Understanding How Loki Labs Secures Your Endpoints with Wazuh
In this overview, we’ll explain the basics of Wazuh’s architecture, what it means for you, and answer key technical questions — like which network ports need to be open for smooth operation.
Core Components of Wazuh Architecture
Wazuh is designed with flexibility and security in mind, combining several key components to create a comprehensive monitoring system.
Agents: Monitoring Your Endpoints
The main component we install on your protected devices (servers, laptops, workstations) is the Wazuh agent.
This lightweight software gathers security data — including logs, file changes, and vulnerability reports — and securely sends it to Loki Labs' monitoring systems for analysis.
Agentless Monitoring for Network Devices
For certain devices like firewalls, routers, and switches where installing software isn't practical, we can still monitor them without an agent.
These devices send logs directly to our systems via Syslog, SSH, or API integrations.
How the Central Wazuh Server Works
The central Wazuh server at Loki Labs is where your endpoint data is processed.
It:
- Decodes and analyzes incoming security data.
- Matches activity against known rules and threat patterns.
- Generates alerts for anything suspicious.
Each alert includes helpful details, like what rule was triggered, making it easier for our analysts to respond quickly.
Security: How We Keep Your Data Safe
Whenever a Wazuh agent communicates with our server, it uses AES encryption (128-bit blocks, 256-bit keys) to ensure confidentiality and integrity.
TLS for All Internal Communications
Internally, every connection between components uses TLS encryption to prevent eavesdropping and tampering.
Important Network Ports You Need Open
To ensure your Wazuh agent works correctly with Loki Labs' systems, certain network ports must be open:
Wazuh Server Ports
| Service | Port | Protocol | Description |
| --- | --- | --- | --- |
| Agent Connection | 1514 | TCP/UDP | Your endpoint sends data here |
| Agent Enrollment | 1515 | TCP | Used during agent registration |
| Cluster Communication | 1516 | TCP | Internal server communication |
| Syslog Collection (optional) | 514 | UDP/TCP | For agentless devices |
| RESTful API | 55000 | TCP | Dashboard communication |
⚡ Important Note: Loki Labs handles all internal communication security.
You primarily need to ensure outbound access to port 1514/TCP for the agent to talk to us.
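To confirm that outbound access from an endpoint, the following added example (not Loki Labs' or Wazuh's own tooling) probes the agent-facing TCP ports from the table and separates a rejected connection from one that is silently dropped. The server hostname is not given in this article, so it is passed on the command line; the function names and the script name are illustrative.

```python
import socket
import sys

# Agent-facing TCP ports taken from the table above. 1514 also accepts UDP,
# which a connect() probe cannot verify, so only TCP is tested here.
AGENT_PORTS = {1514: "Agent Connection", 1515: "Agent Enrollment"}


def probe_tcp(host, port, timeout=3.0):
    """Classify one outbound TCP attempt as open, refused, filtered or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Actively rejected: something answered, but nothing accepted the connection.
        return "refused"
    except socket.timeout:
        # No answer at all: typically a firewall silently dropping the traffic.
        return "filtered"
    except OSError as exc:
        # DNS failure, no route, and similar local or network errors.
        return "error: %s" % (exc.strerror or exc)


def check_agent_egress(host, ports=AGENT_PORTS, timeout=3.0):
    """Probe every port in `ports` and return {port: status}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports that did not complete a TCP handshake, in ascending order."""
    return sorted(p for p, status in results.items() if status != "open")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_egress.py <server-hostname>")
    results = check_agent_egress(sys.argv[1])
    for port, status in sorted(results.items()):
        print("%-5d %-17s %s" % (port, AGENT_PORTS[port], status))
    sys.exit(1 if blocked_ports(results) else 0)
```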
How Your Endpoint Data Flows
- Your agent connects securely to our Wazuh server over port 1514.
- We analyze all incoming events and match them against security rules.
- When something suspicious is found, an alert is triggered and securely stored.
You get real-time protection and expert monitoring without having to manage Wazuh directly.
Dashboard Access
Through our custom dashboards, you can:
- View alerts
- Check endpoint health
- Understand high-level security trends
All dashboard communications are protected with TLS encryption and authenticated securely.
Rapid Threat Detection and Response
Real-time analysis, powerful rulesets, and our expert SOC team combine to give you fast, effective security responses.
At Loki Labs, we use Wazuh behind the scenes to provide powerful, secure monitoring for your systems.
Thanks to strong encryption, smart architecture, and years of expertise, we keep your environments protected 24/7 — while you stay focused on your business.