs rarely outgrow single-manager deployment for years. Codesecure designs sizing during scoping with growth headroom for 2-3 years.

Can Wazuh detect modern threats (ransomware, supply chain compromise, AI abuse)?

Yes for ransomware (Wazuh has a dedicated ransomware detection ruleset based on file change patterns plus process behaviour). Supply chain compromise detection depends on what telemetry you ingest (endpoint EDR data plus code repository activity plus package manager logs). AI abuse detection is an emerging area; Wazuh can ingest LLM application logs and we are building Codesecure custom rules for prompt injection patterns and agent abuse signals. Wazuh keeps pace with the threat landscape via an active community plus paid Wazuh Cloud premium content where applicable.

Does Wazuh integrate with TheHive, n8n, MISP and Cortex?

Yes, this is the standard Codesecure managed SOC stack. Wazuh alerts feed into TheHive cases via API. TheHive triggers n8n SOAR playbooks for automated response. Cortex provides analyzers for IOC enrichment (VirusTotal, AbuseIPDB, MISP correlation). MISP supplies threat intelligence feeds that Wazuh checks against incoming events. The integrated stack is open source and battle-tested at thousands of organisations.


Codesecure SOC Engineering Team

ISO/IEC 27001:2022 Certified SOC Engineers

Codesecure Solutions is ISO/IEC 27001:2022 certified and runs Managed SOC for Indian SMBs using the Wazuh + TheHive + n8n + Cortex + MISP open source stack. 24x7 named India-based analysts, automated reporting, no expensive vendor licensing. Built for growing businesses across fintech, healthcare, SaaS, manufacturing and maritime sectors.


Get Wazuh-Based Managed SOC for Your Indian SMB

Codesecure runs Managed SOC for Indian SMBs using Wazuh + TheHive + n8n + Cortex + MISP open source stack. 24x7 named India-based analysts, monthly retainer, no licensing fees, ISO/IEC 27001:2022 certified delivery.