docs/ref/modules/server-api/architecture.md
The Wazuh Server API is a layered system where an HTTP server delegates to a Python framework, which in turn communicates with internal daemons and databases through Unix sockets.
```mermaid
graph TD
A["Client (curl / SDK / Dashboard)"] --> B["Wazuh Server API (REST, JWT, RBAC)"]
B --> C["Wazuh Python Framework"]
C --> D["Core Logic Layer"]
D --> E["Unix sockets (daemons)"]
D --> F["Wazuh Database (WDB)"]
D --> G["Configuration files"]
D --> H["Internal queues"]
style A fill:#f9f,stroke:#333,stroke-width:2px,color:#fff
style B fill:#bbf,stroke:#333,stroke-width:2px,color:#fff
style C fill:#baf,stroke:#333,stroke-width:2px,color:#fff
style D fill:#1ad,stroke:#333,stroke-width:2px,color:#fff
style E fill:#666,stroke:#333,color:#fff
style F fill:#666,stroke:#333,color:#fff
style G fill:#666,stroke:#333,color:#fff
style H fill:#666,stroke:#333,color:#fff
```
### `wazuh/framework/wazuh/`

This layer is the thin entry point between the API controllers and the core logic. It must not contain business logic.
| Module | Responsibility | Main Endpoints |
|---|---|---|
agent.py | Agent lifecycle and queries | /agents |
manager.py | Manager status and configuration | /manager |
cluster.py | Cluster operations | /cluster |
syscheck.py | File Integrity Monitoring | /syscheck |
rootcheck.py | Policy and rootcheck | /rootcheck |
security.py | Authentication and users | /security |
rbac/ | Authorization logic | /security/* |
mitre.py | MITRE ATT&CK mappings | /mitre |
stats.py | Manager statistics | /manager/stats |
task.py | Async task handling | /tasks |
### `wazuh/framework/wazuh/core/`
This layer contains all real logic. It is API-agnostic and can be reused internally.
| Component | Description |
|---|---|
agent.py, manager.py, etc. | Business logic implementation |
common.py | Global constants, paths, context variables, and utility functions |
results.py | Standardized result model (WazuhResult, AffectedItemsWazuhResult) |
InputValidator.py | Regex-based input validation (names, lengths) |
utils.py | General utilities (caching, process management, helpers) |
wazuh_socket.py | IPC with Wazuh daemons via Unix sockets |
wazuh_queue.py | Internal async messaging |
wdb.py | Async interface to Wazuh DB (length-prefixed Unix socket protocol) |
wdb_http.py | HTTP-based alternative WDB client (via aiohttp) |
configuration.py | Parse ossec.conf and related files |
exception.py | Custom exception hierarchy and error code catalog |
wlogging.py | Custom log rotation with gzip compression |
pyDaemonModule.py | UNIX daemonization (double-fork pattern) |
stats.py | Statistics processing logic |
cluster/ | Cluster architecture (master, worker, DAPI, HAProxy helper) |
indexer/ | Wazuh Indexer integration (credentials, disconnected agents) |
### `wazuh/api/api/`
This layer implements the HTTP server that exposes the REST API.
| Component | Description |
|---|---|
controllers/ | Route handlers (one per resource: agent, cluster, security, etc.) |
authentication.py | JWT token generation and validation using EC keys (PyJWT) |
middlewares.py | Request/response pipeline (security headers, rate limiting, access logging) |
error_handler.py | Centralized error handling and brute-force protection |
validator.py | Comprehensive regex-based validation for all API input parameters |
signals.py | API lifecycle events and background tasks (key generation, CTI updates) |
constants.py | API filesystem paths (/api/configuration, /api/security, etc.) |
encoder.py | Custom JSON serialization |
uri_parser.py | URI parsing utilities |
alogging.py | Async-aware API logging |
spec/spec.yaml | OpenAPI 3.0 specification (defines all endpoints, schemas, parameters) |
configuration/ | API configuration management |
models/ | Data models for request/response objects |
Each controller wraps framework calls in the DAPI (Distributed API) layer to transparently route requests across cluster nodes.
| Controller | Responsibility |
|---|---|
agent_controller.py | Agent CRUD and lifecycle |
cluster_controller.py | Cluster node operations |
security_controller.py | Users, roles, policies, RBAC |
active_response_controller.py | Trigger active response commands |
syscheck_controller.py | FIM operations |
rootcheck_controller.py | Rootcheck/SCA results |
mitre_controller.py | MITRE ATT&CK mappings |
task_controller.py | Async task queries |
overview_controller.py | Agent overview/summary |
default_controller.py | Basic API info (version, hostname, timestamp) |
### `wazuh/framework/wazuh/rbac/`
| File | Responsibility |
|---|---|
decorators.py | expose_resources decorator that enforces action/resource permissions |
orm.py | ORM models for roles, policies, and user-role mappings |
preprocessor.py | Resource preprocessing before permission checks |
default_resources.py | Built-in default RBAC resource definitions |
auth_context.py | Authentication context handling |
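The following is an added, self-contained illustration of the action/resource enforcement pattern that a decorator such as `expose_resources` provides. It is not Wazuh's implementation: the policy dictionary format, the `agent:id:*` wildcard rule, the deny-overrides-allow choice and the function names (`allowed`, `get_agents`) are assumptions made for this example. The point it demonstrates is that the decorator filters the requested resources down to the permitted subset before the framework function runs, and fails closed when nothing is permitted.

```python
"""Illustrative action/resource decorator (added example, not Wazuh's code).

Policy format (assumed): {"actions": [...], "resources": [...], "effect": "allow"|"deny"}.
"""
from functools import wraps
from typing import Callable, Iterable, List


class PermissionDenied(Exception):
    """Raised when none of the requested resources is permitted."""


def _match(pattern: str, resource: str) -> bool:
    """'agent:id:*' matches any 'agent:id:<x>'; other patterns must match exactly (assumed rule)."""
    if pattern == resource:
        return True
    return pattern.endswith(":*") and resource.startswith(pattern[:-1])


def allowed(policies: List[dict], action: str, resource: str) -> bool:
    """Deny by default; an explicit deny beats any allow (assumed semantics)."""
    decision = False
    for policy in policies:
        if action not in policy["actions"]:
            continue
        if any(_match(p, resource) for p in policy["resources"]):
            if policy["effect"] == "deny":
                return False
            decision = True
    return decision


def expose_resources(actions: Iterable[str], resources: str, param: str) -> Callable:
    """Keep only the items of keyword `param` that the caller may apply `actions` to.

    `resources` is a template such as 'agent:id:{agent_list}'; each requested item
    is substituted into it and checked. Raising when nothing is permitted stops a
    caller from quietly "succeeding" on an empty set.
    """
    actions = list(actions)
    placeholder = "{" + param + "}"

    def decorator(func):
        @wraps(func)
        def wrapper(*args, policies, **kwargs):
            requested = kwargs.get(param) or []
            permitted = [
                item for item in requested
                if all(allowed(policies, a, resources.replace(placeholder, item)) for a in actions)
            ]
            if not permitted:
                raise PermissionDenied(f"{actions} on {resources} not permitted for {requested}")
            kwargs[param] = permitted
            return func(*args, **kwargs)
        return wrapper
    return decorator


@expose_resources(actions=["agent:read"], resources="agent:id:{agent_list}", param="agent_list")
def get_agents(agent_list=None):
    """Stand-in for a framework function: agent_list has already been filtered."""
    return {"affected_items": agent_list, "total_affected_items": len(agent_list)}
```

With a policy allowing `agent:read` on `agent:id:*` plus a deny on `agent:id:002`, a request for agents `001` and `002` returns only `001`; a request for `002` alone raises `PermissionDenied` rather than returning an empty result.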
### `wazuh/framework/wazuh/core/cluster/`
| File | Responsibility |
|---|---|
dapi/ | Distributed API — routes requests to the correct cluster node |
master.py | Master node logic |
worker.py | Worker node logic |
client.py | Worker → master communication |
server.py | Cluster server |
local_client.py | Local cluster client |
local_server.py | Local cluster server |
control.py | Cluster control operations |
cluster.py | Core cluster logic |
common.py | Cluster-specific shared utilities |
config.py | Cluster configuration schema |
utils.py | Cluster utilities (get_cluster_items, etc.) |
hap_helper/ | HAProxy integration for load balancing |
### `wazuh/framework/wazuh/core/indexer/`
| File | Responsibility |
|---|---|
indexer.py | Main Wazuh Indexer client |
credential_manager.py | Indexer credential management |
disconnected_agents.py | Handling disconnected agents in the indexer |
max_version_components.py | Version component handling |
Example: `GET /agents?status=active`

1. The JWT in the request is validated (`authentication.py`).
2. The query parameters are validated (`validator.py`, regex-based).
3. The matching controller is called (`agent_controller.py`).
4. DAPI decides where the request runs (`local_master`, `local_any`, etc.).
5. The framework function (`wazuh/agent.py`) is invoked.
6. The `expose_resources` decorator enforces RBAC permissions.
7. The core logic (`core/agent.py`) is executed.
8. The result is returned as an `AffectedItemsWazuhResult` or `WazuhResult`.

In cluster deployments, not all requests can be handled by the node receiving them.
The DAPI layer (core/cluster/dapi/) transparently routes requests:
| Routing Mode | Description |
|---|---|
local_master | Must execute on the master node |
local_any | Can execute on any node |
distributed_master | Master distributes to relevant worker nodes |
```mermaid
graph LR
A["Client"] --> B["API Node"]
B --> C{"DAPI"}
C -->|local_master| D["Master Node"]
C -->|local_any| E["Current Node"]
C -->|distributed_master| F["Worker Node(s)"]
```
All framework functions return standardized result objects defined in core/results.py:
| Class | Description |
|---|---|
WazuhResult | Base dict-like result wrapper |
AffectedItemsWazuhResult | Tracks affected/failed items with error details |
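To make the affected/failed bookkeeping concrete, here is an added, simplified re-implementation of that result model, including merging two partial results with `|` as happens when responses from several cluster nodes are combined. It is written for this page and is not Wazuh's `core/results.py`: the field names, the de-duplication and sorting of merged items, the message selection rule and the error code used in the sample data are assumptions.

```python
"""Simplified affected/failed result model (added example, not Wazuh's code)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class AffectedItemsResult:
    affected_items: list = field(default_factory=list)
    # error_code -> set of item ids that failed with that error (assumed layout)
    failed_items: dict = field(default_factory=dict)
    all_msg: str = ""
    some_msg: str = ""
    none_msg: str = ""

    @property
    def total_affected(self) -> int:
        return len(self.affected_items)

    @property
    def total_failed(self) -> int:
        return sum(len(ids) for ids in self.failed_items.values())

    def add_failed_item(self, item, error_code: int) -> None:
        self.failed_items.setdefault(error_code, set()).add(item)

    @property
    def message(self) -> str:
        """Pick the message from how many items succeeded (assumed rule)."""
        if self.total_failed == 0:
            return self.all_msg
        return self.some_msg if self.total_affected else self.none_msg

    def __or__(self, other: AffectedItemsResult) -> AffectedItemsResult:
        """Merge two partial results, e.g. the master's and a worker's.

        Affected items are de-duplicated and sorted so the merged response is
        stable no matter which node answered first; failures with the same
        error code are unioned.
        """
        merged = AffectedItemsResult(all_msg=self.all_msg, some_msg=self.some_msg, none_msg=self.none_msg)
        merged.affected_items = sorted(set(self.affected_items) | set(other.affected_items))
        for src in (self.failed_items, other.failed_items):
            for code, ids in src.items():
                merged.failed_items.setdefault(code, set()).update(ids)
        return merged

    def to_dict(self) -> dict:
        return {
            "data": {
                "affected_items": list(self.affected_items),
                "total_affected_items": self.total_affected,
                "total_failed_items": self.total_failed,
                "failed_items": [
                    {"error": code, "id": sorted(ids)} for code, ids in sorted(self.failed_items.items())
                ],
            },
            "message": self.message,
        }


def restart_agents_example() -> dict:
    """Constructed scenario: master handled 001/003, a worker handled 002 and failed on 004."""
    msgs = dict(all_msg="Restart command sent to all agents",
                some_msg="Restart command sent to some agents",
                none_msg="Restart command was not sent to any agent")
    master = AffectedItemsResult(affected_items=["001", "003"], **msgs)
    worker = AffectedItemsResult(affected_items=["002"], **msgs)
    worker.add_failed_item("004", 1707)  # constructed: error code chosen for the example
    return (master | worker).to_dict()
```

Merging is where subtle bugs hide: if a node reports an item both as affected and as failed, or two nodes report the same item, the counts in `total_affected_items` must still add up, which is why the merge de-duplicates before counting.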
Results support:

- Merging (`|` operator) for combining results across cluster nodes

The framework communicates with Wazuh daemons via Unix domain sockets using a length-prefixed protocol.
`WazuhAsyncSocket` (in `core/wdb.py`) handles async socket connections.

| Socket | Daemon | Purpose |
|---|---|---|
wdb | wazuh-db | Database queries |
queue/sockets/queue | analysisd | Event ingestion |
queue/sockets/auth | authd | Agent registration |
queue/sockets/remote | remoted | Agent communication |
queue/sockets/request | various | Internal requests |
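The exchange below is an added, stand-alone example of a length-prefixed request/response over a Unix domain socket, with a fake in-process daemon so it runs offline. It is not Wazuh's `wazuh_socket.py` or `wdb.py`. It assumes the framing is a 4-byte little-endian length header followed by the payload, assumes the daemon answers with an `ok <json>` / `err <reason>` status word as `wazuh-db` does, and the command string, the size limit and the reply contents are constructed for the example.

```python
"""Length-prefixed Unix-socket client with a fake daemon (added example, not Wazuh's code)."""
import json
import os
import socket
import struct
import tempfile
import threading

HEADER = struct.Struct("<I")   # 4-byte little-endian payload length (assumed framing)
MAX_MSG = 64 * 1024            # refuse absurd lengths from a misbehaving peer (assumed limit)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """recv() may return fewer bytes than requested; loop until n bytes or EOF."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection mid-message")
        buf += chunk
    return bytes(buf)


def send_msg(sock: socket.socket, payload: bytes) -> None:
    sock.sendall(HEADER.pack(len(payload)) + payload)


def recv_msg(sock: socket.socket) -> bytes:
    (length,) = HEADER.unpack(recv_exact(sock, HEADER.size))
    if length > MAX_MSG:
        raise ValueError(f"declared length {length} exceeds limit")
    return recv_exact(sock, length)


def fake_wdb(path: str, ready: threading.Event, stop: threading.Event) -> None:
    """Stand-in daemon: one request per connection, WDB-style 'ok'/'err' replies (constructed)."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    srv.settimeout(0.2)      # lets the loop notice the stop flag
    ready.set()
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn:
            req = recv_msg(conn).decode()
            if req == "global get-agent-info 001":   # constructed command and answer
                send_msg(conn, b"ok " + json.dumps([{"id": 1, "name": "web-01"}]).encode())
            else:
                send_msg(conn, b"err Invalid DB query syntax")
    srv.close()


def query(path: str, command: str):
    """Client side: send one command, split off the status word, parse the JSON body."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        send_msg(s, command.encode())
        status, _, body = recv_msg(s).decode().partition(" ")
    if status != "ok":
        raise RuntimeError(f"daemon error: {body}")
    return json.loads(body)


def demo():
    """Run the fake daemon in a thread and issue one valid and one invalid query."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wdb")
        ready, stop = threading.Event(), threading.Event()
        t = threading.Thread(target=fake_wdb, args=(path, ready, stop), daemon=True)
        t.start()
        ready.wait(2)
        good = query(path, "global get-agent-info 001")
        try:
            query(path, "global bogus")
            bad = None
        except RuntimeError as e:
            bad = str(e)
        stop.set()
        t.join(2)
        return good, bad
```

Two details matter in practice: a single `recv()` is not guaranteed to return the whole header or body, so both sides must loop until the declared length arrives, and the declared length must be bounded before allocating, otherwise a corrupt or hostile peer can make the reader block forever or allocate arbitrarily.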
The `CustomFileRotatingHandler` class (`core/wlogging.py`) extends Python's logging to:

- rotate log files and gzip-compress the rotated copies
- set log file permissions to 0o640

API logging (`api/alogging.py`) is async-aware.
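As an added illustration of that rotation behaviour, the handler below gzips each rotated file and pins both the live log and the archives to mode 0o640. It is written for this page and is not Wazuh's `CustomFileRotatingHandler`: the size-based trigger, the `.N.gz` naming scheme, the class and helper names and the sample log lines are assumptions.

```python
"""Gzip-compressing, permission-pinning rotating handler (added example, not Wazuh's code)."""
import gzip
import logging
import os
import shutil
import stat
import tempfile
from logging.handlers import RotatingFileHandler

LOG_MODE = 0o640  # owner rw, group r, others nothing


class GzipRotatingHandler(RotatingFileHandler):
    """Size-based rotation whose archives are gzip-compressed and mode 0o640 (backupCount >= 1)."""

    def _open(self):
        stream = super()._open()
        os.chmod(self.baseFilename, LOG_MODE)  # explicit: never rely on the process umask
        return stream

    def doRollover(self):
        if self.stream:
            self.stream.close()
            self.stream = None
        # shift existing archives: api.log.1.gz -> api.log.2.gz, ... ; the oldest is dropped
        for i in range(self.backupCount - 1, 0, -1):
            src = f"{self.baseFilename}.{i}.gz"
            dst = f"{self.baseFilename}.{i + 1}.gz"
            if os.path.exists(src):
                os.replace(src, dst)
        newest = f"{self.baseFilename}.1.gz"
        # create the archive with the restrictive mode up front so it is never world-readable,
        # then chmod again because os.open's mode is still filtered through the umask
        fd = os.open(newest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, LOG_MODE)
        with os.fdopen(fd, "wb") as raw:
            with gzip.GzipFile(fileobj=raw, mode="wb") as gz, open(self.baseFilename, "rb") as plain:
                shutil.copyfileobj(plain, gz)
        os.chmod(newest, LOG_MODE)
        os.remove(self.baseFilename)
        if not self.delay:
            self.stream = self._open()


def demo() -> dict:
    """Write enough constructed records to force several rotations; report what ended up on disk."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "api.log")
        logger = logging.getLogger("demo.gzip_rotation")
        logger.setLevel(logging.INFO)
        logger.propagate = False
        handler = GzipRotatingHandler(path, maxBytes=200, backupCount=2)
        logger.addHandler(handler)
        for i in range(40):
            logger.info("request %03d GET /agents?status=active 200", i)  # constructed log line
        logger.removeHandler(handler)
        handler.close()
        with gzip.open(f"{path}.1.gz", "rt") as f:
            archived_lines = f.read().splitlines()
        return {
            "files": sorted(os.listdir(d)),
            "mode": stat.S_IMODE(os.stat(path).st_mode),
            "archive_mode": stat.S_IMODE(os.stat(f"{path}.1.gz").st_mode),
            "archived_lines": archived_lines,
        }
```

The reason to set the mode explicitly rather than trusting the umask is that API access logs carry usernames, source addresses and request paths; a rotated copy created with default permissions would expose that history to every local account.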