Wazuh

Wazuh is the fastest way to start sending security telemetry to Jutsu. A native forwarder runs on your Wazuh manager, tails the manager's alert stream, and posts batches to the Jutsu Ingest API, where each alert is normalized and surfaced for triage.

Overview

The forwarder authenticates to the Ingest API with an organization-scoped API key and posts Wazuh alerts to the Wazuh webhook route on the Ingest API (for example, POST /webhooks/wazuh). Jutsu validates the key, indexes the events for your organization, and queues them for normalization into alerts.

Confirm the exact Ingest API host, base path, and webhook route against your deployment.
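To make the forwarder's job concrete, here is a minimal Python sketch of the same loop: read the manager's alert stream line by line, drop anything that is not a usable alert, batch, and POST to the Wazuh webhook route with the organization's API key. This is an added example and not Jutsu's forwarder; it assumes the alerts are read from Wazuh's alerts.json (one JSON object per line), that the route is POST /webhooks/wazuh as in the example above, and that the key is sent as a Bearer token in the Authorization header. The sample lines are constructed.

```python
"""Minimal illustration of what the Wazuh forwarder does.

Added example, not Jutsu's forwarder. Assumptions to confirm against your
deployment: alerts are read from the manager's alerts.json (one JSON object
per line), the Ingest API route is POST /webhooks/wazuh, and the API key is
sent as a Bearer token in the Authorization header.
"""
import json
import os
import time
import urllib.request
from typing import Callable, Iterable, Iterator, List, Optional

ALERTS_FILE = "/var/ossec/logs/alerts/alerts.json"  # default Wazuh manager path
BATCH_SIZE = 50        # maximum alerts per POST
FLUSH_INTERVAL = 5.0   # seconds after which a partial batch is sent

# Constructed sample lines in the shape of alerts.json records (not real data).
SAMPLE_LINES = [
    '{"timestamp":"2024-05-01T10:00:00.000+0000","rule":{"level":5,"id":"5716",'
    '"description":"sshd: authentication failed."},"agent":{"id":"001","name":"web-01"},'
    '"id":"1714557600.1"}',
    "",                        # blank line: skipped
    "{not json",               # truncated or corrupt line: skipped
    '{"note":"no rule key"}',  # JSON but not an alert: skipped
]


def parse_alert(line: str) -> Optional[dict]:
    """Return the alert for one alerts.json line, or None if it is not a usable alert."""
    line = line.strip()
    if not line:
        return None
    try:
        alert = json.loads(line)
    except json.JSONDecodeError:
        return None
    # Every Wazuh alert carries a "rule" object; anything else is not an alert.
    if not isinstance(alert, dict) or not isinstance(alert.get("rule"), dict):
        return None
    return alert


def follow(path: str, poll: float = 0.5) -> Iterator[str]:
    """Yield complete lines appended to `path`, like `tail -f` (log rotation not handled)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        fh.seek(0, os.SEEK_END)  # only forward alerts raised after start-up
        buf = ""
        while True:
            chunk = fh.read()
            if not chunk:
                time.sleep(poll)
                continue
            buf += chunk
            while "\n" in buf:  # hold back a partially written last line
                line, buf = buf.split("\n", 1)
                yield line


def batches(alerts: Iterable[dict], size: int = BATCH_SIZE,
            max_wait: float = FLUSH_INTERVAL,
            clock: Callable[[], float] = time.monotonic) -> Iterator[List[dict]]:
    """Group alerts into lists of at most `size`. A partial batch is released once
    `max_wait` seconds have passed when the next alert arrives, or when input ends."""
    batch: List[dict] = []
    started = 0.0
    for alert in alerts:
        if not batch:
            started = clock()
        batch.append(alert)
        if len(batch) >= size or clock() - started >= max_wait:
            yield batch
            batch = []
    if batch:
        yield batch


def post_batch(batch: List[dict], ingest_url: str, api_key: str,
               opener=urllib.request.urlopen) -> int:
    """POST one batch to the Wazuh webhook route; returns the HTTP status."""
    req = urllib.request.Request(
        ingest_url.rstrip("/") + "/webhooks/wazuh",
        data=json.dumps(batch).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_key}"},  # assumed header scheme
        method="POST")
    with opener(req, timeout=10) as resp:
        return resp.status


def forward(lines: Iterable[str], ingest_url: str, api_key: str,
            send=post_batch, batch_size: int = BATCH_SIZE) -> List[int]:
    """Parse, filter, batch and post; returns the HTTP status of every batch sent."""
    alerts = (a for a in map(parse_alert, lines) if a is not None)
    return [send(batch, ingest_url, api_key) for batch in batches(alerts, size=batch_size)]


if __name__ == "__main__":
    forward(follow(ALERTS_FILE), os.environ["JUTSU_INGEST_URL"], os.environ["JUTSU_API_KEY"])
```

The real forwarder is installed as a service and handles retries, rotation and backpressure; the point of the sketch is the shape of the data path: the key travels in a request header, the body is an array of raw Wazuh alert objects, and malformed lines are dropped on the manager rather than sent to the Ingest API.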

What this enables

Once Wazuh alerts are flowing, Jutsu:

  • Surfaces each Wazuh alert in the Alerts view with its rule context and affected asset.
  • Lets AI agents triage and prioritize alerts automatically so analysts focus on what matters first.
  • Correlates related alerts into incidents and makes them actionable through AgentSOAR response.

Prerequisites

Before you start, make sure you have:

  • Admin access to a running Wazuh manager (root or sudo on the host).
  • An admin role in your Jutsu organization so you can generate an ingest API key.
  • Outbound HTTPS connectivity from the Wazuh manager to your Jutsu deployment.

Confirm the exact host, ports, and firewall rules against your deployment.

Install the forwarder

  1. In Jutsu, open the Wazuh integration and generate an API key for this manager. Keep it handy — the installer needs it.
  2. On the Wazuh manager, run the hosted one-line installer surfaced in the integration screen. It downloads the forwarder, installs it as a background service, and wires it into the manager so new alerts stream to the Ingest API.
  3. The forwarder runs as a service and tails the manager's alert output, posting batches automatically — there is no per-alert script to maintain.
  4. Restart the Wazuh manager if the installer prompts you to, so the integration takes effect.

The installer command, API key format, and exact paths are surfaced in your Jutsu deployment's integration screen. Confirm them there rather than hardcoding values.

Verify ingestion

After the forwarder is running, confirm the pipeline end to end:

  1. Generate test activity on a monitored host (for example, a failed SSH login) so Wazuh produces an alert.
  2. On the manager, confirm the forwarder service is active and not reporting errors in its logs.
  3. In Jutsu, open the Alerts view. Within moments, the corresponding alert should appear with its source set to Wazuh.

When alerts show up in the Alerts view, ingestion is working and triage begins automatically.

Troubleshooting

If no alerts arrive in Jutsu after a few minutes, work through the most common causes:

Symptom | Likely cause | Fix
No alerts arriving | Forwarder service not running | Check the forwarder service status on the manager and start or enable it.
No alerts arriving | Invalid or revoked API key | Regenerate the key in the Wazuh integration screen and rerun the installer.
No alerts arriving | Outbound HTTPS blocked | Allow egress from the manager to your Jutsu Ingest API host and port.
No alerts arriving | Wazuh isn't producing alerts | Trigger known activity (e.g., a failed login) and confirm alerts exist on the manager.
Alerts delayed or batched slowly | Forwarder backlog or rate limiting | Review forwarder logs for retries and confirm the manager isn't overloaded.
Alerts rejected | Malformed or unexpected payload | Inspect forwarder logs for ingest errors and confirm the forwarder version matches your deployment.

If you still see no data, confirm the Ingest API hostname and the forwarder version against your deployment before opening a support request.
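Three of the rows in the table above (blocked egress, bad key, rejected payload) can be told apart from the manager with a single probe request. The script below, an added example rather than Jutsu tooling, POSTs one constructed alert to the webhook route and maps the outcome onto the likely cause. It assumes POST /webhooks/wazuh with a Bearer API key, and that the route answers 401/403 for a bad key and 400/422 for a body it cannot parse; confirm both against your deployment.

```python
"""Probe the Jutsu ingest path with one constructed alert and map the result
onto the troubleshooting table.

Added example, not Jutsu tooling. Assumes POST /webhooks/wazuh with a Bearer
API key, and that the route answers 401/403 for a bad key and 400/422 for a
body it cannot parse; confirm both against your deployment.
"""
import json
import os
import socket
import urllib.error
import urllib.request

# Constructed probe record in the shape of a Wazuh alert (not real activity).
PROBE_ALERT = {
    "timestamp": "2024-05-01T10:00:00.000+0000",
    "rule": {"level": 3, "id": "0", "description": "jutsu ingest self-check (constructed)"},
    "agent": {"id": "000", "name": "wazuh-manager"},
    "id": "self-check-0",
}

OK = ("ok: the Ingest API accepted the probe; if alerts still do not appear, "
      "check that the forwarder service is running and Wazuh is producing alerts")
BAD_KEY = "invalid or revoked API key: regenerate it in the Wazuh integration screen and rerun the installer"
BAD_PAYLOAD = "malformed or unexpected payload: confirm the forwarder version matches your deployment"
BAD_ROUTE = "webhook route not found: confirm the Ingest API host, base path and route"
INGEST_BUSY = "Ingest API throttling or failing: the forwarder will retry; review its logs"
NO_EGRESS = ("outbound HTTPS blocked or host unresolvable: allow egress from the manager "
             "to the Ingest API host and port")


def classify(outcome) -> str:
    """Map a probe outcome (HTTP status code or the exception raised) to a likely cause."""
    if isinstance(outcome, urllib.error.HTTPError):  # server answered, but with an error status
        return classify(outcome.code)
    if isinstance(outcome, (urllib.error.URLError, socket.timeout, OSError)):
        return NO_EGRESS  # no answer at all: DNS, firewall, TLS handshake, timeout
    if isinstance(outcome, int):
        if 200 <= outcome < 300:
            return OK
        if outcome in (401, 403):
            return BAD_KEY
        if outcome in (400, 415, 422):
            return BAD_PAYLOAD
        if outcome == 404:
            return BAD_ROUTE
        if outcome == 429 or outcome >= 500:
            return INGEST_BUSY
        return f"unexpected HTTP status {outcome}"
    return f"unexpected result: {outcome!r}"


def probe(ingest_url: str, api_key: str, opener=urllib.request.urlopen):
    """POST the probe alert once; returns the HTTP status or the exception raised."""
    req = urllib.request.Request(
        ingest_url.rstrip("/") + "/webhooks/wazuh",
        data=json.dumps([PROBE_ALERT]).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_key}"},  # assumed header scheme
        method="POST")
    try:
        with opener(req, timeout=10) as resp:
            return resp.status
    except (OSError, ValueError) as exc:  # URLError and HTTPError are OSError subclasses
        return exc


if __name__ == "__main__":
    result = probe(os.environ["JUTSU_INGEST_URL"], os.environ["JUTSU_API_KEY"])
    print(classify(result))
```

Run it on the manager with JUTSU_INGEST_URL and JUTSU_API_KEY set to the values from the integration screen. An accepted probe will itself show up in the Alerts view as a low-level alert from the manager, which doubles as the end-to-end check in the Verify ingestion section; a refused connection or DNS failure points at egress rather than at the forwarder.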