osquery vs Wazuh
GitHub Stats
About osquery
osquery, developed at Facebook, exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data - running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, and hundreds of other system attributes are all available as SQL tables. For security teams, this means you can query your fleet in real-time: 'SELECT * FROM processes WHERE name LIKE \'%miner%\'' finds cryptominers, 'SELECT * FROM listening_ports WHERE port = 4444' finds suspicious listeners. osquery supports scheduled queries that log differential changes over time, making it powerful for continuous security monitoring and compliance verification. It runs on Linux, macOS, Windows, and FreeBSD, and integrates with fleet management tools like Fleet (formerly Kolide) for centralized querying and alerting across thousands of endpoints.
About Wazuh
Wazuh is a free, open-source security platform that provides unified XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) capabilities. It consists of an agent deployed on endpoints and a central server that collects, analyzes, and correlates security data. Wazuh performs real-time log analysis, file integrity monitoring, rootkit detection, vulnerability assessment, configuration compliance checking (CIS, PCI DSS, HIPAA, NIST), and active response. It detects threats using rules that correlate events from multiple sources, including endpoint logs, cloud services (AWS, Azure, GCP), containers, and network devices. Wazuh integrates with Elasticsearch and OpenSearch for log storage and visualization, and includes a custom dashboard for security operations. Its open-source nature and comprehensive feature set make it a popular alternative to commercial SIEM solutions.
Platform Support
Tags
Shared
osquery only
Wazuh only