HookProbe + Wazuh Integration: Edge IDS Feeding Wazuh SIEM

HookProbe + Wazuh Integration Guide (2026)

Stream real-time threat detections from HookProbe edge nodes into your Wazuh SIEM. This guide covers the complete integration: log forwarding, custom decoders, correlation rules, and dashboard widgets.

Why integrate? Wazuh excels at log aggregation and compliance reporting. HookProbe excels at AI-native packet inspection on edge devices ($75 Raspberry Pi). Together, you get distributed edge detection feeding centralized SIEM.

Architecture Overview

HookProbe Edge (Pi) → syslog/JSON TCP 514 → Wazuh Manager (Central SIEM)

Quick Start (5 Minutes)

Add this to your HookProbe config (/etc/hookprobe/logshipper.yml):

output:
  syslog:
    enabled: true
    host: wazuh-manager.example.com
    port: 514
    protocol: tcp
    format: json
    facility: local0

HookProbe vs Wazuh Native Detection

Capability               | Wazuh Alone              | + HookProbe
L7 packet inspection     | Limited (Suricata addon) | Native (NAPSE engine)
ML threat classification | No                       | Yes (Bayesian ensemble)
eBPF/XDP kernel filter   | No                       | Yes (wire-speed)
Edge deployment cost     | $300+ server             | $75 Raspberry Pi
Compliance reporting     | Excellent                | Excellent (Wazuh)

What Wazuh Sees from HookProbe

  • verdict: benign / suspicious / malicious
  • action: monitor / alert / block / cognitive_throttle
  • src_ip, dst_ip, dst_port, protocol
  • anomaly_score: ML confidence (0.0-1.0)
  • intent_class: bruteforce / scan / ddos / exfiltration
  • campaign_id: SENTINEL coordinated attack grouping
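As an added example (not HookProbe's or Wazuh's own code), the following Python sketches the correlation step that the decoders and rules mentioned above perform over these fields: it parses one JSON event per line (the exact framing HookProbe puts on TCP 514 is assumed here), rejects malformed or out-of-range records, maps verdict/action to an assumed Wazuh-style alert level, and groups events by campaign_id to count distinct attacker IPs. The sample lines and the severity thresholds are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample input: one JSON object per line using the field names
# listed above. The real framing HookProbe emits over TCP 514 is assumed.
SAMPLE_LINES = [
    '{"verdict":"malicious","action":"block","src_ip":"203.0.113.7","dst_ip":"192.0.2.10","dst_port":22,"protocol":"tcp","anomaly_score":0.97,"intent_class":"bruteforce","campaign_id":"camp-0001"}',
    '{"verdict":"malicious","action":"block","src_ip":"203.0.113.8","dst_ip":"192.0.2.10","dst_port":22,"protocol":"tcp","anomaly_score":0.91,"intent_class":"bruteforce","campaign_id":"camp-0001"}',
    '{"verdict":"suspicious","action":"alert","src_ip":"198.51.100.3","dst_ip":"192.0.2.11","dst_port":443,"protocol":"tcp","anomaly_score":0.62,"intent_class":"scan","campaign_id":null}',
    '{"verdict":"benign","action":"monitor","src_ip":"192.0.2.50","dst_ip":"192.0.2.12","dst_port":53,"protocol":"udp","anomaly_score":0.05,"intent_class":null,"campaign_id":null}',
    'not json at all',  # a corrupted line the pipeline must drop, not crash on
]

REQUIRED = ("verdict", "action", "src_ip", "dst_ip", "dst_port", "protocol", "anomaly_score")

def severity(event):
    """Assumed mapping to a Wazuh-style alert level (0-15); tune to local policy."""
    if event["verdict"] == "malicious":
        return 12 if event["action"] == "block" else 10
    if event["verdict"] == "suspicious":
        return 7 if event["anomaly_score"] >= 0.5 else 5
    return 3

def parse_event(line):
    """Return a validated event dict, or None if the line is not a well-formed record."""
    try:
        event = json.loads(line)
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(event, dict) or any(k not in event for k in REQUIRED):
        return None
    score = event["anomaly_score"]
    if not isinstance(score, (int, float)) or not 0.0 <= score <= 1.0:
        return None
    return event

def correlate(lines):
    """Group events by campaign_id; track event count, distinct attacker IPs, peak level."""
    campaigns = defaultdict(lambda: {"events": 0, "src_ips": set(), "max_level": 0})
    dropped = 0
    for line in lines:
        event = parse_event(line)
        if event is None:
            dropped += 1
            continue
        c = campaigns[event.get("campaign_id") or "uncorrelated"]
        c["events"] += 1
        c["src_ips"].add(event["src_ip"])
        c["max_level"] = max(c["max_level"], severity(event))
    return dict(campaigns), dropped
```

Running correlate(SAMPLE_LINES) yields one campaign with two distinct attacker IPs at level 12, two uncorrelated events peaking at level 7, and one dropped line.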

Real Production Numbers

From a 60-day production deployment feeding Wazuh:

  • 11 million security events forwarded (180K/day average)
  • 177,000 ML verdicts classified (45% benign, 40% malicious, 13% suspicious)
  • 11,832 unique attacker IPs tracked
  • 3,845 IoCs generated and shared with Wazuh

FAQ

Does HookProbe replace Wazuh?

No — they are complementary. HookProbe handles edge packet inspection and ML classification. Wazuh handles log aggregation, compliance reporting, and centralized analysis.

What happens if Wazuh is unreachable?

HookProbe queues events locally (up to 1GB) and replays them when Wazuh comes back online. The edge node continues blocking threats autonomously regardless of SIEM connectivity.

Can I run HookProbe on the Wazuh manager host?

Not recommended. HookProbe is designed to run on edge devices (Raspberry Pi, mini PCs) close to the network it monitors.

Getting Started

git clone https://github.com/hookprobe/hookprobe.git
cd hookprobe
sudo ./install.sh --tier guardian --siem-target wazuh-manager.example.com

View source on GitHub or read the documentation.

Ready to secure your network?

HookProbe delivers AI-native intrusion detection on affordable hardware.