Connect your first data source

You will connect Wazuh as your first data source, install the forwarder on your Wazuh manager, and confirm that events are flowing into Jutsu. Once data lands, the rest of the platform — alerts, triage, and response — comes alive.

Overview

Jutsu ingests security telemetry through the Jutsu Ingest API. For Wazuh, a native forwarder runs on your Wazuh manager, tails the manager's alert stream, and posts batches to the Ingest API using an organization-scoped API key. From there, events are normalized and surfaced as alerts.

Wazuh is the fastest first source, but it is not the only one. Jutsu also ingests:

  • Wazuh — native forwarder on the Wazuh manager (recommended first source).
  • Google Workspace email logs — collected by a poller that periodically pulls email activity.
  • Syslog — forwarded to the Jutsu syslog ingest endpoint.
  • Custom events — posted directly to the Ingest API for sources you integrate yourself.

This page walks through Wazuh. For other sources, follow the matching integration guide.

Prerequisites

Before you start, make sure you have:

  • Admin access to a running Wazuh manager (root or sudo on the host).
  • An admin role in your Jutsu organization so you can generate an ingest API key.
  • Outbound HTTPS connectivity from the Wazuh manager to your Jutsu deployment.

Confirm the exact host, ports, and firewall rules against your deployment.

Install the Wazuh forwarder

  1. In Jutsu, open the Wazuh integration and generate an API key for this manager. Keep it handy — the installer needs it.
  2. On the Wazuh manager, run the one-line installer provided in the integration screen. It downloads the forwarder binary, installs it as a service, and wires it into the manager so new alerts are streamed to the Ingest API.
  3. The forwarder runs as a background service on the manager. It tails the manager's alert output and posts batches to the Jutsu Ingest API — there is no per-alert script to maintain.
  4. Restart the Wazuh manager if the installer prompts you to, so the integration takes effect.

For the complete walkthrough — installer options, service management, architecture, and upgrades — see the Wazuh integration guide.

The installer command, key format, and exact paths are surfaced in your Jutsu deployment's integration screen. Confirm them there rather than hardcoding values.

Verify ingestion

After the forwarder is running, confirm the pipeline end to end:

  1. Generate test activity on a monitored host (for example, a failed SSH login) so Wazuh produces an alert.
  2. On the manager, check that the forwarder service is active and not reporting errors.
  3. In Jutsu, open the Alerts view. Within moments, the corresponding alert should appear with its source set to Wazuh.

When alerts show up in the Alerts view, ingestion is working and triage begins automatically.

Troubleshooting

If no events appear in Jutsu after a few minutes, work through the most common causes:

Symptom | Likely cause | Fix
No events appearing | Forwarder service not running | Check the forwarder service status on the manager and start or enable it.
No events appearing | Invalid or revoked API key | Regenerate the key in the Wazuh integration screen and rerun the installer.
No events appearing | Outbound HTTPS blocked | Allow egress from the manager to your Jutsu Ingest API host and port.
No events appearing | Wazuh isn't producing alerts | Trigger known activity (e.g., a failed login) and confirm alerts exist on the manager.
Some events missing or delayed | Forwarder backlog or rate limits | Review forwarder logs for retries and confirm the manager isn't overloaded.
Events rejected | Malformed or unexpected payload | Inspect forwarder logs for ingest errors and confirm the forwarder version matches your deployment.

If you still see no data, confirm the Ingest API hostname and the forwarder version against your deployment before opening a support request.
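
To separate the "Wazuh isn't producing alerts" cause from a forwarder or network problem, the following added example (not part of Jutsu or its forwarder) scans the manager's JSON alert log for recent alerts in a rule group, such as the failed SSH login used as test activity under Verify ingestion. It assumes the default Wazuh log path /var/ossec/logs/alerts/alerts.json with JSON alert output enabled and the authentication_failed rule group; the sample lines are constructed.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Usage on the manager (assumed default Wazuh path):
#   python3 check_alerts.py /var/ossec/logs/alerts/alerts.json
# Constructed sample in the alerts.json shape (one JSON object per line); the
# last line is cut off the way a line still being written would be.
SAMPLE = """\
{"timestamp":"2024-05-01T11:20:00.000+0000","rule":{"id":"5716","level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web-01"}}
{"timestamp":"2024-05-01T12:00:05.000+0000","rule":{"id":"5716","level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"002","name":"db-01"}}
{"timestamp":"2024-05-01T12:00:09.000+0000","rule":{"id":"533","level":7,"description":"Listened ports status (netstat) changed.","groups":["ossec"]},"agent":{"id":"001","name":"web-01"}}
{"timestamp":"2024-05-01T12:00:10.000+0000","rule":{"id":"57
"""
SAMPLE_NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)


def recent_alerts(lines, group, now, window=timedelta(minutes=5)):
    """Return (agent, rule id, description) for alerts in `group` whose
    timestamp lies within `window` before `now`."""
    hits = []
    for line in lines:
        try:
            alert = json.loads(line)
            ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
            rule = alert["rule"]
            in_group = group in rule.get("groups", [])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # blank, truncated or non-alert line
        if in_group and timedelta(0) <= now - ts <= window:
            agent = alert.get("agent", {}).get("name", "unknown")
            hits.append((agent, rule.get("id"), rule.get("description")))
    return hits


if __name__ == "__main__":
    # With a path argument, read the live log; without one, run on SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found = recent_alerts(fh, "authentication_failed", datetime.now(timezone.utc))
    else:
        found = recent_alerts(SAMPLE.splitlines(), "authentication_failed", SAMPLE_NOW)
    for agent, rule_id, description in found:
        print(f"{agent}: rule {rule_id} ({description})")
    if not found:
        print("No matching alert on the manager: the forwarder has nothing to send.")
    sys.exit(0 if found else 1)
```

A non-zero exit means the test activity never became a Wazuh alert, so the problem sits upstream of the forwarder; a zero exit with nothing in the Alerts view points at the forwarder service, API key, or egress rows of the table.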

Next steps