Wazuh production architecture blueprint

Every component, the port it speaks on, the hotel-security job it does, and the checklist to ship it. The one-page map for going live.

Use this The compressed companion to Lesson 12. Grounded in the official Wazuh components and securing-Wazuh docs. Assumes the native package install (Lesson 3).

1 · Component & daemon map

Component / daemon	Side	Job (hotel framing)
wazuh-logcollector	agent	Reads auth / PMS / POS logs and ships them.
wazuh-syscheckd (FIM)	agent	File-tamper detection — swapped POS binary, edited PMS config.
SCA module	agent	CIS hardening score → PCI-DSS evidence per machine.
rootcheck	agent	Rootkit / hidden-process detection.
wazuh-execd	agent	Runs the Active-Response action locally (e.g. firewall-drop).
wazuh-analysisd	manager	Decoders + rules → alerts with a level. The brain.
wazuh-remoted	manager	Receives agent events; pushes Active Response back down.
wazuh-authd	manager	Agent enrolment / key issuance.
wazuh-modulesd	manager	Vulnerability Detection & other manager modules.
wazuh-db	manager	Agent state & inventory store.
wazuh-apid (Wazuh API)	manager	REST API the dashboard & your automation call.
Filebeat	manager	Ships `alerts.json` from manager → indexer.
Wazuh indexer	storage	Stores & searches alerts (`wazuh-alerts-*`), vuln state.
Wazuh dashboard	screen	Triage UI + RBAC / tenant management.

Component / daemon

Side

Job (hotel framing)

wazuh-logcollector

agent

Reads auth / PMS / POS logs and ships them.

wazuh-syscheckd (FIM)

agent

File-tamper detection — swapped POS binary, edited PMS config.

SCA module

agent

CIS hardening score → PCI-DSS evidence per machine.

rootcheck

agent

Rootkit / hidden-process detection.

wazuh-execd

agent

Runs the Active-Response action locally (e.g. firewall-drop).

wazuh-analysisd

manager

Decoders + rules → alerts with a level. The brain.

wazuh-remoted

manager

Receives agent events; pushes Active Response back down.

wazuh-authd

manager

Agent enrolment / key issuance.

wazuh-modulesd

manager

Vulnerability Detection & other manager modules.

wazuh-db

manager

Agent state & inventory store.

wazuh-apid (Wazuh API)

manager

REST API the dashboard & your automation call.

Filebeat

manager

Ships alerts.json from manager → indexer.

Wazuh indexer

storage

Stores & searches alerts (wazuh-alerts-*), vuln state.

Wazuh dashboard

screen

Triage UI + RBAC / tenant management.

2 · Ports to know (and firewall)

Port	Between	Production rule
1514/tcp	agent → manager (events)	Reachable only from hotel agent networks.
1515/tcp	agent → manager (enrolment)	Password-protect (authd); restrict source.
514/udp	firewall/switch → manager (syslog)	Only the agentless devices' subnet.
55000/tcp	dashboard/automation → Wazuh API	Restrict to you & tooling, not public.
9200/tcp	Filebeat/dashboard → indexer	Never public. Localhost / internal only.
443/tcp	browser → dashboard	Proper TLS; the only port analysts need.

Port

Between

Production rule

1514/tcp

agent → manager (events)

Reachable only from hotel agent networks.

1515/tcp

agent → manager (enrolment)

Password-protect (authd); restrict source.

514/udp

firewall/switch → manager (syslog)

Only the agentless devices' subnet.

55000/tcp

dashboard/automation → Wazuh API

Restrict to you & tooling, not public.

9200/tcp

Filebeat/dashboard → indexer

Never public. Localhost / internal only.

443/tcp

browser → dashboard

Proper TLS; the only port analysts need.

3 · Data flow

Agent:1515 enroll → :1514 events

→

Manageranalysisd → alerts.json

→

Filebeat→ indexer :9200

→

Indexerwazuh-alerts-*

→

Dashboard:443 → triage

4 · Key files

Path	What
/var/ossec/etc/ossec.conf	Main config (agent & manager each have one).
/var/ossec/etc/rules/local_rules.xml	Your custom rules (IDs ≥ 100000).
/var/ossec/etc/decoders/local_decoder.xml	Your custom decoders.
/var/ossec/etc/shared/<group>/agent.conf	Per-hotel centralized config (auto-pushed).
/var/ossec/logs/alerts/alerts.json	Alerts the dashboard reads (via Filebeat).
/var/ossec/logs/ossec.log	Daemon health — first stop when something breaks.
/var/ossec/logs/active-responses.log	What Active Response actually did.

Path

What

/var/ossec/etc/ossec.conf

Main config (agent & manager each have one).

/var/ossec/etc/rules/local_rules.xml

Your custom rules (IDs ≥ 100000).

/var/ossec/etc/decoders/local_decoder.xml

Your custom decoders.

/var/ossec/etc/shared/<group>/agent.conf

Per-hotel centralized config (auto-pushed).

/var/ossec/logs/alerts/alerts.json

Alerts the dashboard reads (via Filebeat).

/var/ossec/logs/ossec.log

Daemon health — first stop when something breaks.

/var/ossec/logs/active-responses.log

What Active Response actually did.

5 · Go-live checklist

Identity & trust

Replace self-signed certs with proper TLS.
Rotate all default passwords (admin + internal indexer users).
Enable authd registration password; restrict 1515.

Network

Indexer 9200 firewalled to internal/localhost only.
Expose only 443 (dashboard); scope 55000, 1514/1515.

Data lifecycle

ISM retention policy (e.g. ~90 days) so disks don't fill.
Indexer JVM heap ≈ 50% RAM, under ~32 GB.
Back up /var/ossec/etc + indexer snapshots.

Operate

NTP on every host (correlation depends on clocks).
Agent group + RBAC tenant per hotel before client #2.
Active Response: specific rule IDs, timeout, whitelist your IPs.
Monitor the monitor: disk, manager up, Filebeat lag.