diff --git a/package/secubox/secubox-wazuh-manager/Makefile b/package/secubox/secubox-wazuh-manager/Makefile new file mode 100644 index 00000000..065372c1 --- /dev/null +++ b/package/secubox/secubox-wazuh-manager/Makefile @@ -0,0 +1,56 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=secubox-wazuh-manager +PKG_VERSION:=1.0.0 +PKG_RELEASE:=1 + +PKG_MAINTAINER:=CyberMind +PKG_LICENSE:=GPL-2.0 + +include $(INCLUDE_DIR)/package.mk + +define Package/secubox-wazuh-manager + SECTION:=secubox + CATEGORY:=SecuBox + SUBMENU:=Security + TITLE:=Wazuh Manager LXC Container + DEPENDS:=+lxc +lxc-attach +lxc-start +lxc-stop +lxc-info +curl +bash + PKGARCH:=all +endef + +define Package/secubox-wazuh-manager/description + Wazuh Manager SIEM stack in LXC container. + + Includes: + - Wazuh Manager: Agent management and analysis + - Wazuh Indexer: OpenSearch-based alert storage + - Wazuh Dashboard: Web UI for visualization + + Provides complete SIEM/XDR platform for SecuBox. + + Requirements: + - 4GB+ RAM recommended + - 20GB+ storage + + CLI: wazuh-managerctl +endef + +define Package/secubox-wazuh-manager/conffiles +/etc/config/wazuh-manager +endef + +define Build/Compile +endef + +define Package/secubox-wazuh-manager/install + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) ./files/usr/sbin/wazuh-managerctl $(1)/usr/sbin/ + + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_CONF) ./files/etc/config/wazuh-manager $(1)/etc/config/ + + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/etc/init.d/wazuh-manager $(1)/etc/init.d/ +endef + +$(eval $(call BuildPackage,secubox-wazuh-manager)) diff --git a/package/secubox/secubox-wazuh-manager/README.md b/package/secubox/secubox-wazuh-manager/README.md new file mode 100644 index 00000000..de27adc6 --- /dev/null +++ b/package/secubox/secubox-wazuh-manager/README.md 
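Review bot: DEPENDS does not cover everything the installed scripts run: wazuh-managerctl calls `python3` (configure-haproxy, api-status, alerts) and unpacks the rootfs with `tar -xJf`, which needs xz support that a default busybox tar may lack, and neither is declared, so the package installs cleanly on a host where `install` and `configure-haproxy` then fail at runtime. Add `+python3` and an xz-capable tar to DEPENDS, or replace the python3 usage with jsonfilter/uci. `PKGARCH:=all` is also at odds with the controller, which downloads an arm64-only rootfs; either the rootfs architecture should follow the target or the package should be restricted accordingly.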
@@ -0,0 +1,171 @@ +# SecuBox Wazuh Manager + +Complete Wazuh SIEM/XDR stack in LXC container for SecuBox. + +## Components + +| Component | Description | Port | +|-----------|-------------|------| +| **Wazuh Manager** | Agent management, log analysis, threat detection | 1514, 1515, 55000 | +| **Wazuh Indexer** | OpenSearch-based alert storage and search | 9200 | +| **Wazuh Dashboard** | Web UI for visualization and management | 5601 | + +## Requirements + +- **RAM**: 4GB+ recommended (minimum 2GB) +- **Storage**: 20GB+ for indexes +- **LXC**: Container support on OpenWrt + +## Quick Start + +```bash +# Install Wazuh Manager (takes 10-15 minutes) +wazuh-managerctl install + +# Start the container +wazuh-managerctl start + +# Configure HAProxy for external access +wazuh-managerctl configure-haproxy + +# Check status +wazuh-managerctl status +``` + +## CLI Reference + +### Installation +| Command | Description | +|---------|-------------| +| `wazuh-managerctl install` | Create and setup Wazuh LXC container | +| `wazuh-managerctl uninstall` | Remove container and data | +| `wazuh-managerctl upgrade` | Upgrade to latest version | + +### Service Control +| Command | Description | +|---------|-------------| +| `wazuh-managerctl start` | Start container | +| `wazuh-managerctl stop` | Stop container | +| `wazuh-managerctl restart` | Restart container | +| `wazuh-managerctl status` | Show status | + +### Configuration +| Command | Description | +|---------|-------------| +| `wazuh-managerctl configure-haproxy` | Setup HAProxy vhost | +| `wazuh-managerctl configure-firewall` | Open firewall ports | + +### Agent Management +| Command | Description | +|---------|-------------| +| `wazuh-managerctl list-agents` | List registered agents | +| `wazuh-managerctl agent-info ` | Show agent details | +| `wazuh-managerctl remove-agent ` | Remove agent | + +### API & Monitoring +| Command | Description | +|---------|-------------| +| `wazuh-managerctl api-status` | Check API status | +| 
`wazuh-managerctl api-token` | Generate API token | +| `wazuh-managerctl logs [service]` | Show logs | +| `wazuh-managerctl alerts [n]` | Show recent alerts | +| `wazuh-managerctl stats` | Cluster statistics | + +### Shell Access +| Command | Description | +|---------|-------------| +| `wazuh-managerctl shell` | Open bash in container | +| `wazuh-managerctl exec ` | Execute command | + +## UCI Configuration + +``` +config wazuh_manager 'main' + option enabled '1' + option container_name 'wazuh' + option lxc_path '/srv/lxc' + option data_path '/srv/wazuh' + +config network 'network' + option ip_address '192.168.255.50' + option gateway '192.168.255.1' + option bridge 'br-lan' + +config ports 'ports' + option manager '1514' + option api '55000' + option dashboard '5601' +``` + +## Architecture + +``` + ┌─────────────────────────────────────┐ + │ Wazuh LXC Container │ + │ │ + Agents ──────────►│ ┌─────────────┐ ┌─────────────┐ │ + (1514/TCP) │ │ Manager │ │ Indexer │ │ + │ │ Analysis │──│ OpenSearch │ │ + API ─────────────►│ └─────────────┘ └─────────────┘ │ + (55000/HTTPS) │ │ │ │ + │ ▼ ▼ │ + Dashboard ───────►│ ┌───────────────────────┐ │ + (5601/HTTP) │ │ Dashboard │ │ + │ │ Visualization UI │ │ + │ └───────────────────────┘ │ + └─────────────────────────────────────┘ +``` + +## Connecting Agents + +On SecuBox (with secubox-app-wazuh installed): + +```bash +# Configure agent to connect to manager +wazuhctl configure 192.168.255.50 + +# Register agent +wazuhctl register + +# Start agent +wazuhctl start +``` + +## