FreeBSD.software
Review · 2026-04-09 · 9 min read

Wazuh Agent on FreeBSD: Security Monitoring Review

In-depth review of Wazuh agent on FreeBSD: SIEM overview, agent installation, file integrity monitoring, log analysis, rootcheck, vulnerability detection, and comparison with OSSEC.

Wazuh is an open-source security monitoring platform that provides intrusion detection, file integrity monitoring, log analysis, vulnerability detection, and compliance auditing. It evolved from OSSEC -- the venerable host-based intrusion detection system -- and has grown into a full SIEM (Security Information and Event Management) platform with a centralized manager, a RESTful API, and a web dashboard built on OpenSearch Dashboards. On FreeBSD, the Wazuh agent monitors the local system and reports events to the Wazuh manager for correlation, alerting, and visualization. This review covers Wazuh's architecture, FreeBSD agent installation and configuration, file integrity monitoring (FIM), log analysis, rootcheck, vulnerability detection, and how it compares with OSSEC and other security monitoring tools.

What Wazuh Does

Wazuh operates in a client-server model. The Wazuh manager (server) receives data from agents, correlates events, generates alerts, and stores data in an indexer (OpenSearch or Elasticsearch). The Wazuh agent runs on each monitored system and collects security-relevant data.

Core capabilities:

  • File Integrity Monitoring (FIM) -- detect changes to files, directories, permissions, and ownership. Alerts when critical system files are modified, added, or deleted.
  • Log analysis -- collect and analyze system logs, application logs, and security logs. Built-in decoders for syslog, Apache, Nginx, PostgreSQL, SSH, sudo, and hundreds of other log formats.
  • Rootcheck -- scan for rootkits, trojans, and system anomalies. Checks for hidden processes, hidden ports, and known rootkit signatures.
  • Vulnerability detection -- compare installed software versions against CVE databases to identify known vulnerabilities.
  • Compliance monitoring -- map security events to compliance frameworks (PCI DSS, HIPAA, GDPR, CIS benchmarks).
  • Active response -- automatically execute countermeasures when specific alerts trigger (block an IP, kill a process, disable a user account).
  • System inventory -- collect hardware, software, network interface, and open port information from agents.
  • Security Configuration Assessment (SCA) -- evaluate system configuration against security benchmarks and report deviations.

Wazuh is not a network intrusion detection system (NIDS). It does not inspect network traffic. For network-level detection, pair it with Suricata or Snort. Wazuh focuses on host-level security monitoring.

Architecture Overview

A Wazuh deployment consists of three components:

  1. Wazuh Manager -- the central server that receives agent data, runs the analysis engine, and generates alerts. Typically runs on a dedicated Linux server (FreeBSD manager support is limited).
  2. Wazuh Indexer -- an OpenSearch or Elasticsearch cluster that stores alerts, events, and agent data for search and visualization.
  3. Wazuh Dashboard -- a web interface (based on OpenSearch Dashboards) for viewing alerts, managing agents, and creating visualizations.

The FreeBSD agent connects to the Wazuh manager on TCP port 1514 by default (UDP is configurable). The traffic is encrypted with a per-agent pre-shared key that the agent obtains once, at enrollment, from the manager's registration service on TCP port 1515. The agent sends logs, FIM events, rootcheck results, and system inventory data; the manager decodes and correlates them and generates alerts. Only the manager needs inbound firewall rules (1514 and 1515 from the agent networks); nothing has to be reachable on the agent side.

For small deployments (under 50 agents), all three server components can run on a single machine. Larger deployments distribute them across dedicated servers for performance.

Agent Installation on FreeBSD

The Wazuh agent is available for FreeBSD through packages and manual compilation.

Package Installation

sh
pkg install wazuh-agent

If the package is not available in the default repository, build from source:

Source Installation

sh
pkg install git gmake gcc cmake
cd /usr/local/src
git clone https://github.com/wazuh/wazuh.git -b v4.9.0
cd wazuh/src
gmake TARGET=agent
cd ..
./install.sh

During installation, select "agent" mode, enter the Wazuh manager's IP address, and accept the defaults.

Register the Agent

Register with the manager using the enrollment client. It talks to the manager's authd service on TCP port 1515 and writes the returned key to /var/ossec/etc/client.keys:

sh
/var/ossec/bin/agent-auth -m manager_ip_address

Without an enrollment password, anything that can reach port 1515 can enroll as an agent and start feeding the manager events. For production, set <use_password>yes</use_password> in the manager's <auth> block, put the password in /var/ossec/etc/authd.pass on the manager, and pass it to the agent with agent-auth -P (or place the same file on the agent).

Or enroll from the manager side through the Wazuh API (TCP port 55000). Obtain a token first; the POST returns the new agent's ID and key, which then has to be imported on the FreeBSD host with /var/ossec/bin/manage_agents -i:

sh
TOKEN=$(curl -sk -u wazuh:wazuh_api_password -X POST \
  "https://manager_ip:55000/security/user/authenticate?raw=true")
curl -k -X POST "https://manager_ip:55000/agents" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"freebsd-server","ip":"192.168.1.50"}'

The -k flag skips TLS verification and is only acceptable against a lab manager; in production point curl at the manager's CA with --cacert instead.

Configure the Agent

Edit /var/ossec/etc/ossec.conf:

xml
<ossec_config>
  <client>
    <server>
      <address>manager_ip_address</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>

  <syscheck>
    <!-- Full scan every 12 hours -->
    <frequency>43200</frequency>
    <directories check_all="yes">/etc,/usr/local/etc</directories>
    <directories check_all="yes">/usr/local/bin,/usr/local/sbin</directories>
    <directories check_all="yes">/boot</directories>
    <ignore>/etc/motd</ignore>
  </syscheck>

  <rootcheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
  </rootcheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/security</location>
  </localfile>
</ossec_config>

Start the Agent

sh
sysrc wazuh_agent_enable="YES"
service wazuh-agent start

Verify the agent is connected:

sh
/var/ossec/bin/wazuh-control status

All processes should show as "running." On the manager, verify the agent appears:

sh
/var/ossec/bin/agent_control -l
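wazuh-control status only says whether the agent daemons are running; whether they actually reached the manager is recorded in /var/ossec/var/run/wazuh-agentd.state. The following script is an added example, not code from this page or from Wazuh. It reads that file (assuming the key names a 4.x agent writes: status, last_keepalive, last_ack, msg_count, msg_sent, in key='value' form) and flags an agent that claims to be connected but whose newest keepalive was never acknowledged. The sample state files it builds are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the page or from Wazuh): decide whether a FreeBSD
# agent is really talking to its manager, using the agent's own state file.
# Assumption: Wazuh 4.x key names (status, last_keepalive, last_ack,
# msg_count, msg_sent) written as key='value'.

STATE_FILE="${STATE_FILE:-/var/ossec/var/run/wazuh-agentd.state}"

# state_value FILE KEY -> value of KEY (last occurrence wins)
state_value() {
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1" | tail -n 1
}

# agent_health FILE -> ok | unacked | disconnected | pending | unknown
# "unacked": status says connected but the newest keepalive has no ACK, which
# is what a link that broke after enrollment (return path filtered, manager
# down) looks like before the agent gives up and reports disconnected.
agent_health() {
    status=$(state_value "$1" status)
    keepalive=$(state_value "$1" last_keepalive)
    ack=$(state_value "$1" last_ack)
    case "$status" in
        connected)
            # "YYYY-MM-DD HH:MM:SS" sorts chronologically as a plain string,
            # so the newer of the two timestamps is whichever sorts last.
            newest=$(printf '%s\n%s\n' "$keepalive" "$ack" | LC_ALL=C sort | tail -n 1)
            if [ -n "$ack" ] && [ "$newest" = "$ack" ]; then
                echo ok
            else
                echo unacked
            fi ;;
        disconnected|pending) echo "$status" ;;
        *) echo unknown ;;
    esac
}

# make_state_file STATUS KEEPALIVE ACK MSG_COUNT MSG_SENT -> path of a
# constructed state file (demo input only; a real agent writes its own).
make_state_file() {
    f=$(mktemp)
    cat > "$f" <<EOF
# State file for wazuh-agentd (constructed sample)
status='$1'
last_keepalive='$2'
last_ack='$3'
msg_count='$4'
msg_sent='$5'
EOF
    printf '%s\n' "$f"
}

# Stand-alone demonstration on constructed files, then the live agent if present.
demo=$(make_state_file connected '2026-04-09 10:00:00' '2026-04-09 10:00:01' 500 480)
echo "healthy sample: $(agent_health "$demo")"     # ok
demo=$(make_state_file connected '2026-04-09 10:05:00' '2026-04-09 10:00:01' 500 480)
echo "unacked sample: $(agent_health "$demo")"     # unacked
if [ -r "$STATE_FILE" ]; then
    echo "this host: $(agent_health "$STATE_FILE") ($(state_value "$STATE_FILE" msg_sent) messages sent)"
fi
```

Run it from cron or a monitoring check and alert on anything other than ok; a fleet where every agent reports "unacked" at once points at the manager or the network in front of it rather than at the agents.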

File Integrity Monitoring (FIM)

FIM is Wazuh's most valuable feature for FreeBSD servers. It detects unauthorized changes to system files, configuration files, and binaries.

Configuration

The syscheck section controls FIM behavior:

xml
<syscheck>
  <frequency>43200</frequency>

  <!-- Critical FreeBSD directories; report_changes keeps a copy of text
       files so alerts can carry a diff of what changed -->
  <directories check_all="yes" report_changes="yes">/etc</directories>
  <directories check_all="yes" report_changes="yes">/usr/local/etc</directories>
  <directories check_all="yes">/boot/kernel</directories>
  <directories check_all="yes">/usr/local/bin</directories>
  <directories check_all="yes">/usr/local/sbin</directories>
  <directories check_all="yes">/usr/bin</directories>
  <directories check_all="yes">/usr/sbin</directories>
  <directories check_all="yes" report_changes="yes">/root/.ssh</directories>

  <!-- Files that legitimately change often. The .db files are regenerated
       by pwd_mkdb/cap_mkdb from their text sources, which stay monitored -->
  <ignore>/etc/resolv.conf</ignore>
  <ignore>/etc/pwd.db</ignore>
  <ignore>/etc/spwd.db</ignore>
  <ignore>/etc/login.conf.db</ignore>
  <ignore>/usr/local/etc/pkg/repos</ignore>

  <!-- Never ship the content of credential files in change reports -->
  <nodiff>/etc/master.passwd</nodiff>
  <nodiff>/root/.ssh/id_ed25519</nodiff>
</syscheck>

check_all="yes" turns on every attribute check (size, permissions, owner, group, mtime, inode, and file hashes). report_changes="yes" makes the agent keep a copy of text files under the monitored tree so that an alert can carry a diff of what changed; nodiff exempts individual files from that copy so password hashes and private keys never travel to the manager or land in alerts. Wazuh's realtime="yes" attribute is implemented with inotify on Linux and ReadDirectoryChangesW on Windows; FreeBSD is not among the platforms where it is available, so on FreeBSD a change is seen at the next scheduled scan and frequency (43200 seconds above, twice a day) bounds the detection delay. Lower it if faster detection matters more than the scan I/O, or pin the scan to a quiet window with scan_time and scan_day.

What FIM Detects

  • New files added to monitored directories (potential backdoor installation).
  • Modified files (configuration tampering, binary replacement).
  • Deleted files (evidence destruction).
  • Permission changes (privilege escalation preparation).
  • Ownership changes (unauthorized access modification).
  • Content changes with before/after diffs (what exactly changed).

FreeBSD-Specific Paths to Monitor

For a FreeBSD server, these paths are critical:

  • /etc/ -- system configuration (rc.conf, sysctl.conf, login.conf, pf.conf).
  • /usr/local/etc/ -- application configuration (nginx, postfix, redis, etc.).
  • /boot/kernel/ -- kernel modules. Unauthorized kernel module changes indicate rootkit activity.
  • /usr/local/bin/, /usr/local/sbin/ -- application binaries.
  • /root/ -- root user's home directory, including .ssh/authorized_keys.

Log Analysis

Wazuh's log analysis engine parses system and application logs using decoders and rules.

FreeBSD Log Sources

Add these to /var/ossec/etc/ossec.conf:

xml
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/messages</location>
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/auth.log</location>
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/security</location>
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/maillog</location>
</localfile>
<localfile>
  <log_format>apache</log_format>
  <location>/var/log/httpd-access.log</location>
</localfile>
<localfile>
  <log_format>json</log_format>
  <location>/var/log/caddy/access.log</location>
</localfile>

What Log Analysis Detects

Built-in rules detect:

  • SSH brute force attempts (multiple failed logins from the same source).
  • Successful root login (should be rare and audited).
  • Sudo privilege escalation.
  • User account creation and modification.
  • Service start/stop events.
  • PF firewall blocks.
  • Application errors and anomalies.

Custom Rules

Rules are evaluated on the manager, not on the agent, so custom rules for FreeBSD-specific events go into /var/ossec/etc/rules/local_rules.xml on the manager. PF does not write to syslog by itself; to get its decisions into Wazuh, feed the pflog interface to syslog with a tag (tcpdump -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info) so the lines arrive with program name pf:

xml
<group name="freebsd,custom">
  <!-- Lines produced by: tcpdump -l -n -e -ttt -i pflog0 | logger -t pf -->
  <rule id="100001" level="5">
    <program_name>pf</program_name>
    <match>block in|block out</match>
    <description>PF firewall blocked a connection</description>
  </rule>

  <!-- FreeBSD kernel OOM message, e.g.
       pid 1337 (redis-server), jid 0, uid 999, was killed: out of swap space -->
  <rule id="100002" level="10">
    <program_name>kernel</program_name>
    <regex type="pcre2">pid \d+ \(\S+\), jid \d+, uid \d+, was killed: </regex>
    <description>Process killed by the FreeBSD kernel (out of memory)</description>
  </rule>
</group>

Note that match uses Wazuh's simple pattern syntax (only ^, $ and | are special), so a wildcard such as .* inside match is taken literally; use regex, optionally with type="pcre2", when a real pattern is needed. Test new rules with /var/ossec/bin/wazuh-logtest on the manager by pasting a sample line.

Rootcheck

Rootcheck scans for rootkits, trojans, and system anomalies:

xml
<rootcheck>
  <disabled>no</disabled>
  <check_files>yes</check_files>
  <check_trojans>yes</check_trojans>
  <check_dev>yes</check_dev>
  <check_sys>yes</check_sys>
  <check_pids>yes</check_pids>
  <check_ports>yes</check_ports>
  <check_if>yes</check_if>
  <frequency>43200</frequency>
  <!-- Paths are relative to /var/ossec; these lists ship with the 4.x agent -->
  <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
  <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
  <skip_nfs>yes</skip_nfs>
</rootcheck>

The older system_audit policy files (the CIS .rcl checks) are deprecated in 4.x in favour of Security Configuration Assessment, which is the place to put benchmark checks.

Rootcheck performs:

  • Rootkit file detection -- checks for files known to be installed by common rootkits.
  • Rootkit trojan detection -- compares system binaries against known trojan signatures.
  • Hidden process detection -- probes every PID with kill(2), getsid(2) and getpgid(2) and compares the answers with the ps listing; a PID the kernel answers for but ps does not show is reported. FreeBSD does not mount procfs by default, and this check does not need it.
  • Hidden port detection -- tries to bind(2) every TCP and UDP port and compares the ports that turn out to be in use with netstat output; a port that is taken but missing from netstat is reported.
  • File anomaly detection -- finds SUID/SGID files, world-writable files, and files with unusual permissions.

Vulnerability Detection

Wazuh compares the package inventory that agents report against vulnerability feeds. Since Wazuh 4.8 the detector runs on the manager and is configured there; older releases used a <vulnerability-detector> block with per-OS <provider> entries, which does not apply to 4.8 and later. The agent only needs the syscollector package inventory enabled:

xml
<!-- Manager /var/ossec/etc/ossec.conf (Wazuh 4.8 and later) -->
<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

<!-- Agent /var/ossec/etc/ossec.conf: the inventory the manager evaluates -->
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <packages>yes</packages>
  <ports all="no">yes</ports>
  <processes>yes</processes>
</wodle>

On FreeBSD, syscollector collects the installed package list from the pkg database and ships name and version to the manager, which matches them against CVE data. Two caveats before relying on it: Wazuh's documented platform list for vulnerability detection covers Linux distributions, Windows and macOS, not FreeBSD, so confirm in the dashboard's inventory view that packages are actually listed for the FreeBSD agent and treat its vulnerability results as best effort; and the FreeBSD base system is not a package at all, so kernel and userland advisories (FreeBSD-SA) are invisible to package matching. Keep pkg audit -F (VuXML, the FreeBSD project's own vulnerability database) in the rotation for ports packages and freebsd-update for the base system.

Active Response

Wazuh can automatically respond to threats. A common example is blocking an IP after multiple failed SSH attempts:

xml
<!-- Manager /var/ossec/etc/ossec.conf: the command definition and the trigger.
     timeout_allowed is what makes the later "delete" call happen. -->
<command>
  <name>pf-block</name>
  <executable>pf-block.sh</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>pf-block</command>
  <location>local</location>
  <rules_id>5712</rules_id>
  <timeout>3600</timeout>
</active-response>

Create the PF blocking script at /var/ossec/active-response/bin/pf-block.sh on every FreeBSD agent (owned root:wazuh, mode 750, like the scripts already in that directory). wazuh-execd runs it as root, so pfctl needs no extra privileges. Wazuh 4.x passes the alert as a single JSON line on stdin rather than as positional arguments, and for "add" it expects the script to announce the key it is about to block and wait for permission:

sh
#!/bin/sh
# Wazuh 4.x hands the alert to the script as one JSON line on stdin
# (the old OSSEC argv convention "$1=action $3=ip" no longer applies).
read -r INPUT
ACTION=$(printf '%s' "$INPUT" | sed -n 's/.*"command":"\([a-z]*\)".*/\1/p')
IP=$(printf '%s' "$INPUT" | sed -n 's/.*"srcip":"\([0-9A-Fa-f.:]*\)".*/\1/p')
[ -n "$IP" ] || exit 1
if [ "$ACTION" = "add" ]; then
    # Stateful handshake: execd answers "continue" (new key) or "abort" (already blocked)
    printf '{"version":1,"origin":{"name":"pf-block","module":"active-response"},"command":"check_keys","parameters":{"keys":["%s"]}}\n' "$IP"
    read -r REPLY
    printf '%s' "$REPLY" | grep -q '"command":"continue"' || exit 0
    pfctl -t wazuh_blocked -T add "$IP"
elif [ "$ACTION" = "delete" ]; then
    pfctl -t wazuh_blocked -T delete "$IP"
fi

Add the table and a block rule to /etc/pf.conf, ahead of the pass rules, and reload with pfctl -f /etc/pf.conf:

sh
table <wazuh_blocked> persist
block quick from <wazuh_blocked>

An IP that trips rule 5712 is added to the wazuh_blocked table immediately; because the command has timeout_allowed set, wazuh-execd calls the same script with command "delete" 3600 seconds later and the entry is removed, so the block lasts one hour. Inspect the table at any time with pfctl -t wazuh_blocked -T show. The table lives in kernel memory, so a reboot empties it, which is the right behaviour for temporary blocks.
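The stdin protocol above is the step most custom scripts get wrong, and testing it normally needs a live manager and root on a pf host. The harness below is an added example, not code from this page or from Wazuh: it builds a message in the shape wazuh-execd sends (a constructed, abridged alert, not a real capture), extracts the fields with sed as the script does, and returns the pfctl command that would run instead of running it, so the add/check_keys/continue exchange and the later delete can be exercised offline.

```sh
#!/bin/sh
# Added example, not code from the page or from Wazuh. Dry-run harness for the
# JSON exchange between wazuh-execd and an active-response script on a 4.x
# agent. SAMPLE_* messages are constructed; ar_plan returns the pfctl command
# it would execute instead of executing it.

SAMPLE_ADD='{"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"rule":{"id":"5712","level":10},"data":{"srcip":"203.0.113.7"}},"program":"/var/ossec/active-response/bin/pf-block.sh"}}'
SAMPLE_DELETE=$(printf '%s' "$SAMPLE_ADD" | sed 's/"command":"add"/"command":"delete"/')
SAMPLE_CONTINUE='{"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"continue","parameters":{}}'
SAMPLE_ABORT='{"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"abort","parameters":{}}'

# ar_command MSG -> add | delete (the "command" key of the execd message)
ar_command() { printf '%s' "$1" | sed -n 's/.*"command":"\([a-z_]*\)".*/\1/p'; }

# ar_srcip MSG -> alert.data.srcip (IPv4 or IPv6 literal), empty when absent
ar_srcip() { printf '%s' "$1" | sed -n 's/.*"srcip":"\([0-9A-Fa-f.:]*\)".*/\1/p'; }

# ar_check_keys_message SCRIPT_NAME IP -> the JSON the script must write to
# stdout before blocking, so execd can refuse a key that is already active
ar_check_keys_message() {
    printf '{"version":1,"origin":{"name":"%s","module":"active-response"},"command":"check_keys","parameters":{"keys":["%s"]}}' "$1" "$2"
}

# ar_plan MSG TABLE REPLY -> the pfctl command the script would run. REPLY is
# execd's answer to check_keys; anything but "continue" means do nothing.
# Returns 1 on a message with no usable source address or unknown command.
ar_plan() {
    cmd=$(ar_command "$1"); ip=$(ar_srcip "$1"); table=$2; reply=$3
    [ -n "$ip" ] || return 1
    case "$cmd" in
        add)
            printf '%s' "$reply" | grep -q '"command":"continue"' || return 0
            printf 'pfctl -t %s -T add %s\n' "$table" "$ip" ;;
        delete)
            printf 'pfctl -t %s -T delete %s\n' "$table" "$ip" ;;
        *) return 1 ;;
    esac
}

echo "script sends:  $(ar_check_keys_message pf-block "$(ar_srcip "$SAMPLE_ADD")")"
echo "on continue:   $(ar_plan "$SAMPLE_ADD" wazuh_blocked "$SAMPLE_CONTINUE")"   # pfctl -t wazuh_blocked -T add 203.0.113.7
echo "on abort:      [$(ar_plan "$SAMPLE_ADD" wazuh_blocked "$SAMPLE_ABORT")]"    # []
echo "after timeout: $(ar_plan "$SAMPLE_DELETE" wazuh_blocked "")"                # pfctl -t wazuh_blocked -T delete 203.0.113.7
```

The sed extraction is deliberately strict about the characters it accepts in srcip: the value ends up on a pfctl command line as root, so a permissive pattern would turn a crafted log line that reaches an alert's srcip field into command injection on every agent that runs the response.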

Wazuh vs OSSEC

Wazuh forked from OSSEC in 2015. The differences are now significant:

  • Active development -- Wazuh has a full-time development team and regular releases. OSSEC development has slowed considerably.
  • Dashboard -- Wazuh provides a web dashboard (OpenSearch Dashboards-based). OSSEC requires third-party tools for visualization.
  • API -- Wazuh has a RESTful API for agent management, rule management, and alert queries. OSSEC has no API.
  • Vulnerability detection -- Wazuh includes CVE scanning. OSSEC does not.
  • SCA -- Wazuh includes Security Configuration Assessment. OSSEC has basic policy monitoring but nothing comparable.
  • Agent management -- Wazuh supports centralized agent configuration, remote upgrades, and group-based policies. OSSEC's agent management is minimal.

OSSEC is still suitable for simple FIM and log analysis on a single server. For any deployment beyond that, Wazuh is the clear successor.

Verdict

Wazuh is the most comprehensive open-source security monitoring platform available for FreeBSD. The agent provides file integrity monitoring, log analysis, rootkit detection, and vulnerability scanning, while the centralized manager enables correlation, alerting, and compliance reporting across an entire fleet. On FreeBSD, the agent monitors system-specific paths, parses FreeBSD log formats, and integrates with PF for active response.

The main limitation for FreeBSD is that the Wazuh manager and indexer are best run on Linux. The agent runs well on FreeBSD, but the server-side components have stronger Linux support. For a mixed environment -- Linux managers monitoring FreeBSD agents -- Wazuh is an excellent fit.


Frequently Asked Questions

Can I run the Wazuh manager on FreeBSD?

The manager can be compiled on FreeBSD, but official support and documentation focus on Linux (Ubuntu, CentOS, Amazon Linux). For production, run the manager on Linux and deploy agents on FreeBSD.

Does Wazuh work in FreeBSD jails?

Yes. The agent runs inside a jail, and FIM, log analysis and rootcheck work against the jail's own filesystem and log files. The limits come from jail isolation rather than from Wazuh: a jailed process sees only the jail's PIDs and sockets, so rootcheck's hidden-process and hidden-port checks inside a jail cover that jail only, and a jailed agent cannot see the host or other jails. The usual arrangement is one agent on the host whose FIM scope includes the jail root directories (which covers every jail's files from outside, where a compromised jail cannot tamper with the agent), plus agents inside jails where per-jail log analysis is wanted.

How much disk space does the Wazuh agent use?

The agent itself uses roughly 100 MB. Log storage depends on your log volume. The agent forwards logs to the manager, so local storage is primarily for the agent binary, configuration, and queue.

Can Wazuh replace fail2ban on FreeBSD?

Yes. Wazuh's active response can block IPs based on brute force detection, similar to fail2ban. The advantage is centralized management and correlation -- Wazuh can block an IP across all agents simultaneously, while fail2ban operates per-host.

How do I update the Wazuh agent on FreeBSD?

If installed via pkg: pkg upgrade wazuh-agent. If installed from source, pull the new release, compile, and run the installer. The manager can also push remote upgrades to agents.

Does Wazuh detect FreeBSD-specific vulnerabilities?

Only partly. The detector matches package names and versions against CVE data, and NVD entries are CVE-based: FreeBSD security advisories (FreeBSD-SA) normally carry CVE IDs, but errata notices (FreeBSD-EN) usually do not, and base-system advisories are not package versions at all, so they cannot be matched from the pkg inventory. FreeBSD is also not on Wazuh's documented platform list for vulnerability detection. For authoritative FreeBSD coverage, run pkg audit -F (the VuXML database maintained by the FreeBSD project) for ports packages and freebsd-update fetch for the base system; their output can be sent to syslog with logger(1) and picked up through the localfile entries above so the findings still surface in Wazuh.
