Wazuh on FreeBSD

Links:
Wazuh URL: https://wazuh.com

Contact: José Alonso Cárdenas Márquez <acm@FreeBSD.org>
Contact: Jesús Daniel Colmenares Oviedo <dtxdf@FreeBSD.org>

Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments.

The Wazuh solution consists of an endpoint security agent, deployed to the monitored systems, and a management server, which collects and analyzes the data gathered by the agents. Wazuh also integrates with the Elastic Stack or the OpenSearch stack, providing a search engine and a data visualization tool that let users navigate their security alerts.

A lot has happened this quarter: numerous improvements and bug fixes that enhance FreeBSD support in this XDR/SIEM and security platform.

  • We have created a repository on GitHub to centralize the work and reduce the number of patches carried by the manager and agent ports. Links: Repository, b1f5298

  • Python bundle has been updated to 3.11.15. Link: c941e5b

  • An issue that prevented wazuh-manager from starting when the MYSQL option was enabled has been fixed. Link: c941e5b

  • A parsing issue in sysinfo’s getPorts() function has been fixed. Link: 35fcd6a

  • Support for FreeBSD has been added to the asyncinotify library; the missing support prevented the Wazuh API from starting correctly. Link: 35fcd6a

  • Now Wazuh uses OpenSearch Dashboards 2.19.4. Link: b1f5298

  • sysinfo module can now obtain users and groups information. Link: e9cebac

  • An issue between the agent and the manager that prevented TCP connections from reaching the active state has been fixed, and TCP is now the default protocol instead of UDP. Links: 055d5c9, 508a8c8

  • FreeBSD SCA, decoders and rules files were updated, fixing conflict issues. Links: 055d5c9, 508a8c8

  • A problem with the Python scripts in the manager that prevented them from running correctly when the CRYPTOGRAPHY_OPENSSL_NO_LEGACY environment variable is not set has been fixed. Link: 8bd6c77

  • sysinfo's getSerialNumber() function has been improved, so the manager and the agent can now use the kern.hostuuid sysctl to uniquely identify devices. Link: 284813e

  • An issue in wazuh-modulesd has been fixed that caused a SIGSEGV while decompressing the vulnerability detection database, due to an access to an uninitialized structure. Link: d3c13b6

  • An issue in the agent has been fixed that caused a "permission error" due to an incorrect owner on the etc/client.keys file. Link: c74ab75

  • security/wazuh-server switched from beats7 to beats8. Link: ce6831e

  • Fixed a segmentation fault in wazuh-modulesd that occurred when pkg(8) is not installed on the system and sysinfo's getPackages() function tries to obtain information about installed packages. The function has been reimplemented to read the pkg database through SQLite instead. Links: ff95715, a4242bf

  • dos2unix(1) is now applied to the Wazuh API's api.yaml file to strip CRLF line endings. Link: a4242bf

  • An issue with wazuh-apid has been fixed that prevented it from starting correctly (it marked itself as DOWN) when security.bsd.see_other_uids or security.bsd.see_other_gids is set to 0, that is, when unprivileged users cannot see processes owned by other users or groups. Link: c86d3fc

  • A page has been created on the FreeBSD wiki to centralize the work we have done and what remains to be done. Link: Wiki

The Makejails for Wazuh have been improved and now mimic the official Dockerfiles, so users familiar with those can easily deploy all Wazuh components using AppJail and Director.

This work also adds cluster-mode infrastructure for the Makejails.

Wazuh's vulnerability detection is not yet implemented for FreeBSD, so Serpico has been developed to address this gap. Serpico is a security scanner for FreeBSD packages and releases that compares installed versions against a list of versions marked as vulnerable and reports the vulnerability information in a compact JSON format, for easy analysis with other security tools. The package includes rules for Wazuh and a dashboard that can be installed via the web UI or the OpenSearch Dashboards API.
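As an added illustration of the two points above (reading installed packages from the pkg(8) SQLite database rather than shelling out to pkg, and comparing versions against vulnerable ranges to produce compact JSON), here is a small scanner written for this report. It is not Serpico's or Wazuh's code. The packages table layout is reduced to the three columns used, the vulnerability list with its vid identifiers is constructed for the demo (its range semantics follow VuXML's ge/gt/lt/le bounds), and the version comparator is a simplified model of pkg-version(8) ordering: epoch, then dotted components, then the _N revision.

```python
"""Illustrative FreeBSD package vulnerability scan (example code, not Serpico)."""
import json
import re
import sqlite3

# Real location of the pkg(8) local database; the demo does not open it.
PKG_DB_PATH = "/var/db/pkg/local.sqlite"


def parse_pkg_version(v):
    """Split 'version[_revision][,epoch]' into a comparable tuple.

    Simplified model of pkg-version(8): epoch wins, then dotted components
    (numeric runs as integers, alphabetic runs as strings), then revision.
    Assumption: adequate for typical ports versions, not the full algorithm.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = [(0, int(t)) if t.isdigit() else (1, t)
             for t in re.findall(r"\d+|[A-Za-z]+", v)]
    return (epoch, parts, revision)


def in_range(version, rng):
    """True if version satisfies every bound in a VuXML-style range dict."""
    v = parse_pkg_version(version)
    checks = {"ge": lambda b: v >= b, "gt": lambda b: v > b,
              "lt": lambda b: v < b, "le": lambda b: v <= b}
    return all(checks[k](parse_pkg_version(rng[k])) for k in rng)


# Constructed vulnerability list with made-up vid values (demo data only).
VULN_DB = [
    {"vid": "example-0001", "topic": "demo-lib -- buffer overflow",
     "package": "demo-lib", "ranges": [{"ge": "1.0", "lt": "1.2.3_2"}]},
    {"vid": "example-0002", "topic": "demo-web -- authentication bypass",
     "package": "demo-web", "ranges": [{"lt": "3.0,1"}]},
    {"vid": "example-0003", "topic": "demo-tool -- path traversal",
     "package": "demo-tool", "ranges": [{"ge": "1.0", "lt": "1.5"}]},
]


def build_demo_db():
    """In-memory SQLite with a 'packages' table shaped like local.sqlite
    (only the columns used here; the rows are constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE packages (name TEXT, version TEXT, origin TEXT)")
    conn.executemany("INSERT INTO packages VALUES (?, ?, ?)", [
        ("demo-lib", "1.2.3_1", "devel/demo-lib"),     # inside the range
        ("demo-web", "9.9", "www/demo-web"),           # epoch 0 < 3.0,1
        ("demo-tool", "2.0", "sysutils/demo-tool"),    # fixed version
    ])
    return conn


def open_pkg_db(path=PKG_DB_PATH):
    """Open the real pkg database read-only (pkg holds its own locks)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def installed_packages(conn):
    """Read installed packages straight from SQLite; no pkg(8) binary needed."""
    rows = conn.execute("SELECT name, version, origin FROM packages")
    return [{"name": n, "version": v, "origin": o} for n, v, o in rows]


def scan(packages, vuln_db):
    """Match each installed package against every vulnerable range."""
    findings = []
    for pkg in packages:
        for vuln in vuln_db:
            if vuln["package"] != pkg["name"]:
                continue
            if any(in_range(pkg["version"], r) for r in vuln["ranges"]):
                findings.append({"package": pkg["name"],
                                 "version": pkg["version"],
                                 "origin": pkg["origin"],
                                 "vid": vuln["vid"], "topic": vuln["topic"]})
    return findings


def scan_to_json(conn, vuln_db):
    """Compact JSON, one object per finding, for downstream tools."""
    return json.dumps(scan(installed_packages(conn), vuln_db),
                      separators=(",", ":"))


if __name__ == "__main__":
    print(scan_to_json(build_demo_db(), VULN_DB))
```

The demo-web row shows why epoch handling matters: 9.9 looks newer than 3.0, but 3.0,1 carries epoch 1 and therefore sorts above every epoch-0 version, so a comparator that ignores the epoch would miss the finding. On a real host, replace build_demo_db() with open_pkg_db().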

Current version: 4.14.3


Last modified on: April 10, 2026 by Jesús Daniel Colmenares Oviedo