wazuh.itechsmart.dev is iTechSmart's live production Wazuh instance. Every alert that fires on our infrastructure goes through this exact pipeline — classified, remediated, and sealed with Bitcoin-anchored proof-of-fix.
131+ incidents indexed. 0.4s classification. 0.6h MTTR. This is not a demo.
Wazuh detects a security event on your infrastructure: file integrity changes, rootkit activity, vulnerability scans, brute force attempts, or log anomalies. The matching rule fires at the configured severity level.
A custom active response script, registered in ossec.conf, sends the full alert payload to the iTechSmart UAIO classify endpoint. Rule ID, level, agent name, and raw syslog data are all included.
UAIO classifies the incident in under 400ms, identifies the root cause, and executes the matching remediation runbook. The fix runs on the affected Wazuh agent. No analyst in the loop.
Terminal output, log diffs, and before/after state are captured, hashed, and anchored to Bitcoin. Your team gets an immutable audit trail for every remediation UAIO performs.
Add this active response block to your Wazuh manager's ossec.conf to route high-severity alerts to UAIO.
<!-- ossec.conf — Wazuh Manager Active Response Configuration -->
<!-- Add this block to your Wazuh manager's ossec.conf -->
<ossec_config>
  <!-- Register the custom active response command -->
  <command>
    <name>itechsmart-uaio</name>
    <executable>itechsmart-uaio.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <!-- Trigger on rule levels 8+ (high severity) -->
  <active-response>
    <command>itechsmart-uaio</command>
    <location>server</location>
    <level>8</level>
    <timeout>60</timeout>
  </active-response>
</ossec_config>

Drop this script into /var/ossec/active-response/bin/ and make it executable. It reads the Wazuh alert from stdin and sends it to UAIO.
#!/bin/bash
# /var/ossec/active-response/bin/itechsmart-uaio.sh
# Wazuh Active Response script — sends alerts to iTechSmart UAIO
UAIO_API="https://api.itechsmart.dev/v1/classify"
# API key; must be set in the environment the Wazuh service runs this script with
UAIO_KEY="${ITECHSMART_API_KEY}"
# Wazuh passes alert JSON via stdin
read -r ALERT_JSON
# Extract the fields and build the request body with jq, so that quotes,
# backslashes and control characters in alert text (full_log holds raw log
# data) are escaped as JSON instead of being pasted into the body verbatim
PAYLOAD=$(printf '%s' "$ALERT_JSON" | jq -c '.parameters.alert | {
  source: "wazuh",
  rule_id: (.rule.id | tostring),
  rule_level: .rule.level,
  rule_description: .rule.description,
  agent_name: .agent.name,
  full_log: .full_log
}') || exit 1
# Send to iTechSmart UAIO
curl -s -X POST "$UAIO_API" \
  -H "Authorization: Bearer $UAIO_KEY" \
  -H "Content-Type: application/json" \
  -d "$PAYLOAD"
# Response (0.4s):
# {
#   "classification": "brute_force_ssh",
#   "confidence": 0.96,
#   "root_cause": "Repeated SSH failures from 198.51.100.23",
#   "remediation_summary": "Blocked IP, rotated keys, hardened sshd",
#   "proof_of_fix": "https://proof.itechsmart.dev/fix/wz-9f3a",
#   "bitcoin_anchor": "tx:5c2d8e..."
# }

Yes. wazuh.itechsmart.dev is our live production Wazuh instance running v4.7.3. Every alert that fires on our own infrastructure goes through this exact integration pipeline. We have 131+ incidents indexed and counting. This is not a demo — it is our production security stack.
Both. The active response configuration works identically on self-hosted Wazuh managers and Wazuh Cloud instances. The only requirement is that your Wazuh manager can reach the iTechSmart API endpoint. For Wazuh Cloud, you configure the active response through the Cloud management console.
You control the threshold. Our production config triggers on level 8+ (high severity), but you can set any level from 1-15. Most teams start at level 10+ to handle only critical events, then lower the threshold as they validate results. You can also target specific rule IDs or rule groups instead of levels.
Wazuh's built-in active responses are static scripts that execute a fixed action (block an IP, kill a process). UAIO goes further: it classifies the incident, determines root cause, selects the right remediation strategy, executes it, verifies the fix, and anchors proof to Bitcoin. Built-in responses are hammers; UAIO is a surgeon.
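Alert fields such as full_log carry text that originates outside your control, so the body an active response script sends to the classify endpoint should come from a JSON serializer rather than from pasting values between quotes. The following is an added Python example, not iTechSmart's or Wazuh's code; SAMPLE_STDIN is a constructed stdin message and all function names are assumptions.

```python
import json

# Constructed sample of the message Wazuh writes to an active response's stdin;
# the field paths match the jq paths in the script above. The log line is made up
# and contains a double quote and a backslash, as a user-supplied name could.
SAMPLE_STDIN = json.dumps({
    "version": 1,
    "command": "add",
    "parameters": {"alert": {
        "rule": {"id": "5710", "level": 10, "description": "sshd: invalid user"},
        "agent": {"name": "web-01"},
        "full_log": 'sshd[811]: Invalid user "ops\\backup" from 198.51.100.23',
    }},
})

def extract(stdin_line):
    """Parse the stdin message and pull out the fields the page forwards."""
    alert = json.loads(stdin_line)["parameters"]["alert"]
    return {
        "source": "wazuh",
        "rule_id": str(alert["rule"]["id"]),
        "rule_level": int(alert["rule"]["level"]),
        "rule_description": alert["rule"]["description"],
        "agent_name": alert["agent"]["name"],
        "full_log": alert.get("full_log", ""),
    }

def interpolated_body(f):
    """Paste values between quotes, the way a shell string template does."""
    return ('{"source": "wazuh", "rule_id": "%s", "rule_level": %s, '
            '"rule_description": "%s", "agent_name": "%s", "full_log": "%s"}'
            % (f["rule_id"], f["rule_level"], f["rule_description"],
               f["agent_name"], f["full_log"]))

def serialized_body(f):
    """Let the JSON encoder escape quotes, backslashes and control characters."""
    return json.dumps(f)

def round_trips(body, f):
    """True only if the receiver would decode exactly the fields that were sent."""
    try:
        return json.loads(body) == f
    except json.JSONDecodeError:
        return False

if __name__ == "__main__":
    fields = extract(SAMPLE_STDIN)
    print("interpolated:", round_trips(interpolated_body(fields), fields))
    print("serialized:  ", round_trips(serialized_body(fields), fields))
```

The interpolated body only survives log lines that happen to contain no JSON metacharacters, which is why it can pass testing and still fail on real alerts.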
We run this integration on our own infrastructure every day. Connect your Wazuh instance to iTechSmart UAIO and get the same autonomous remediation pipeline we use in production.