Automate Your Wazuh Alert Enhancement Process

My mission is to empower organizations and professionals to build secure, resilient, and compliant digital ecosystems. Through thought leadership in security operations, architecture, compliance, and advisory, this blog serves as a trusted platform to illuminate best practices, share strategic insights, and advance the maturity of modern information systems!
Introduction
While building a multitenant SOC architecture using Wazuh and OpenSearch, I quickly ran into a critical issue:
Wazuh alerts do not include the agent group(s) by default.
In a setup where each client is represented by a group of agents, this missing field becomes a major obstacle for filtering, visualizing, and correlating events effectively.
This post walks through the entire process I followed to solve this limitation by creating a smart ingestion pipeline that enriches alerts with the agent_group field.
Technical Architecture
Here are the key components of the system:
Wazuh Manager: collects and analyzes security events
Filebeat: lightweight forwarder that ships alerts to OpenSearch
OpenSearch: search and analytics engine
OpenSearch Dashboards: visualization interface
Ingest Pipeline: custom pipeline to enrich incoming documents
Once the pipeline is in place, the logical architecture looks like this:

Initial Problem
Wazuh alerts include fields like agent.id and agent.name, but not agent.group.name, even when agents are assigned to groups in the Wazuh Manager.
This makes it impossible to:
Filter alerts by client in Discover
Build multitenant dashboards
Automate alerting per group
Resolution Steps
1. Inspecting the Data
I started by querying OpenSearch:
GET wazuh-alerts-*/_search
{
  "size": 1,
  "_source": ["agent.id", "agent.name", "agent.group.name"]
}
Result: agent.group.name was missing.
2. Attempts on the Wazuh Side
I tried assigning agents to groups:
/var/ossec/bin/agent_groups -a -i 001 -g clientA
/var/ossec/bin/agent_control -i 001
Then modified ossec.conf:
<agent_info>yes</agent_info>
Restarted the manager:
sudo systemctl restart wazuh-manager
Still, the field didn’t appear in the alerts.
3. Solution: Manual Enrichment via Filebeat
I added a conditional enrichment block in filebeat.yml:
processors:
  - add_fields:
      when:
        equals:
          agent.name: "clientA-agent"
      fields:
        agent_group: "clientA"
      target: ""
With target set to an empty string, the field is written at the document root rather than under fields. Every document whose agent.name matches gets the agent_group field; one such block is needed per agent name you want to map.
The configuration looks like the following screenshot:

4. Testing and Validation
Restart Filebeat so the new processor is loaded:
sudo systemctl restart filebeat
Then trigger an alert on the agent.
Checking in Discover, agent_group is present and correctly populated.
5. Reindexing Historical Data
To enrich past alerts:
POST _reindex
{
  "source": {
    "index": "wazuh-alerts-2025.06.18"
  },
  "dest": {
    "index": "wazuh-alerts-2025.06.18-reindexed",
    "pipeline": "add-agent-group"
  }
}
6. Visualization in OpenSearch Dashboards
Created a new index pattern for the reindexed data
Verified agent_group in Discover
Built dashboards with filters by group
You can see the enrichment in the following screenshot of my home lab after completing the implementation of the pipelines:

Final Outcome
Thanks to this pipeline:
Alerts are automatically enriched with agent group data
Client-based filtering and visualization is now possible
The SOC can operate in true multitenant mode
Future Improvements
This pipeline can be extended to:
Handle hundreds of agents
Use external mapping files (JSON, YAML)
Apply advanced enrichment via OpenSearch scripting (Painless)
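The _reindex call in step 5 hands documents to a pipeline named add-agent-group that the post does not show, and the list above points at external mapping files and Painless. As an added example (not the author's code), the following Python script builds that pipeline from an agent-to-group mapping and publishes it; the sample mapping, the "unassigned" fallback and the helper names are assumptions.

```python
import json
from urllib import request

# Constructed sample mapping; in practice load it from a JSON file with load_mapping().
AGENT_GROUPS = {
    "clientA-agent": "clientA",
    "clientA-web01": "clientA",
    "clientB-agent": "clientB",
}
FALLBACK_GROUP = "unassigned"  # makes agents missing from the mapping visible in Discover


def load_mapping(path):
    """Read an external {agent.name: group} JSON file (YAML would need PyYAML)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def build_pipeline(mapping, fallback=FALLBACK_GROUP):
    """Return the add-agent-group ingest pipeline body: one Painless script
    processor doing a map lookup, instead of one Filebeat add_fields block per agent."""
    source = (
        "def name = (ctx.agent != null) ? ctx.agent.name : null;"
        "ctx.agent_group = params.groups.containsKey(name)"
        " ? params.groups[name] : params.fallback;"
    )
    return {
        "description": "Enrich Wazuh alerts with agent_group derived from agent.name",
        "processors": [{"script": {"lang": "painless",
                                   "params": {"groups": mapping, "fallback": fallback},
                                   "source": source}}],
    }


def resolve_group(mapping, alert, fallback=FALLBACK_GROUP):
    """Offline mirror of the Painless lookup, to preview enrichment before reindexing."""
    name = (alert.get("agent") or {}).get("name")
    return mapping.get(name, fallback)


def put_pipeline(base_url, pipeline, pipeline_id="add-agent-group"):
    """PUT the pipeline to OpenSearch (add an Authorization header on a secured cluster)."""
    req = request.Request(f"{base_url}/_ingest/pipeline/{pipeline_id}",
                          data=json.dumps(pipeline).encode(), method="PUT",
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Prints the body you would send with: PUT _ingest/pipeline/add-agent-group
    print(json.dumps(build_pipeline(AGENT_GROUPS), indent=2))
```

Once the pipeline exists, the same _reindex call from step 5 enriches historical indices, and the Filebeat add_fields blocks can be retired in favour of setting the pipeline on the live index.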
Conclusion
This project turned a technical limitation into an architectural opportunity.
By mastering data ingestion and enrichment, I made Wazuh + OpenSearch truly multitenant — ready for SOC-as-a-Service.
Data means nothing without context.
And context is what we build.
Follow me for more posts on cybersecurity, SOC engineering, and DevSecOps automation!
Here is my LinkedIn post related to this article: https://www.linkedin.com/posts/yves-stanislas-adani_wazuh-socasaservice-multitenancy-activity-7341279532831674368-Y0T5?utm_source=share&utm_medium=member_desktop&rcm=ACoAADlkl3EB5_DFg8rmXKh81v-v_UYFaetVO-w