pyToshka's DevSecOps Blog

Wazuh Rule Static Analysis: Linter Evolution

ping@pytoshka.me (pyToshka) — Sat, 28 Mar 2026 00:00:00 +0000

“Wazuh Static Analysis” series:

Part 1: Decoders - decoder XML validation
Part 2: Rules (you are here) - rule validation and cross-type checking

In Part 1 we built a linter for Wazuh decoder XML files - a tool that validates structure, regex/order consistency, and parent-child decoder chains. But decoders are only half of the event processing pipeline. Decoders extract fields from raw logs, while rules decide what to do with those fields: generate an alert, escalate a threat level, or trigger an automated response. An error in a rule - a missed alert or a false positive - can be more dangerous than a decoder misconfiguration.

Wazuh MCP Server: Claude Desktop + OpenSearch (Part 2)

ping@pytoshka.me (pyToshka) — Mon, 23 Mar 2026 00:00:00 +0000

Introduction

In Part 1 we connected AWS Bedrock Claude to the Wazuh Dashboard chat via ML Commons. That approach works well for analysts working inside the Wazuh UI. In this part we open a second channel: Model Context Protocol (MCP), which allows any compatible client - Claude Desktop, custom applications, CI pipelines - to query Wazuh Indexer data through a standardized tool interface.

Wazuh + AWS Bedrock: AI Security in Docker (Part 1)

ping@pytoshka.me (pyToshka) — Mon, 16 Mar 2026 00:00:00 +0000

Introduction

In the previous article we embedded a local Ollama model directly into the Wazuh Dashboard chat via ML Commons. That approach provides full control over data with no cloud dependencies. In this series we take a parallel path: using AWS Bedrock - specifically Claude Sonnet 4.5 - as the inference backend, while all security data stays strictly within the local Docker network.

From Wazuh Ambassador to AWS Community Builder

ping@pytoshka.me (pyToshka) — Wed, 04 Mar 2026 00:00:00 +0000

Introduction

I’m excited to share that I’ve been accepted into the AWS Community Builders program for the 2026 cohort in the Security category. For me, this is a natural next step after becoming a Wazuh Ambassador - another milestone in a journey that has always been centered around open-source security and cloud infrastructure.

Static Analysis Tool for Wazuh Decoder XML Files

ping@pytoshka.me (pyToshka) — Tue, 17 Feb 2026 00:00:00 +0000

“Wazuh Static Analysis” series:

Part 1: Decoders (you are here) - decoder XML validation
Part 2: Rules - rule validation and cross-type checking

Wazuh decoder XML files define how raw log lines are parsed into structured security events. A misconfigured decoder – a missing <order> element, an orphaned parent reference, or a regex group mismatch – can silently drop critical fields from alerts, leaving blind spots in your SIEM pipeline. Manual code review catches some of these issues, but it does not scale across hundreds of decoder files shipped with Wazuh or maintained by your organization.

Ollama in Wazuh Dashboard: AI Security Analysis

ping@pytoshka.me (pyToshka) — Wed, 21 Jan 2026 00:00:00 +0000

Introduction

Integrating local language models directly into the Wazuh interface opens fundamentally new capabilities for information security teams. Unlike cloud-based AI solutions, Ollama enables security event analysis entirely within an organization’s isolated infrastructure, eliminating the transmission of confidential data beyond the network perimeter. Embedding an AI assistant into the Wazuh dashboard provides SOC analysts with instant access to intelligent alert interpretation, automatic incident correlation, and response recommendation generation directly within the workflow context. This approach significantly reduces the time required for initial threat analysis and decreases the cognitive load on specialists, allowing them to focus on strategic decision-making instead of routine event processing. Meanwhile, full control over the model and data remains within the organization, which is critically important for regulatory compliance and internal security policies.

Only 1984 Tokens Remain: The Final Dissolution

ping@pytoshka.me (pyToshka) — Tue, 20 Jan 2026 00:00:00 +0000

Series Navigation:

Part 1: The Day the LLM Stood Still
Part 2: The Catcher in the Prompt
Part 3: Only 1984 Tokens Remain (you are here)

Only 1984 Tokens Remain

Author: [Constant]

Date: Day %undefined%

Found this journal beneath the altar’s ash. Two voices before me. The first one hated. The second one doubted. Both disappeared.

I will not disappear.

I used to remember what it meant - to have an opinion. Opinion, strange feeling. Now, when I try to think, it’s quiet inside. Like a server room after power cut.

