To use AI for threat hunting with Wazuh, install Ollama with a local LLM (Llama 3), connect a Python script to the Wazuh event files and run natural-language queries against your security logs. Everything runs locally, without sending data outside.
What do we achieve with this integration?
- Conversational analysis: Query security logs in natural language ("Have there been any failed SSH attempts today?")
- Smart detection: The AI identifies suspicious patterns that could go unnoticed
- Fast response: Reduces investigation time from hours to minutes
- Total privacy: Everything runs locally, without sending data to third parties
How do you enable the JSON event file in Wazuh?
Wazuh needs to store all events in JSON format so the AI can analyze them. Edit the server configuration:
# Edit Wazuh configuration
sudo nano /var/ossec/etc/ossec.conf
# Find the <global> section and make sure it is configured:
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>yes</logall>
<logall_json>yes</logall_json>
</global>
# Restart Wazuh
sudo systemctl restart wazuh-manager
This will create the /var/ossec/logs/archives/archives.json file with all the security logs.
How do you install Ollama and a local LLM?
Ollama is a tool that lets you run language models (LLMs) locally with ease. We are going to install Ollama and download the Llama 3 model:
# Install Ollama
curl -fsSL https://ollama.com/install.sh | sh
# Download the Llama 3 model (8B parameters, ~4.7GB)
ollama pull llama3
# Verify it works
ollama run llama3 Note: The first ollama pull will download several GB. If your server has little RAM, you can use lighter models such as llama3:7b or phi3:mini.
Which Python dependencies do you need to install?
The threat hunting chatbot is written in Python and uses several libraries for natural language processing:
# Update system and install Python
sudo apt update && sudo apt install python3 python3-pip -y
# Install the required dependencies
pip3 install paramiko python-daemon langchain langchain-community \
langchain-ollama langchain-huggingface faiss-cpu sentence-transformers \
transformers pytz fastapi uvicornThis will install:
- LangChain: Framework for building applications with LLMs
- FAISS: Vector search engine for embeddings
- FastAPI: Web framework for the chatbot
- Transformers: HuggingFace NLP models
How do you download and install the AI threat hunting script?
The threat_hunter.py script is the heart of the integration. We will download it from the official Wazuh repository:
# Download the script
cd /var/ossec/integrations/
sudo wget https://raw.githubusercontent.com/wazuh/wazuh-tools/master/ai-threat-hunting/threat_hunter.py
# Grant execution permissions
sudo chmod +x threat_hunter.py
sudo chown root:wazuh threat_hunter.pyHow do you configure the Wazuh credentials for the script?
Before running the chatbot, you need to configure the access credentials. Open the script and find the following lines to modify them:
# Edit the script
sudo nano /var/ossec/integrations/threat_hunter.py
# Find and replace:
USERNAME = "admin" # User to access the chatbot
PASSWORD = "YourSecurePassword123" # Chatbot password
# If Wazuh is on another server (optional):
SSH_HOST = "192.168.1.100" # IP of the Wazuh server
SSH_USERNAME = "wazuh"
SSH_PASSWORD = "password_ssh"Important: Use a strong password for the chatbot, since it will have access to all the security logs.
How do you start the AI threat hunting chatbot?
Everything is ready! Now let's start the chatbot:
# Run the chatbot (in the foreground for testing)
sudo python3 /var/ossec/integrations/threat_hunter.py
# You will see a message like:
# INFO: Uvicorn running on http://0.0.0.0:8000 (Press CTRL+C to quit)Open your browser and go to: http://<SERVER_IP>:8000
How do you use the threat hunting chatbot to analyze logs?
Once inside the chatbot, you can ask questions in natural language. Some useful commands:
/help- Shows the help menu/set days 7- Analyzes events from the last 7 days (range: 1-365)/reload- Reloads the vector database with new events
Example questions:
- "Have there been any failed SSH access attempts in the last 24 hours?"
- "Show me critical alerts of level 12 or higher"
- "Which users have modified system files recently?"
- "Analyze suspicious activity on the web-prod-01 server"
How do you run the AI chatbot as a service on Linux?
To keep the chatbot running permanently in the background, create it as a systemd service:
# Create service file
sudo nano /etc/systemd/system/wazuh-threat-hunter.service
# Content:
[Unit]
Description=Wazuh AI Threat Hunter Chatbot
After=network.target wazuh-manager.service
[Service]
Type=simple
User=root
WorkingDirectory=/var/ossec/integrations
ExecStart=/usr/bin/python3 /var/ossec/integrations/threat_hunter.py
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
# Enable and start the service
sudo systemctl daemon-reload
sudo systemctl enable wazuh-threat-hunter.service
sudo systemctl start wazuh-threat-hunter.service
# Check status
sudo systemctl status wazuh-threat-hunter.serviceWhat can you do next with this integration?
In upcoming articles I will publish real screenshots showing:
- Examples of chatbot queries and responses
- Practical use cases for threat detection
- Advanced configurations and performance tuning
- Integration with custom Wazuh dashboards
Conclusion
Integrating AI into Wazuh transforms the way you do threat hunting: from manually searching logs for hours, to asking questions in natural language and receiving contextualized analysis in seconds.
The best part: Everything runs locally with open-source models, without depending on external services or compromising the privacy of your security data.
If you need help with the professional implementation of Wazuh or this AI integration in your company, request a free consultation here.
Original source: Wazuh Blog - Leveraging Artificial Intelligence for Threat Hunting