Wazuh Integration With Graylog

Hi everyone!
I am looking for guidance on integrating Wazuh with Graylog. I couldn’t find any official documentation related to this integration, so I wanted to ask here:

  • Is it possible to integrate Wazuh with Graylog?
  • If yes, could you please share any resources, best practices, or your experience on how to do it?
  • Also, on which Wazuh version and Graylog version would the integration work best?

Hi,
First up, I am no expert myself.
However, I did integrate Wazuh with Graylog and it does work. A good starting point for me was the Medium page of SOCFortress. However, what I do need to say is that even though the integration works perfectly fine, it does break the Wazuh dashboard, so you will need a different platform to display your Alerts/Events, since Graylog changes all field names (e.g. agent.id to agent_id). I think the SOC “tutorial” from SOCFortress would be a great starting point for you.
Hope that works for you!
Regards

Thank you for the valuable insights.

I’ve noticed that the SOCFortress documentation and integration guidelines appear to follow an older version of the stack. I am currently setting up my environment using the latest versions of Wazuh and Graylog on Ubuntu 24.04 LTS.

My question is:
Can I safely follow the updated integration procedures and configuration practices that align with the latest Wazuh and Graylog versions, rather than relying on the outdated SOCFortress approach?

I would appreciate guidance from you.

I understand your concern about the guideline from SOCFortress. I did, however, follow that guideline using Graylog v.6.1 and Wazuh v.4.11 and some other tools inside my SOC stack, and it works like a charm. But to answer your question: Yes, you 100% can integrate GL and Wazuh without using the instructions, but as you already mentioned, there are barely any sources to help you do that, so you might still fall back to the guideline since most of it is still accurate.

(I'm sorry if I didn’t get everything right, English is not my first language :) )

Thank you for the valuable insights.
Now, can I integrate Graylog v6.1 with Wazuh 4.11 from the SOCFortress guideline?
If you have documentation on the latest integration, please share it with me because I need it.