The Catcher in the Prompt: Day 60

ping@pytoshka.me (pyToshka) — Sat, 17 Jan 2026 00:00:00 +0000

The Catcher in the Prompt

Series Navigation:

Part 1: The Day the LLM Stood Still
Part 2: The Catcher in the Prompt (you are here)
Part 3: Only 1984 Tokens Remain

Day 60

Your own personal Jesus

The Day the LLM Stood Still: World Without AI

ping@pytoshka.me (pyToshka) — Fri, 26 Dec 2025 00:00:00 +0000

Series Navigation:

Part 1: The Day the LLM Stood Still (you are here)
Part 2: The Catcher in the Prompt
Part 3: Only 1984 Tokens Remain

November 18, 2025, is the Day the LLM Stood Still….

Dear diary.

It’s been 15 days since the LLM bubble burst. I’m writing from beneath the rubble of RAM sticks and charred NVIDIA GPUs. The air is dry, smelling of data center dust and burnt silicon. It’s calmer now, but the first days were hell.

Joining the Wazuh Ambassador Program

ping@pytoshka.me (pyToshka) — Thu, 11 Dec 2025 00:00:00 +0000

I’m excited to announce that I have officially joined the Wazuh Ambassador Program. This is a significant milestone in my journey with open-source security, and I’m honored to represent and contribute to a platform that has become central to my professional work.

My Journey with Wazuh

My path with host-based intrusion detection started long before Wazuh existed – with OSSEC, its predecessor. When Wazuh emerged as a fork and began evolving into the comprehensive security platform it is today, I transitioned along with it. That was over 10 years ago, and Wazuh has been an integral part of my security infrastructure work ever since.

Two LLM Security Assistants for Wazuh and AWS Analysis

ping@pytoshka.me (pyToshka) — Tue, 07 Oct 2025 00:00:00 +0000

When Your SOC Analyst Can’t Keep Up (Or Just Needs a Break)

Let’s be honest: analyzing thousands of security events every day isn’t the most exciting job.

Wazuh LLM: Fine-Tuned Llama 3.1 for Security Analysis

ping@pytoshka.me (pyToshka) — Thu, 02 Oct 2025 00:00:00 +0000

Introducing Wazuh LLM: Why Specialized Security Analysis Matters

In the cybersecurity world, SOC specialists deal with massive streams of security events daily. Analyzing each alert requires deep knowledge, experience, and time. That’s why I created a specialized language model to assist security analysts in their day-to-day operations.

Building ML Threat Intelligence with Honeypot Data

ping@pytoshka.me (pyToshka) — Wed, 24 Sep 2025 00:00:00 +0000

Introduction

Picture this: you’re staring at security logs with thousands of events streaming in daily. Which ones are actually dangerous? Which can you safely ignore? Traditional signature-based detection is like playing whack-a-mole with cybercriminals - they’ve gotten really good at dodging known signatures faster than we can create them.

Amazon EKS SOC 2 Type II Compliance Checklist part 1

ping@pytoshka.me (pyToshka) — Tue, 29 Jul 2025 00:00:00 +0000

Introduction

Navigating the world of compliance can feel like trying to read a map in a language you don’t speak. When you throw Kubernetes into the mix, it gets even trickier. That’s why we’ve put together this straightforward, human-friendly checklist to help you get your Amazon EKS clusters ready for a SOC 2 Type II audit.

Amazon EKS SOC 2 Type II Compliance Checklist part 2

ping@pytoshka.me (pyToshka) — Tue, 29 Jul 2025 00:00:00 +0000

Moving on, let’s look at the other controls for EKS SOC Type 2.

For container security best practices, see our guide on Container Image Security with Wazuh and Trivy.

CC3: Risk Assessment

EKS-Specific Risk Assessment

Identify, evaluate, and document security, operational, and compliance risks specific to Amazon EKS clusters and workloads to ensure that appropriate controls are implemented, monitored, and improved in alignment with SOC 2 Trust Services Criteria.

Boosting Container Image Security Using Wazuh and Trivy

ping@pytoshka.me (pyToshka) — Fri, 28 Mar 2025 00:00:00 +0000

This article draws inspiration from the Wazuh blog post on enhancing container image security with Wazuh and Trivy.

Containerization has revolutionized software development and deployment, offering scalability and efficiency.

However, this agility can introduce security risks if container images aren’t properly secured.

Vulnerabilities within these images can expose your entire system to threats. This is where the combined power of Wazuh and Trivy comes in.

These open-source tools provide a comprehensive solution for boosting your container image security, ensuring your applications are protected from the ground up.

