Wazuh → Splunk Enterprise Security
Wazuh ↔ Splunk ES: integration to migration path.
Splunk ES is your live correlation engine, so we never flip a switch on it. Wazuh deploys alongside ES first — adding file integrity, compliance scanning and vulnerability coverage Splunk has no first-party answer for — and only then takes over detection content rule by rule. No flag day, no forced re-credentialing, and every phase rolls back in minutes.
The honest exception: the SPL-heavy, RBA-dependent and ESCU-derived correlations may stay on Splunk as a documented residual footprint. We tell you which bucket each rule lands in before Phase 1.
The idea
Add what Wazuh owns first. Move detections last.
The topology that makes this zero-blackout is a parallel HIDS/FIM tier: Wazuh agents sit beside your Splunk forwarders on the same hosts, the Wazuh manager decodes agent events and writes FIM (syscheck) and SCA results into its own indexer, and ES keeps consuming its accelerated data models untouched. Net-new value lands on Wazuh with no data-path crossover, so nothing about your existing correlations changes. Only once Wazuh is proven do we dual-ship selected sources, migrate detection content per rule, then federate or retire the Splunk tiers — each layer independently, each reversible.
The phases
Seven steps. Each one reversible.
Baseline & inventory
We document every active Splunk ES correlation with its 90-day fire count, every accelerated data model, every ESCU pack, every Notable response action, and ingest cost by sourcetype. Read-only against the Splunk REST API.
Stand up Wazuh alongside
A Wazuh manager and indexer cluster go live in HA. Agents land on a 5% canary in observe-only mode, shipping FIM (syscheck) and SCA results to the Wazuh indexer — not to Splunk. Your forwarders and ES content are untouched.
Dual-ship & build a Sigma baseline
Selected low-risk, high-volume sources (web, DNS, EDR telemetry) are teed into both tools through Vector or Cribl, with ECS at the edge and CIM aliases for Splunk. A starter Sigma library lands in Wazuh covering the same intent as low-complexity ES correlations.
Migrate detections per rule, in waves
Each replaceable correlation gets a Wazuh equivalent that shadows ES for 14 days, then runs primary while ES bakes for 7, then ES is disabled. Once a source is fully covered Wazuh-side, its Splunk leg is cut at the shipper, dropping ingest cost.
Federate kept content; cut the indexer tier
ES correlations that depend on RBA, ESCU, or tstats acceleration stay on Splunk; everything else runs against the Wazuh indexer via Federated Search. The Splunk indexer tier shrinks to only the sources kept searches still need.
Retire residual ES (if scope allows)
The hard tail — RBA, tier-1 ESCU, tstats-dependent searches — is either re-implemented Wazuh-side with documented feature loss, or you keep a small Splunk footprint as a deliberate permanent state. We tell you honestly which one you are in.
Decommission Splunk
Forwarders are removed in waves, indexers roll to frozen with Object Lock for the retention window, and the search-head tier shuts down last so analysts keep read access to historical Notables during wind-down. The _audit log is exported for evidence.
Feature parity
Where Wazuh leads, and where ES still wins.
| Capability | Wazuh | Splunk Enterprise Security | Parity |
|---|---|---|---|
| File integrity monitoring | syscheck (FIM) — real-time and scheduled, baseline diff | No first-party FIM; derived from raw audit via SPL | OSS only |
| Compliance config scans | SCA — CIS benchmarks, on-agent | None first-party; ESCU detects, doesn't baseline-scan | OSS only |
| Vulnerability detection | OVAL/NVD feed correlated against agent inventory | None first-party; via add-ons | OSS only |
| Agent / data collection | Wazuh agent (HIDS, FIM, SCA, forwarding, multi-OS) | Universal Forwarder (shipping-only) plus Edge Processor | Partial |
| Decode / rule pipeline | XML decoders and rules on the manager, pre-index | Parse at indexer/HF; rule evaluation at search time | Partial |
| Correlation language | frequency / timeframe plus if_matched_sid / if_matched_group | SPL tstats-against-accelerated-DM correlation searches | SaaS only |
| Curated detection content | Wazuh ruleset plus SigmaHQ (community, unsigned channel) | ESCU (vendor-curated, versioned, signed, framework-tagged) | SaaS only |
| Risk-Based Alerting | None first-party (approximate via per-entity aggregation) | RBA risk index plus risk_object threshold correlations | SaaS only |
| MITRE ATT&CK tagging | 4.4+ rulesets ship mitre blocks | ESCU plus framework analytics (more curated) | Partial |
| SOAR / case management | TheHive / Shuffle / Cortex via webhook | Splunk SOAR (Phantom) plus Investigation Workbench / Notables | SaaS only |
| Retention immutability | Indexer ISM read_only plus Object-Locked S3 snapshots | SmartStore plus frozen-to-S3 Object Lock | At parity |
| Authn / authz and RBAC | OpenSearch-fork Security (roles / tenants) | ES roles plus KV-store workflow RBAC | Partial |
| Cost model | Self-hosted compute and ops; no per-GB ingest licence | Ingest or workload-based plus ES premium | OSS only |
What we're honest about
The caveats most vendors leave out.
SPL has no clean Sigma equivalent
Fifteen years of tstats-against-accelerated-data-models, transaction, streamstats and eventstats do not auto-translate. Realistic Sigma conversion sits under 70%. The complex correlations that catch real intrusions land in the kept bucket — we hand-rewrite them or keep them on Splunk, and we say which.
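The bucketing described above, as an added example that is not part of this page or the service it describes: each exported ES correlation is scanned for the SPL constructs the page names as non-portable (tstats against an accelerated data model, transaction, streamstats, eventstats) plus Risk-Based Alerting markers, and ESCU-installed rules are recognised by their assumed "ESCU - " name prefix. The regexes and the sample inventory are constructed for illustration, not an official list.

```python
import re

# Constructs the page lists as not auto-translating to Sigma, plus RBA markers.
# Patterns are this example's own heuristics, not an official Splunk or Sigma list.
RESIDUAL_PATTERNS = {
    "tstats_accelerated_dm": re.compile(r"\|\s*tstats\b[^|]*\bdatamodel\b", re.I),
    "transaction": re.compile(r"\|\s*transaction\b", re.I),
    "streamstats": re.compile(r"\|\s*streamstats\b", re.I),
    "eventstats": re.compile(r"\|\s*eventstats\b", re.I),
    "rba_risk_index": re.compile(r"\bindex\s*=\s*risk\b|\brisk_object\b", re.I),
}
# ESCU installs its correlations with this name prefix (assumed convention).
ESCU_PREFIX = "ESCU - "


def classify_correlation(name: str, spl: str) -> dict:
    """Bucket one ES correlation: Sigma-portable, or kept on Splunk with reasons."""
    reasons = [key for key, rx in RESIDUAL_PATTERNS.items() if rx.search(spl)]
    if name.startswith(ESCU_PREFIX):
        reasons.append("escu_pack")
    bucket = "kept_on_splunk" if reasons else "sigma_portable"
    return {"name": name, "bucket": bucket, "reasons": reasons}


def bucket_inventory(inventory):
    """Group (name, spl) pairs into the two migration buckets, preserving order."""
    buckets = {"sigma_portable": [], "kept_on_splunk": []}
    for name, spl in inventory:
        result = classify_correlation(name, spl)
        buckets[result["bucket"]].append(result)
    return buckets


# Constructed sample inventory standing in for the Phase 1 REST export.
INVENTORY = [
    ("Excessive Failed Logins",
     "index=auth action=failure | stats count by user, src | where count > 20"),
    ("ESCU - Suspicious PowerShell Execution - Rule",
     "| tstats summariesonly=true count from datamodel=Endpoint.Processes "
     "where Processes.process_name=powershell.exe by Processes.dest"),
    ("Risk Threshold Exceeded",
     "index=risk | stats sum(risk_score) as total by risk_object | where total > 100"),
    ("Lateral Movement Chain",
     "index=wineventlog EventCode=4624 | transaction user maxspan=5m | where eventcount > 3"),
    ("DNS Beaconing Interval",
     "index=dns | streamstats current=f last(_time) as prev by src | eval delta=_time-prev"),
]
```

`bucket_inventory(INVENTORY)` returns one Sigma-portable rule and four kept on Splunk, each with the construct that put it there.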
Risk-Based Alerting has no first-party answer
Splunk ES aggregates per-entity risk across hundreds of searches into a risk index; Wazuh has no equivalent. We approximate it with frequency rules plus out-of-tool per-entity aggregation and label it an approximation, not RBA. If RBA is central to your SOC, plan to retain a residual Splunk footprint.
ESCU is a curated, signed content channel
Splunk's ESCU packs are vendor-curated, versioned, signed and framework-tagged with a telemetry-back tuning loop. The OSS replacement is a CI-tested Sigma repo plus a Wazuh ruleset overlay that you own — real, but it lags ESCU's cadence. We stand up the curation pipeline rather than pretend the gap away.
Self-hosting means you own uptime and SOC depth
Once Splunk is gone, the Wazuh manager going down stops both alert streams and there is no managed-service SLA. We run it HA across nodes behind a load balancer, sized to your EPS, with a tested DR restore — and we keep Splunk SOAR and Investigation Workbench in scope only where you are staffed to replace them.
Why this beats a flag day
Reversible per rule, soaked before you cancel.
Every detection wave rolls back in under 15 minutes while ES content is disabled rather than deleted, so a bad migration is a single toggle, not an incident. And we never cancel the Splunk contract on a hunch: each replaced correlation soaks at least 30 consecutive days in primary mode at a true-positive rate that meets or beats the ES baseline before its source ingest is cut, and the indexer tier holds a read-only evidence window before decommission. You are never betting the SOC on one big cutover.
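The soak gate above as an added example, not code from this page or its service: a replaced correlation only clears the gate after at least 30 consecutive calendar days in primary mode with a daily true-positive rate that meets or beats the ES baseline. The treatment of silent days (no alerts, counted as passing) and of calendar gaps (streak reset) are this example's assumptions; the daily counts are constructed.

```python
from datetime import date, timedelta


def soak_gate(primary_days, baseline_tp_rate, min_days=30):
    """primary_days: (date, true_positives, false_positives) per day in primary mode.
    A day passes when TP/(TP+FP) meets or beats the ES baseline; a silent day with
    no alerts is assumed to pass. A failing day or a gap in the calendar resets the
    consecutive-day count, so the gate only opens on an unbroken soak."""
    streak = best = 0
    prev = None
    for day, tp, fp in sorted(primary_days):
        total = tp + fp
        passes = total == 0 or tp / total >= baseline_tp_rate
        contiguous = prev is not None and day == prev + timedelta(days=1)
        streak = streak + 1 if (passes and contiguous) else (1 if passes else 0)
        best = max(best, streak)
        prev = day
    return {"passed": best >= min_days, "longest_streak": best}


def build_soak(start, days, tp=8, fp=2, bad_days=(), skip_days=()):
    """Constructed daily counts: steady 80% TP rate, with optional bad or missing days."""
    series = []
    for i in range(days):
        if i in skip_days:
            continue
        d = start + timedelta(days=i)
        series.append((d, 1, 9) if i in bad_days else (d, tp, fp))
    return series


ES_BASELINE = 0.75  # constructed 90-day baseline from the ES correlation
CLEAN = build_soak(date(2024, 3, 1), 35)                  # passes: 35 unbroken days
NOISY = build_soak(date(2024, 3, 1), 35, bad_days=(9,))   # fails: best run is 25 days
GAPPED = build_soak(date(2024, 3, 1), 35, skip_days=(20,))  # fails: gap splits 20 / 14
```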
See whether your ES content migrates cleanly.
A call with a senior detection engineer. We inventory your correlations by SPL construct, separate the Sigma-portable rules from the RBA and ESCU tail that stays on Splunk, and tell you honestly what the path looks like for your environment.