Wazuh

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Data type                     Table name                    Log format   Collection method   Supported (3rd party detection / Hunters detection / IOC search / Search)
Wazuh Alerts                  wazuh_alerts                  Key Value    S3                  ✅ ✅
Wazuh Server Windows Logs     wazuh_server_windows_logs     json         S3                  ✅
Wazuh Server Linux Logs       wazuh_server_linux_logs       json         S3
Wazuh Server Firewall Logs    wazuh_server_firewall_logs    json         S3                  ✅

Overview

Wazuh is an open-source security monitoring platform that provides log data analysis, intrusion detection, and compliance management. It helps organizations detect, analyze, and respond to security threats in real time by collecting and processing security events from various sources, including servers, network devices, and cloud environments. Wazuh offers features like file integrity monitoring, vulnerability detection, and centralized log management, helping security teams ensure compliance with industry standards and strengthen overall security posture. It integrates with other security tools, like SIEM systems, to provide a comprehensive view of an organization’s security landscape.

Supported data types

Wazuh Alerts

Table name: wazuh_alerts

Wazuh Alert logs are essential components of the platform, offering detailed records of security alerts generated by various detection mechanisms, including log analysis, anomaly detection, and threat intelligence integration. These logs contain information about potential security incidents, including the type of alert, affected system or resource, severity level, timestamp, and relevant contextual data.

Wazuh Server Firewall Logs

Table name: wazuh_server_firewall_logs

Wazuh Server Firewall logs capture network traffic events from firewall devices integrated with Wazuh. They include source and destination IPs and ports, actions (allow/deny/start), firewall policies, session IDs, protocols, interfaces, geographic data, and device identifiers. These logs help monitor network activity, detect blocked connections, and analyze firewall policy effectiveness.

Wazuh Server Linux Logs

Table name: wazuh_server_linux_logs

Wazuh Server Linux logs collect system events from Linux endpoints monitored by Wazuh agents. They include kernel messages, syscollector process events, system calls, authentication events, and application logs. Fields include process details (PID, name, command), user and group information, system resource usage, and event timestamps. These logs support system monitoring, process tracking, and security analysis on Linux systems.

Wazuh Server Windows Logs

Table name: wazuh_server_windows_logs

Wazuh Server Windows logs capture Windows Event Log data from Windows endpoints monitored by Wazuh agents. They include security events (logons, authentication, privilege changes), system events, application events, and audit events. Fields include event IDs, user accounts, domains, logon types, process information, and detailed event messages. These logs help track Windows security events, user activity, and compliance monitoring.

Send data to Hunters

Hunters supports the ingestion of Wazuh logs via an intermediary AWS S3 bucket.

To connect Wazuh logs:

  1. Export your Wazuh logs to an AWS S3 bucket by following this guide.

  2. Once the export is complete and the logs are being collected in S3, follow the steps in this section.

Expected format

Wazuh Alerts

Hunters supports the ingestion of Wazuh Alerts in a key-value format, which you can connect on your own using the Hunters platform.

In addition, Hunters can ingest Wazuh logs in JSON format using a manual configuration process. To use this option, open an Onboard Supported Integration ticket from the Hunters Support Portal.

🚧 Note

Since this is a complex data source, make sure the exported data adheres to the following:

  • Every new log record must start with '**'.

  • Every key and value must be separated by a ':' and each pair must appear on its own line (see the example below).

Key-value example

** Alert 1679319621.1291172505: - fortigate,syslog,
2017 Feb 14 12:19:06 localhost->/var/log/secure
Rule: 81633 (level 3) -> 'Fortigate: App passed by firewall.'
Src IP: 1.1.1.1
Src Port: 37392
Dst IP: 2.2.2.2
Dst Port: 443
Mar 20 13:40:20 10.17.2.68 date=2023-03-20 time=13:40:20 devname="device-name" devid="device-name" eventtime=1679319620487989456 tz="+0000" logid="1111" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=47013 srcip=1.1.1.1 dstip=2.2.2.2 srcport=37392 dstport=443 srcintf="port4" srcintfrole="dmz" dstintf="port1" dstintfrole="wan" proto=6 service="SSL" direction="incoming" policyid=41 sessionid=4444 applist="default" action="pass" appcat="Network.Service" app="SSL_TLSv1.3" hostname="www.host.de" incidentserialno=5555 url="/" msg="Network.Service: SSL_TLSv1.3," apprisk="medium" device="AWS-FW"
app: SSL_TLSv1.3
appcat: Network.Service
appid: 47013
applist: default
apprisk: medium
cat: Network.Service
direction: incoming
dstintf: port1
dstintfrole: wan
eventtime: 1679319620487989456
eventtype: signature
hostname: www.host.de
incidentserialno: 5555
ip: 1.1.1.1
level: information
logid: 1111
msg: Network.Service: SSL_TLSv1.3,
policyid: 41
proto: 6
service: SSL
sessionid: 4444
srcintf: port4
srcintfrole: dmz
subtype: app-ctrl
time: 13:40:20
type: utm
vd: root
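To make the two format requirements above concrete, here is a parser for the key-value layout, added as an example and not code from Hunters or Wazuh. It splits the export into records on the '** Alert' header lines, reads the origin and Rule lines, and stores every 'key: value' line in a dictionary; anything else is kept verbatim as the raw event. The sample records are constructed (trimmed from the page's example plus a second sshd record), and treating the slot between ':' and '-' in the header as a free-text flags field (Wazuh writes a mail marker there) is an assumption.

```python
"""Parse Wazuh alerts in the key-value (alerts.log) layout shown above."""
import re
from dataclasses import dataclass, field

# '** Alert <epoch.counter>:<flags>- <group1>,<group2>,'  (the flags slot is
# where Wazuh writes a 'mail' marker; handled as free text, an assumption)
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):(?P<flags>[^-]*)- (?P<groups>.*)$")
# '2017 Feb 14 12:19:06 localhost->/var/log/secure'
ORIGIN_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+?)->(?P<location>.*)$")
# "Rule: 81633 (level 3) -> 'Fortigate: App passed by firewall.'"
RULE_RE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# 'key: value' -- the key must be followed by ': ' (colon, space), so a raw
# syslog line such as 'Mar 20 13:40:20 ...' is not mistaken for a pair.
KV_RE = re.compile(r"^(?P<key>\w[\w .-]*?): (?P<value>.*)$")


@dataclass
class WazuhAlert:
    alert_id: str
    flags: str
    groups: list
    timestamp: str = ""
    host: str = ""
    location: str = ""
    rule_id: str = ""
    level: int = 0
    description: str = ""
    fields: dict = field(default_factory=dict)
    full_log: str = ""


def parse_alerts(text: str) -> list:
    """Split text into records on '** Alert' headers and parse each one.
    Raises ValueError on data that belongs to no record or on a bad header."""
    alerts, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("**"):                      # record boundary
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: malformed '** Alert' header: {line!r}")
            current = WazuhAlert(alert_id=m["id"], flags=m["flags"].strip(),
                                 groups=[g for g in m["groups"].split(",") if g])
            alerts.append(current)
            continue
        if current is None:
            raise ValueError(f"line {lineno}: data before the first '** Alert' header")
        if m := RULE_RE.match(line):
            current.rule_id, current.level, current.description = m["rule_id"], int(m["level"]), m["desc"]
        elif (m := ORIGIN_RE.match(line)) and not current.timestamp:
            current.timestamp, current.host, current.location = m["ts"], m["host"], m["location"]
        elif m := KV_RE.match(line):
            current.fields[m["key"]] = m["value"]
        else:                                          # raw event as Wazuh received it
            current.full_log = f"{current.full_log}\n{line}" if current.full_log else line
    return alerts


# Constructed sample: the page's example trimmed, plus a second (sshd) record.
SAMPLE = """\
** Alert 1679319621.1291172505: - fortigate,syslog,
2017 Feb 14 12:19:06 localhost->/var/log/secure
Rule: 81633 (level 3) -> 'Fortigate: App passed by firewall.'
Src IP: 1.1.1.1
Src Port: 37392
Dst IP: 2.2.2.2
Dst Port: 443
Mar 20 13:40:20 10.17.2.68 date=2023-03-20 time=13:40:20 devname="device-name" srcip=1.1.1.1 dstip=2.2.2.2 dstport=443 action="pass" msg="Network.Service: SSL_TLSv1.3,"
action: pass
dstport: 443
msg: Network.Service: SSL_TLSv1.3,
srcip: 1.1.1.1

** Alert 1679319700.42: mail  - syslog,sshd,
2023 Mar 20 13:41:40 bastion->/var/log/auth.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 203.0.113.7
User: root
Mar 20 13:41:40 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51422 ssh2
"""

if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE):
        print(alert.alert_id, alert.rule_id, alert.level, alert.groups, sorted(alert.fields))
```

The key/value test is a heuristic: a raw event line that has no timestamp prefix but does contain ': ' would be read as a pair rather than as raw text, so when you validate an export, look at each record's full_log as well as its fields before trusting the split.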

JSON example

{
    "agent": {
        "id": "18559",
        "ip": "1.2.3.4",
        "name": "test-prod-01"
    },
    "cluster": {
        "name": "wazuh",
        "node": "wazuh-manager"
    },
    "data": {
        "dstuser": "root"
    },
    "decoder": {
        "name": "pam",
        "parent": "pam"
    },
    "full_log": "Jun 12 23:59:58 test-prod-01 sudo: pam_unix(sudo:session): session closed for user root",
    "id": "1718236799.207892585",
    "location": "/var/log/auth.log",
    "manager": {
        "name": "wazuh-manager"
    },
    "predecoder": {
        "hostname": "test-prod-01",
        "program_name": "sudo",
        "timestamp": "Jun 12 23:59:58"
    },
    "rule": {
        "description": "PAM: Login session closed.",
        "firedtimes": 1623,
        "gdpr": [
            "IV_32.2"
        ],
        "gpg13": [
            "7.8",
            "7.9"
        ],
        "groups": [
            "pam",
            "syslog"
        ],
        "hipaa": [
            "1.2.b"
        ],
        "id": "5502",
        "level": 3,
        "mail": false,
        "nist_800_53": [
            "AU.14",
            "AC.7"
        ],
        "pci_dss": [
            "10.2.5"
        ],
        "tsc": [
            "CC6.8",
            "CC7.2",
            "CC7.3"
        ]
    },
    "timestamp": "2024-06-12T23:59:59.344+0000"
}

Wazuh Server Windows Logs (wazuh_server_windows_logs):

{"timestamp":"2025-12-30T00:00:22.049+0000","rule":{"level":3,"description":"Windows audit success event.","id":"60103","firedtimes":1424,"mail":false,"groups":["windows","windows_security"]},"agent":{"id":"004","name":"windows-host-02.example.com","ip":"192.168.1.31"},"manager":{"name":"wazuh-manager-01.example.com"},"id":"1767052822.7426902","cluster":{"name":"cluster-prod","node":"wazuh-manager-01"},"full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{12345678-1234-1234-1234-123456789012}\",\"eventID\":\"5061\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12290\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2025-12-29T23:59:03.585940500Z\",\"eventRecordID\":\"1000000002\",\"processID\":\"704\",\"threadID\":\"4780\",\"channel\":\"Security\",\"computer\":\"windows-host-02.example.com\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"Cryptographic operation.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tWINDOWS-HOST-02$\\r\\n\\tAccount Domain:\\t\\tEXAMPLE\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nCryptographic Parameters:\\r\\n\\tProvider Name:\\tMicrosoft Software Key Storage Provider\\r\\n\\tAlgorithm Name:\\tRSA\\r\\n\\tKey Name:\\taaaa1111-bbbb-2222-cccc-333333333333\\r\\n\\tKey Type:\\tMachine key.\\r\\n\\r\\nCryptographic Operation:\\r\\n\\tOperation:\\tOpen Key.\\r\\n\\tReturn Code:\\t0x0\\\"\"},\"eventdata\":{\"subjectUserSid\":\"S-1-5-18\",\"subjectUserName\":\"WINDOWS-HOST-02$\",\"subjectDomainName\":\"EXAMPLE\",\"subjectLogonId\":\"0x3e7\",\"providerName\":\"Microsoft Software Key Storage Provider\",\"algorithmName\":\"RSA\",\"keyName\":\"aaaa1111-bbbb-2222-cccc-333333333333\",\"keyType\":\"%%2499\",\"operation\":\"%%2480\",\"returnCode\":\"0x0\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{12345678-1234-1234-1234-123456789012}","eventID":"5061","version":"0","level":"0","task":"12290","opcode":"0","keywords":"0x8020000000000000","systemTime":"2025-12-29T23:59:03.585940500Z","eventRecordID":"1000000002","processID":"704","threadID":"4780","channel":"Security","computer":"windows-host-02.example.com","severityValue":"AUDIT_SUCCESS","message":"\"Cryptographic operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWINDOWS-HOST-02$\r\n\tAccount Domain:\t\tEXAMPLE\r\n\tLogon ID:\t\t0x3E7\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tRSA\r\n\tKey Name:\taaaa1111-bbbb-2222-cccc-333333333333\r\n\tKey Type:\tMachine key.\r\n\r\nCryptographic Operation:\r\n\tOperation:\tOpen Key.\r\n\tReturn Code:\t0x0\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"WINDOWS-HOST-02$","subjectDomainName":"EXAMPLE","subjectLogonId":"0x3e7","providerName":"Microsoft Software Key Storage Provider","algorithmName":"RSA","keyName":"aaaa1111-bbbb-2222-cccc-333333333333","keyType":"%%2499","operation":"%%2480","returnCode":"0x0"}}},"location":"EventChannel","log_type":"windows"}

Wazuh Server Linux Logs (wazuh_server_linux_logs):

{"timestamp":"2025-12-30T23:59:59.988+0000","agent":{"id":"001","name":"linux-host-01.example.com","ip":"192.168.1.20"},"manager":{"name":"wazuh-manager-01.example.com"},"id":"1767139199.1520203630","cluster":{"name":"cluster-prod","node":"wazuh-manager-01"},"full_log":"Dec 30 23:59:59 linux-server-01 kernel: connection5:0: detected conn error (1020)","predecoder":{"program_name":"kernel","timestamp":"Dec 30 23:59:59","hostname":"linux-server-01"},"decoder":{"name":"kernel"},"location":"/var/log/messages","log_type":"linux"}

Wazuh Server Firewall Logs (wazuh_server_firewall_logs):

{"timestamp":"2025-12-31T00:00:01.645-0500","agent":{"id":"000","name":"wazuh-manager-01.example.com"},"manager":{"name":"wazuh-manager-01.example.com"},"id":"1767157201.0","cluster":{"name":"cluster-prod","node":"wazuh-manager-01"},"full_log":"Dec 30 23:59:59 192.168.1.10 date=2025-12-30 time=20:59:59 devname=\"firewall-device-01\" devid=\"DEVICE123456789\" eventtime=1767157199085998951 tz=\"-0800\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=192.168.1.100 srcport=39830 srcintf=\"port3\" srcintfrole=\"undefined\" dstip=203.0.113.1 dstport=443 dstintf=\"port2\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"United States\" sessionid=1234567890 proto=6 action=\"deny\" policyid=47 policytype=\"policy\" poluuid=\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\" policyname=\"Inside-to-Outside-Attack-DENY\" service=\"HTTPS\" trandisp=\"noop\" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat=\"unscanned\" crscore=30 craction=131072 crlevel=\"high\"","predecoder":{"timestamp":"Dec 30 23:59:59","hostname":"192.168.1.10"},"decoder":{"name":"fortigate-firewall-v5"},"data":{"action":"deny","srcip":"192.168.1.100","srcport":"39830","dstip":"203.0.113.1","dstport":"443","appcat":"unscanned","craction":"131072","crlevel":"high","crscore":"30","devid":"DEVICE123456789","devname":"firewall-device-01","dstcountry":"United States","dstintf":"port2","dstintfrole":"undefined","duration":"0","eventtime":"1767157199085998951","level":"notice","logid":"0000000013","policyid":"47","poluuid":"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee","proto":"6","rcvdbyte":"0","sentbyte":"0","sentpkt":"0","service":"HTTPS","sessionid":"1234567890","srccountry":"Reserved","srcintf":"port3","srcintfrole":"undefined","subtype":"forward","time":"20:59:59","trandisp":"noop","type":"traffic","vd":"root"},"location":"/var/log/wazuh-syslog/192.168.1.10.log"}
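The three JSON layouts above keep their useful fields in different places: Windows events carry the Event Log under data.win and again as a JSON string in full_log, Linux syslog records have only predecoder and full_log, and the firewall record has decoded fields under data but no log_type at all. The following normalizer, added here as an example and not code from Hunters or Wazuh, reads newline-delimited records and flattens each into one row with a shared envelope plus per-type fields. The sample records are constructed (trimmed from the page's examples, with the Windows event swapped for a 4624 logon so that there is a target user to extract), and inferring the log type from the decoder name when log_type is absent is an assumption.

```python
"""Flatten Wazuh JSON events (the wazuh_server_* tables) into one row schema."""
import json


def load_records(text):
    """Parse newline-delimited JSON (one event per line); name the bad line on failure."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            try:
                records.append(json.loads(line))
            except json.JSONDecodeError as exc:
                raise ValueError(f"line {lineno}: not valid JSON ({exc.msg})") from exc
    return records


def log_type(rec):
    """Explicit log_type when present (the page's firewall example has none),
    otherwise inferred from the decoder name (an assumption)."""
    if rec.get("log_type"):
        return rec["log_type"]
    decoder = rec.get("decoder", {}).get("name", "")
    if decoder == "windows_eventchannel":
        return "windows"
    if decoder.startswith("fortigate"):
        return "firewall"
    return "linux" if "predecoder" in rec else "unknown"


def windows_event(rec):
    """Event Log fields live under data.win; the same object is also embedded
    as a JSON string in full_log, which is decoded only if data.win is absent."""
    win = rec.get("data", {}).get("win") or json.loads(rec["full_log"])["win"]
    system, eventdata = win.get("system", {}), win.get("eventdata", {})
    return {"event_id": system.get("eventID"), "channel": system.get("channel"),
            "computer": system.get("computer"),
            "subject_user": eventdata.get("subjectUserName"),
            "target_user": eventdata.get("targetUserName"),
            "logon_type": eventdata.get("logonType")}


def normalize(rec):
    """Common envelope plus the per-log-type fields an analyst filters on."""
    rule = rec.get("rule", {})          # absent on plain syslog and firewall records
    row = {"timestamp": rec["timestamp"],
           "agent_id": rec.get("agent", {}).get("id"),   # "000" is the manager itself
           "agent": rec.get("agent", {}).get("name"),
           "decoder": rec.get("decoder", {}).get("name"),
           "location": rec.get("location"),
           "rule_id": rule.get("id"), "rule_level": rule.get("level"),
           "log_type": log_type(rec)}
    if row["log_type"] == "windows":
        row.update(windows_event(rec))
    elif row["log_type"] == "firewall":
        d = rec.get("data", {})           # decoded values are strings; cast the ports
        row.update({k: d.get(k) for k in ("action", "srcip", "dstip", "policyid", "devname")})
        row.update({k: int(d[k]) for k in ("srcport", "dstport") if d.get(k)})
    else:
        pre = rec.get("predecoder", {})
        row.update({"hostname": pre.get("hostname"),
                    "program_name": pre.get("program_name"),
                    "message": rec.get("full_log")})
    return row


def normalize_all(text):
    return [normalize(r) for r in load_records(text)]


# Constructed sample: three trimmed records modelled on the page's examples
# (the Windows record is a 4624 logon instead of the page's 5061 crypto event).
_WIN = {"system": {"providerName": "Microsoft-Windows-Security-Auditing", "eventID": "4624",
                   "channel": "Security", "computer": "windows-host-02.example.com"},
        "eventdata": {"subjectUserName": "WINDOWS-HOST-02$", "targetUserName": "alice",
                      "logonType": "3"}}
SAMPLE_LINES = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2025-12-30T00:00:22.049+0000", "rule": {"level": 3, "id": "60103"},
     "agent": {"id": "004", "name": "windows-host-02.example.com"},
     "full_log": json.dumps({"win": _WIN}), "data": {"win": _WIN},
     "decoder": {"name": "windows_eventchannel"}, "location": "EventChannel",
     "log_type": "windows"},
    {"timestamp": "2025-12-30T23:59:59.988+0000",
     "agent": {"id": "001", "name": "linux-host-01.example.com"},
     "full_log": "Dec 30 23:59:59 linux-server-01 kernel: connection5:0: detected conn error (1020)",
     "predecoder": {"program_name": "kernel", "hostname": "linux-server-01"},
     "decoder": {"name": "kernel"}, "location": "/var/log/messages", "log_type": "linux"},
    {"timestamp": "2025-12-31T00:00:01.645-0500",
     "agent": {"id": "000", "name": "wazuh-manager-01.example.com"},
     "full_log": 'Dec 30 23:59:59 192.168.1.10 date=2025-12-30 srcip=192.168.1.100 dstip=203.0.113.1 dstport=443 action="deny" policyid=47',
     "decoder": {"name": "fortigate-firewall-v5"},
     "data": {"action": "deny", "srcip": "192.168.1.100", "srcport": "39830",
              "dstip": "203.0.113.1", "dstport": "443", "policyid": "47",
              "devname": "firewall-device-01"},
     "location": "/var/log/wazuh-syslog/192.168.1.10.log"},  # no log_type: inferred
])

if __name__ == "__main__":
    for row in normalize_all(SAMPLE_LINES):
        print(row["log_type"], row["agent"], row["rule_id"],
              row.get("event_id") or row.get("action") or row.get("program_name"))
```

Two details matter when you build on this: the firewall record is reported by agent "000", which is the manager itself rather than an endpoint agent, so agent-based filters need to account for that, and the decoded firewall values (ports, policy IDs) arrive as strings and should be cast before numeric comparisons.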