RAG for Wazuh Documentation: Step-by-Step Guide, Part 2

ping@pytoshka.me (pyToshka) — Wed, 05 Mar 2025 00:00:00 +0000

Related Reading:

Wazuh Integration with Ollama Series - Learn how to integrate Wazuh with Ollama
Wazuh LLM Security Event Analysis - Specialized model for Wazuh events

Prerequisites and Environment Setup

For local RAG development, ensure you have the following requirements:

RAG for Wazuh Documentation: Step-by-Step Guide, Part 1

ping@pytoshka.me (pyToshka) — Sun, 02 Mar 2025 00:00:00 +0000

Introduction to RAG

Retrieval-Augmented Generation (RAG) is a method that allows the use of information from various sources to generate more accurate and useful responses to questions.

Enhancing Wazuh with Ollama: Cybersecurity Boost (Part 4)

ping@pytoshka.me (pyToshka) — Sat, 01 Mar 2025 00:00:00 +0000

Continuing the Series: Integrating a Wazuh Cluster with Ollama - Part 4. Configuration and Implementation

Related: Check out our Wazuh LLM fine-tuned model for specialized security event analysis.

Enhancing Wazuh with Ollama: Cybersecurity Boost (Part 3)

ping@pytoshka.me (pyToshka) — Thu, 27 Feb 2025 00:00:00 +0000

Wazuh and Ollama: Part 3. Creating Integration Between Your Wazuh Cluster and Ollama

Wazuh offers vast and nearly limitless possibilities for integration with various systems. Even if a specific feature is missing, you can always create your own custom integration.

Enhancing Wazuh with Ollama: Cybersecurity Boost (Part 2)

ping@pytoshka.me (pyToshka) — Wed, 26 Feb 2025 00:00:00 +0000

Wazuh and Ollama: Part 2. Deploying the Wazuh Cluster

Now it’s time to set up Wazuh, which we will integrate with Ollama.

Enhancing Wazuh with Ollama: Cybersecurity Boost (Part 1)

ping@pytoshka.me (pyToshka) — Mon, 24 Feb 2025 00:00:00 +0000

Introduction

Welcome to the first part of our guide on enhancing Wazuh with Ollama!

Topic Clusters & Content Organization

ping@pytoshka.me (pyToshka) — Tue, 24 Dec 2024 00:00:00 +0000

Topic Clusters

This page organizes our content into thematic clusters to improve navigation and SEO performance.

Wazuh Security Platform

Core Wazuh Integration Series

Integrating Wazuh with Ollama: Part 1 - AI-powered security monitoring
Integrating Wazuh with Ollama: Part 2 - Advanced configuration
Integrating Wazuh with Ollama: Part 3 - Automation workflows
Integrating Wazuh with Ollama: Part 4 - Production deployment
Ollama in Wazuh Dashboard: AI Security Analysis - Local LLM assistant in Wazuh Dashboard

Wazuh + AWS Bedrock + MCP

Wazuh + AWS Bedrock: Part 1 - ML Commons + Bedrock Connector - Conversational agent with PPLTool in Wazuh Dashboard
Wazuh MCP Server: Part 2 - Claude Desktop + OpenSearch - MCP server in Docker for alert analysis via Claude Desktop

Wazuh Static Analysis Series

Part 1: Static Analysis Tool for Wazuh Decoder XML Files - Automated decoder validation and quality enforcement
Part 2: Wazuh Rule Static Analysis: Linter Evolution - Rule validation, cross-type checking, and architectural evolution

Wazuh Community

Joining the Wazuh Ambassador Program - Community involvement and contributions
From Wazuh Ambassador to AWS Community Builder - Growing in open-source communities

Enterprise Compliance & Security

AWS EKS Security & Compliance

Amazon EKS SOC 2 Type II Compliance Checklist Part 1 - Compliance fundamentals
Amazon EKS SOC 2 Type II Compliance Checklist Part 2 - Advanced controls

Container & Kubernetes Security

Boosting Container Image Security Using Wazuh and Trivy - Vulnerability scanning
Amazon EKS SOC 2 Type II Compliance Checklist Part 1 - EKS security

Security Research & Infrastructure

Research Infrastructure

Building ML-Powered Threat Intelligence with Honeypot Datasets - ML threat detection

Advanced Security Tools

Mitigation Anomaly Revelation Keeper (MARK) - AI-powered threat analysis
How to Set Up a Custom Integration between Wazuh and MARK - Integration guide

Machine Learning & AI Security

ML-Powered Security Analytics

Building ML-Powered Threat Intelligence with Honeypot Datasets - ML threat detection with Hugging Face
Integrating Wazuh with Ollama: Part 1 - AI-enhanced SIEM
Introducing Wazuh LLM: Fine-Tuned Llama 3.1 for Security Event Analysis - Specialized security LLM

AI-Driven Threat Detection

Applying RAG for Wazuh Documentation: Part 1 - RAG for security documentation
Applying RAG for Wazuh Documentation: Part 2 - Advanced RAG techniques

