Wazuh 4.14 Integrations - External System Connectors
Wazuh 4.14 supports integration with a wide range of external security, monitoring, and incident management systems. Integrations enable forwarding alerts to third-party platforms, enriching events with threat intelligence data, and automating response workflows through SOAR solutions.
Integration Types
The platform provides several mechanisms for connecting external systems, each suited to specific use cases.
Built-in Integrations (integratord)
Wazuh ships with the wazuh-integratord daemon that processes alerts and forwards them to external systems. The following platforms are supported out of the box:
- Slack - alert notifications to channels
- PagerDuty - critical incident escalation
- VirusTotal - file hash and URL lookups
- Shuffle - orchestration through a SOAR platform
- TheHive - incident and case management
Detailed configuration of built-in integrations is covered in the SIEM Integrations and Built-in Connectors section.
API and Webhook Integrations
For systems without native support, Wazuh provides custom integration capabilities through:
- Custom webhooks - arbitrary HTTP calls triggered by alerts
- Syslog forwarding - event forwarding to other SIEM platforms
- REST API - programmatic access to Wazuh data for building custom connectors
Third-Party Integrations
Wazuh integrates with the broader security tooling ecosystem through specialized modules and APIs:
- Osquery - extended endpoint data collection
- MISP / OpenCTI - indicator of compromise sharing
- Jira / ServiceNow - automated ticket creation
- Shuffle / Cortex XSOAR - SOAR automation
A detailed guide to third-party integrations is available in the Third-Party Integrations section.
Integration Architecture
All Wazuh integrations follow one of three patterns:
| Pattern | Mechanism | Examples |
|---|---|---|
| Push (integratord) | Daemon forwards the alert to an external system | Slack, PagerDuty, VirusTotal |
| Pull (API) | External system polls data from Wazuh | Splunk app, ELK connector |
| Bidirectional | Two-way data exchange | Shuffle, Cortex XSOAR |
The wazuh-integratord daemon runs on the Wazuh Manager server and processes alerts in real time. When a rule matching the integration filter fires, the daemon constructs a JSON payload and sends it to the configured endpoint.
Choosing an Integration Strategy
When planning integrations, consider the following factors:
- Alert volume - for high-throughput environments, filter by severity level (level) or rule group (group)
- Reliability - syslog forwarding provides buffering, whereas webhook calls may be lost if the receiver is unavailable
- Latency - integratord adds minimal delay (under 1 second); API polling latency depends on the polling interval
- Security - API keys and tokens are stored in the ossec.conf configuration and must be protected with appropriate file permissions
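As an added example (not code from this page or from the Wazuh project), a minimal custom webhook connector in the push pattern described above: it applies the same level/group filter the strategy section recommends, reduces the alert to a small JSON payload, and posts it. It assumes the argument order Wazuh uses for custom-* integration scripts (alert file, API key, hook URL); the bearer-token header and the sample alert are constructed.

```python
"""Hypothetical custom webhook integration in the wazuh-integratord style. Wazuh invokes
custom-* scripts as: <script> <alert_file> <api_key> <hook_url>; the ossec.conf <level>/<group> filter is reproduced here."""
import json
import sys
import urllib.request

def alert_matches(alert: dict, min_level: int = 0, groups: tuple = ()) -> bool:
    """Mirror the <level> and <group> filters of an <integration> block."""
    rule = alert.get("rule", {})
    if int(rule.get("level", 0)) < min_level:
        return False
    # <group> matches if the rule carries any of the listed groups.
    return not groups or bool(set(groups) & set(rule.get("groups", [])))

def build_payload(alert: dict) -> dict:
    """Reduce the full alert to the fields a receiver needs (no raw log line)."""
    rule = alert.get("rule", {})
    return {
        "alert_id": alert.get("id"),
        "timestamp": alert.get("timestamp"),
        "agent": alert.get("agent", {}).get("name"),
        "level": rule.get("level"),
        "rule_id": rule.get("id"),
        "description": rule.get("description"),
        "groups": rule.get("groups", []),
    }

def send(payload: dict, hook_url: str, api_key: str, timeout: int = 10) -> int:
    """POST the payload and return the HTTP status; the key travels in a header, never in the URL."""
    if not hook_url.startswith("https://"):
        raise ValueError("refusing to send alert data over plain HTTP")
    req = urllib.request.Request(hook_url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status

# Constructed sample alert in the shape of alerts.json (not real data).
SAMPLE_ALERT = {
    "id": "1700000000.12345", "timestamp": "2024-01-01T00:00:00.000+0000",
    "agent": {"id": "001", "name": "web-01"},
    "rule": {"id": "5712", "level": 10, "description": "sshd: brute force trying to get access",
             "groups": ["syslog", "sshd", "authentication_failures"]},
}

if __name__ == "__main__":
    alert_file, api_key, hook_url = sys.argv[1:4]
    with open(alert_file) as fh:
        alert = json.load(fh)
    if alert_matches(alert, min_level=10, groups=("authentication_failures",)):
        print(send(build_payload(alert), hook_url, api_key))
```

Deploy such a script with restrictive permissions alongside the credentials in ossec.conf, and keep the level/group filter in the integration block as the primary throttle so the daemon does not invoke the script for every alert.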
For building a comprehensive security architecture, combining multiple integration types is recommended. A typical setup includes forwarding all alerts to a centralized SIEM via syslog, sending critical events to Slack or PagerDuty, and automatically creating tickets through a SOAR platform.
For guidance on building your own integrations, refer to the Custom Integration Development section.