Phase 4: Deploying
Deployment installs the integration onto the Wazuh manager (or agent) and activates it in the SIEM pipeline. The process is the same regardless of which vendor API the integration targets.
Deployment targets
The wodle can run on one of three kinds of host — the choice does not affect the code, only where the credentials live and which service is restarted:
| Target | When to use | Credential location |
|---|---|---|
| Wazuh manager (default) | Simplest deployment. Single-node or master in a cluster. | On the manager host |
| Dedicated agent host | Credentials isolated from manager. Polling independent of manager restarts. | On the agent host |
| Existing agent | Any agent with network access to the vendor API (SOAR server, jump host). | On the agent host |
Standard deployment steps
1. Copy wodle files
# Create wodle directory. It will hold the secrets file, so it must not be world-accessible
sudo mkdir -p /var/ossec/wodles/vendorname/
sudo chmod 750 /var/ossec/wodles/vendorname/
# Copy Python and shell files. Use "wodle/." rather than "wodle/*": a bare glob
# skips dotfiles, so .secrets.example would never be copied and step 2 would fail
sudo cp -r wodle/. /var/ossec/wodles/vendorname/
# Set ownership and permissions: only the two entry points need execute
sudo chown -R root:wazuh /var/ossec/wodles/vendorname/
sudo chmod 750 /var/ossec/wodles/vendorname/run.sh
sudo chmod 750 /var/ossec/wodles/vendorname/vendorname.py
sudo chmod 640 /var/ossec/wodles/vendorname/vendorname_*.py
2. Configure credentials
# Create the secrets file from the template with its final mode and ownership in
# one step, so it is never world-readable between creation and lock-down
sudo install -m 640 -o root -g wazuh /var/ossec/wodles/vendorname/.secrets.example /var/ossec/wodles/vendorname/.secrets
# Edit with your credentials
sudo nano /var/ossec/wodles/vendorname/.secrets
# Confirm: expect "640 root wazuh"
stat -c '%a %U %G' /var/ossec/wodles/vendorname/.secrets
3. Install decoder and rules
# Copy decoder
sudo cp rules/vendorname_decoder.xml /var/ossec/etc/decoders/
# Copy rules
sudo cp rules/vendorname_rules.xml /var/ossec/etc/rules/
# Match the ownership and mode of the shipped local_decoder.xml / local_rules.xml
sudo chown wazuh:wazuh /var/ossec/etc/decoders/vendorname_decoder.xml /var/ossec/etc/rules/vendorname_rules.xml
sudo chmod 660 /var/ossec/etc/decoders/vendorname_decoder.xml /var/ossec/etc/rules/vendorname_rules.xml
# Parse the ruleset before restarting, so a malformed rule does not take the manager down
sudo /var/ossec/bin/wazuh-analysisd -t
4. Add wodle stanza to ossec.conf
Add the wodle block from artifacts/configs/ossec_vendorname.conf to /var/ossec/etc/ossec.conf:
<ossec_config>
<wodle name="command">
<disabled>no</disabled>
<tag>vendorname</tag>
<command>/var/ossec/wodles/vendorname/run.sh</command>
<interval>5m</interval>
<ignore_output>no</ignore_output>
<run_on_start>yes</run_on_start>
<timeout>120</timeout>
</wodle>
</ossec_config>
Key settings:
- tag: names this wodle in ossec.log and is the location attached to the events it emits; give each integration its own. ossec.conf may contain several <ossec_config> blocks, so the stanza can be appended as-is.
- interval: polling frequency. 5 minutes is the standard default; adjust to the vendor API's rate-limit budget.
- timeout: maximum execution time in seconds. Set it to 2-3x the expected run duration so a hung poll is killed instead of piling up on the next interval.
- run_on_start: execute immediately when the manager starts instead of waiting for the first interval.
- ignore_output: must be no for events to enter the pipeline.
5. Restart Wazuh manager
sudo systemctl restart wazuh-manager
If the wodle was installed on an agent host instead, the stanza goes in that agent's ossec.conf and the service to restart there is wazuh-agent. The decoder and rules still go on the manager, and the manager still needs a restart to load them, because analysis happens there rather than on the agent.
6. Verify
# Check manager started cleanly
sudo systemctl status wazuh-manager
# Confirm the command wodle was picked up and is not erroring
grep 'modulesd:command' /var/ossec/logs/ossec.log | tail
# Watch for integration events. Only alerts at or above the manager's
# log_alert_level (default 3) reach alerts.json, so lower-level rules will not show here
tail -f /var/ossec/logs/alerts/alerts.json | jq -c 'select(.rule.groups | index("vendorname"))'
Dashboards (optional)
If the integration includes pre-built dashboards:
- Open Wazuh Dashboard > Stack Management > Saved Objects
- Click Import
- Upload the .ndjson file(s) from artifacts/objects/
- Navigate to the imported dashboard
Post-deployment verification
- Events appear in OpenSearch within one polling interval
- Rule IDs and severity levels match expectations
- State file is being created and updated (check timestamps)
- No errors in /var/ossec/logs/ossec.log related to the wodle
- Credential file permissions are 640 with root:wazuh ownership, and the wodle directory itself is not world-readable
- The user the wodle process actually runs as matches that permission model. Command wodles are spawned by wazuh-modulesd, which runs as root on the manager, so the process runs as root unless run.sh drops privileges itself; check while a poll is in progress (for a wodle started as python3: ps -o user=,args= -C python3) rather than assuming it runs as wazuh
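Steps 1 to 4 above and the file-level items of this checklist, as an added example that is not the integration's own installer or code from the page. It assumes the repository layout the page describes (wodle/, rules/, artifacts/configs/ossec_vendorname.conf), GNU coreutils (install, stat -c), and three environment variables introduced here for illustration (WODLE_OWNER, WODLE_GROUP, RULES_OWNER) so the same function can be exercised against a scratch tree without root; the integration name in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not the integration's own installer: steps 1-4 as one
# idempotent function plus the file-level checks from the post-deployment list.
# Defaults are the page's (/var/ossec, root:wazuh for the wodle files,
# wazuh:wazuh 660 for decoder and rules). Requires GNU coreutils.
set -eu

# Ownership to apply. Set all three to empty strings to skip chown (dry run
# as an unprivileged user against a temporary directory).
WODLE_OWNER=${WODLE_OWNER-root}
WODLE_GROUP=${WODLE_GROUP-wazuh}
RULES_OWNER=${RULES_OWNER-wazuh}

# own_flags OWNER GROUP: install(1) ownership flags, or nothing if OWNER is empty
own_flags() {
  [ -n "$1" ] && printf -- '-o %s -g %s' "$1" "$2"
  return 0
}

# deploy_wodle SRC WAZUH_HOME NAME
#   SRC         checkout containing wodle/, rules/ and artifacts/configs/
#   WAZUH_HOME  normally /var/ossec
#   NAME        integration name (the page's "vendorname")
deploy_wodle() {
  local src=$1 home=$2 name=$3 dest f base mode sub
  dest="$home/wodles/$name"
  # The directory holds the secrets file, so it must not be world-accessible.
  install -d -m 750 $(own_flags "$WODLE_OWNER" "$WODLE_GROUP") "$dest"

  # Enumerate files explicitly rather than "cp wodle/*": a bare glob skips
  # dotfiles, so .secrets.example would silently never be copied.
  for f in "$src"/wodle/* "$src"/wodle/.[!.]*; do
    [ -f "$f" ] || continue
    base=$(basename "$f")
    case "$base" in
      run.sh|"$name.py") mode=750 ;;   # entry points need execute
      *)                 mode=640 ;;   # modules and templates do not
    esac
    install -m "$mode" $(own_flags "$WODLE_OWNER" "$WODLE_GROUP") "$f" "$dest/$base"
  done

  # Create the live secrets file with its final mode in a single step, so there
  # is no window in which it is world-readable, and never clobber an existing
  # one (it may already hold real credentials).
  if [ ! -e "$dest/.secrets" ]; then
    install -m 640 $(own_flags "$WODLE_OWNER" "$WODLE_GROUP") \
      "$dest/.secrets.example" "$dest/.secrets"
  fi

  # Decoder and rules are read by wazuh-analysisd on the manager; give them
  # the same ownership and mode as the shipped local_rules.xml.
  for f in "$src/rules/${name}_decoder.xml" "$src/rules/${name}_rules.xml"; do
    case "$f" in *_decoder.xml) sub=decoders ;; *) sub=rules ;; esac
    install -m 660 $(own_flags "$RULES_OWNER" "$RULES_OWNER") "$f" "$home/etc/$sub/"
  done

  # ossec.conf may contain several <ossec_config> blocks, so the stanza can be
  # appended as-is; the <tag> identifies this wodle, so append it only once.
  if ! grep -q "<tag>$name</tag>" "$home/etc/ossec.conf"; then
    cat "$src/artifacts/configs/ossec_${name}.conf" >> "$home/etc/ossec.conf"
  fi
}

# verify_wodle WAZUH_HOME NAME: returns 0 when the file-level checks pass
verify_wodle() {
  local home=$1 name=$2 dest rc=0 f mode
  dest="$home/wodles/$name"
  # Nothing in the wodle directory may be accessible to "other", i.e. the last
  # octal digit of the mode must be 0 (640, 750, ...).
  for f in "$dest"/.secrets "$dest"/*.py "$dest"/run.sh; do
    mode=$(stat -c %a "$f")
    case "$mode" in
      *0) ;;
      *)  echo "world-accessible ($mode): $f"; rc=1 ;;
    esac
  done
  [ -x "$dest/run.sh" ] || { echo "run.sh is not executable"; rc=1; }
  [ "$(grep -c "<tag>$name</tag>" "$home/etc/ossec.conf")" -eq 1 ] ||
    { echo "expected exactly one <tag>$name</tag> stanza in ossec.conf"; rc=1; }
  for f in "$home/etc/decoders/${name}_decoder.xml" "$home/etc/rules/${name}_rules.xml"; do
    [ -r "$f" ] || { echo "missing: $f"; rc=1; }
  done
  return "$rc"
}

# Usage: sudo ./deploy_wodle.sh /path/to/checkout /var/ossec vendorname
# then continue with the restart and log checks of steps 5 and 6.
if [ $# -eq 3 ]; then
  deploy_wodle "$1" "$2" "$3"
  verify_wodle "$2" "$3"
fi
```

Running it a second time is safe: the stanza is appended only when its tag is absent, and an existing .secrets is left untouched, so a re-deploy after a code update cannot silently reset credentials or register the wodle twice.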