Hi everyone!
I am looking for guidance on integrating Wazuh with Graylog. I couldn’t find any official documentation related to this integration, so I wanted to ask here:
Hi,
first up I am no expert myself.
However i did integrate Wazuh with Graylog and it does work. A good starting point for me was the Medium Page of SOCFortress. However what I do need to say is that even though the integration works perfectly fine, it does break the Wazuh dashboard so you will need a different platform to display your Alerts/Events since Graylog changes all field names (e.g. agent.id to agent_id). I think the SOC “tutorial” from SOCFortress would be a great starting point for you.
Hope that works for you!
Regards
Thank you for the valuable insights.
I’ve noticed that the SOCFortress documentation and integration guidelines appear to follow an older version of the stack. I am currently setting up my environment using the latest versions of Wazuh and Graylog on Ubuntu 24.04 LTS.
My question is:
Can I safely follow the updated integration procedures and configuration practices that align with the latest Wazuh and Graylog versions, rather than relying on the outdated SOCFortress approach?
I would appreciate guidance from you
I understand your concern about the guideline from SOCFortress. I did however follow that guideline using Graylog v.6.1 and Wazuh v.4.11 and some other tools inside my SOC-stack and it works like a charm. But to answer your question: Yes you 100% can integrate GL and Wazuh without using the instructions but as you already mentioned, there is barely any sources to help you doing that so you might still fall back to the guidline since most of it is still acurate.
(Im sorry if I didn’t get everything right, english is not my first language 
)
Thank you for the valuable insights.
Now can i integrate Graylog 6.1 v with azuh 4.11 from SOCFortress guideline.
If you have documentation on latest integration please share with me becasue i have need it.
There are issues when using Wazu and Gralyog with the same Elastic-/Opensearch Cluster.
Wazuh uses “.” as a Delimiter in field names and Gralog uses _ and the elastic cluster will just replace all the “.” with _. That results in all the prebuilt dashboards and views in wazuh-manager don’t displaying any data.
So its not realy usable that way.
As long as you don’t mind the increased storage and compute requirenments, you can run seperate Elastic Clusters for Wazuh and Graylog.
You can use the SOCfortress Guide: Installing the New Wazuh version 4.4 — The SOCFortress Way | by SOCFortress | Medium
You can basically Ignore step 3 Graylog and “just” do a dedicated Graylog installation following the official Graylog documentation.
Then you add an additional output to the Graylog in addition to the output to the local wazuh-indexer.
You could also try the complete opensource SIEM thing SOCFortress built and check if that fits your requirements: GitHub - socfortress/CoPilot: SOCFortress CoPilot