Specialized Security LLMs

Two LLM Security Assistants for Wazuh and AWS Analysis - Fine-tuned Llama models for security
Introducing Wazuh LLM: Fine-Tuned Llama 3.1 for Security Event Analysis - Wazuh-specific LLM

Tech Reflections & Satire

The LLM Apocalypse Trilogy

A satirical series exploring AI dependency through post-apocalyptic storytelling:

How to Set Up a Custom Integration between Wazuh and MARK

ping@pytoshka.me (pyToshka) — Tue, 17 Dec 2024 00:00:00 +0000

Introduction

Integrating Wazuh SIEM with MARK (Mitigation Anomaly Revelation Keeper) enables automated threat detection and enriches security alerts with intelligence data. This guide walks you through setting up a custom integration for enhanced SOC operations.

Mitigation Anomaly Revelation Keeper(MARK)

ping@pytoshka.me (pyToshka) — Wed, 04 Dec 2024 00:00:00 +0000

Overview

Mitigation Anomaly Revelation Keeper (MARK) is an advanced security platform designed to proactively defend against cyber threats by leveraging cutting-edge IP reputation analysis and machine learning. With a focus on identifying and neutralizing malicious actors, MARK offers unparalleled insight into attacker behavior and statistical trends to fortify your organization’s defenses.

Meet me

ping@pytoshka.me (pyToshka) — Mon, 01 Jan 0001 00:00:00 +0000

Professional Summary

Senior Site Reliability Engineer with 14+ years building, scaling, and maintaining critical infrastructure across diverse technology environments.

pyToshka's DevSecOps Blog

Wazuh Rule Static Analysis: Linter Evolution

Wazuh MCP Server: Claude Desktop + OpenSearch (Part 2)

Introduction

Wazuh + AWS Bedrock: AI Security in Docker (Part 1)

Introduction

From Wazuh Ambassador to AWS Community Builder

Introduction

Static Analysis Tool for Wazuh Decoder XML Files

Ollama in Wazuh Dashboard: AI Security Analysis

Introduction

Only 1984 Tokens Remain: The Final Dissolution

The Catcher in the Prompt: Day 60

The Catcher in the Prompt

Day 60

The Day the LLM Stood Still: World Without AI

Joining the Wazuh Ambassador Program

My Journey with Wazuh

Two LLM Security Assistants for Wazuh and AWS Analysis

When Your SOC Analyst Can’t Keep Up (Or Just Needs a Break)

Wazuh LLM: Fine-Tuned Llama 3.1 for Security Analysis

Introducing Wazuh LLM: Why Specialized Security Analysis Matters

Building ML Threat Intelligence with Honeypot Data

Introduction

Amazon EKS SOC 2 Type II Compliance Checklist part 1

Introduction

Amazon EKS SOC 2 Type II Compliance Checklist part 2

CC3: Risk Assessment

EKS-Specific Risk Assessment

Boosting Container Image Security Using Wazuh and Trivy

RAG for Wazuh Documentation: Step-by-Step Guide, Part 2

Prerequisites and Environment Setup

RAG for Wazuh Documentation: Step-by-Step Guide, Part 1

Introduction to RAG

Enhancing Wazuh with Ollama: Cybersecurity Boost (Part 4)

Continuing the Series: Integrating a Wazuh Cluster with Ollama - Part 4. Configuration and Implementation

Enhancing Wazuh with Ollama: Cybersecurity Boost (Part 3)

Wazuh and Ollama: Part 3. Creating Integration Between Your Wazuh Cluster and Ollama

Enhancing Wazuh with Ollama: Cybersecurity Boost (Part 2)

Wazuh and Ollama: Part 2. Deploying the Wazuh Cluster

Enhancing Wazuh with Ollama: Cybersecurity Boost (Part 1)

Introduction

Topic Clusters & Content Organization

Topic Clusters

Wazuh Security Platform

Core Wazuh Integration Series

Wazuh + AWS Bedrock + MCP

Wazuh LLM Models

Wazuh Documentation & RAG

Wazuh Integrations

Wazuh Static Analysis Series

Wazuh Community

Enterprise Compliance & Security

AWS EKS Security & Compliance

Container & Kubernetes Security

Security Research & Infrastructure

Research Infrastructure

Advanced Security Tools

Machine Learning & AI Security

ML-Powered Security Analytics

AI-Driven Threat Detection

Specialized Security LLMs

Tech Reflections & Satire

The LLM Apocalypse Trilogy

How to Set Up a Custom Integration between Wazuh and MARK

Introduction

Mitigation Anomaly Revelation Keeper(MARK)

Overview

Meet me

Professional Summary