Load Wazuh data in Python using dltHub

In this guide, we'll set up a complete Wazuh data pipeline from API credentials to your first data load in just 10 minutes. You'll end up with a fully declarative Python pipeline based on dlt's REST API connector, like in the partial example code below:

Example code
@dlt.source
def wazuh_source(access_token=dlt.secrets.value):
    config: RESTAPIConfig = {
        "client": {
            "base_url": "https://127.0.0.1:55000/agents/004/group",
            "auth": {
                "type": "bearer",
                "token": access_token,
            }
        },
        "resources": [
            "webserver", "dmz"
        ],
    }
    [...]
    yield from rest_api_resources(config)


def get_data() -> None:
    # Connect to destination
    pipeline = dlt.pipeline(
        pipeline_name='wazuh_pipeline',
        destination='duckdb',
        dataset_name='wazuh_data', 
    )
    # Load the data
    load_info = pipeline.run(wazuh_source())
    print(load_info) 

Why use dltHub Workspace with LLM Context to generate Python pipelines?

• Accelerate pipeline development with AI-native context
• Debug pipelines, validate schemas and data with the integrated Pipeline Dashboard
• Build Python notebooks for end users of your data
• Low maintenance thanks to Schema evolution with type inference, resilience and self documenting REST API connectors. A shallow learning curve makes the pipeline easy to extend by any team member
• dlt is the tool of choice for Pythonic Iceberg Lakehouses, bringing mature data loading to pythonic Iceberg with or without catalogs

What you’ll do

We’ll show you how to generate a readable and easily maintainable Python script that fetches data from wazuh’s API and loads it into Iceberg, DataFrames, files, or a database of your choice. Here are some of the endpoints you can load:

• Cluster Endpoints: Information and configuration related to cluster health and worker stats.

  • /cluster/worker-1/info?pretty: Provides information about a specific worker in the cluster.
  • /cluster/config?pretty: Shows the configuration settings of the cluster.
  • /cluster/healthcheck?pretty: Checks the health status of the cluster.
  • /cluster/worker-1/stats/remoted?pretty: Retrieves remote statistics for a specific worker.

• Agent Endpoints: Endpoints for managing and retrieving information about agents.

  • /agents/outdated?pretty: Lists agents that are outdated.
  • /agents?older_than=10s&purge&ids=003,005&pretty: Retrieves a list of agents with options for purging and filtering.
  • /summary/agents?pretty: Provides a summary of all agents.
  • /agents/003/upgrade_result?pretty: Shows the upgrade results for a specific agent.

• Syscheck Endpoints: Manage and check system configurations and checks.

  • /syscheck?pretty: Retrieves general information about system checks.
  • /syscheck/000?offset=0&limit=2&pretty: Shows specific system check details with pagination.

• Decoder Endpoints: Information related to decoders for logs.

  • /decoders/parents?pretty&offset=0&limit=2&sort=-file: Lists parent decoders with options for pagination and sorting.
  • /decoders/apache-errorlog?pretty: Retrieves information about the Apache error log decoder.

• Syscollector Endpoints: Information related to system collector packages and hotfixes.

  • /syscollector/000/packages?pretty&limit=2&offset=10&sort=-name: Lists system collector packages with pagination and sorting options.
  • /experimental/syscollector/packages?pretty&sort=-name&limit=2: Retrieves experimental system collector packages with sorting.

• Experimental Endpoints: Various experimental features and functionalities.

  • /experimental/ciscat/results?pretty&sort=-score: Retrieves results from the Ciscat tool, sorted by score.

• Manager Endpoints: Management-related logs and configurations.

  • /manager/configuration/validation?pretty: Validates the configuration settings in the manager.
  • /manager/logs/summary?pretty: Summarizes logs managed by the system.

• Rules Endpoints: Access to specific rules in the system.

  • /rules/pci?offset=0&limit=10&pretty: Retrieves PCI-related rules with pagination options.

You will then debug the Wazuh pipeline using our Pipeline Dashboard tool to ensure it is copying the data correctly, before building a Notebook to explore your data and build reports.

Setup & steps to follow

💡
Before getting started, let's make sure Cursor is set up correctly:

We suggest using a model like Claude 3.7 Sonnet or better
Index the REST API Source tutorial: https://dlthub.com/docs/dlt-ecosystem/verified-sources/rest_api/ and add it to context as @dlt rest api
Read our full steps on setting up Cursor

Now you're ready to get started!

1. ⚙️ Set up dlt Workspace

   Install dlt with duckdb support:

   Copy
   pip install "dlt[workspace]"

   Initialize a dlt pipeline with Wazuh support.

   Copy
   dlt init dlthub:wazuh duckdb

   The init command will setup the necessary files and folders for the next step.

2. 🤠 Start LLM-assisted coding

   Here’s a prompt to get you started:

   Prompt
   Copy
   Please generate a REST API Source for Wazuh API, as specified in @wazuh-docs.yaml 
   Start with endpoints webserver and dmz and skip incremental loading for now. 
   Place the code in wazuh_pipeline.py and name the pipeline wazuh_pipeline. 
   If the file exists, use it as a starting point. 
   Do not add or modify any other files. 
   Use @dlt rest api as a tutorial. 
   After adding the endpoints, allow the user to run the pipeline with python wazuh_pipeline.py and await further instructions.

3. 🔒 Set up credentials

   Wazuh API endpoints require authentication via a JSON Web Token (JWT), which can be obtained by performing a call with basicAuth to POST /security/user/authenticate, and all calls must include this JWT; tokens have a default duration of 900 seconds.

   To get the appropriate API keys, please visit the original source at https://documentation.wazuh.com/current/user-manual/api/reference.html. If you want to protect your environment secrets in a production environment, look into setting up credentials with dlt.

4. 🏃‍♀️ Run the pipeline in the Python terminal in Cursor

   Copy
   python wazuh_pipeline.py

   If your pipeline runs correctly, you’ll see something like the following:

   Copy
   Pipeline wazuh load step completed in 0.26 seconds
   1 load package(s) were loaded to destination duckdb and into dataset wazuh_data
   The duckdb destination used duckdb:/wazuh.duckdb location to store data
   Load package 1749667187.541553 is LOADED and contains no failed jobs

5. 📈 Debug your pipeline and data with the Pipeline Dashboard

   Now that you have a running pipeline, you need to make sure it’s correct, so you do not introduce silent failures like misconfigured pagination or incremental loading errors. By launching the dlt Workspace Pipeline Dashboard, you can see various information about the pipeline to enable you to test it. Here you can see:

   • Pipeline overview: State, load metrics
   • Data’s schema: tables, columns, types, hints
   • You can query the data itself

   Copy
   dlt pipeline wazuh_pipeline show

6. 🐍 Build a Notebook with data explorations and reports

   With the pipeline and data partially validated, you can continue with custom data explorations and reports. To get started, paste the snippet below into a new marimo Notebook and ask your LLM to go from there. Jupyter Notebooks and regular Python scripts are supported as well.

   Copy
   import dlt
   
   data = dlt.pipeline("wazuh_pipeline").dataset()
   # get "webserver" table as Pandas frame
   data."webserver".df().head()

Extra resources:

• Learn more with our 1h LLM-assisted coding course!

Next steps

• How to deploy a pipeline
• How to explore your data in marimo Notebooks
• How to query your data in Python with dataset
• How to create REST API Sources with Cursor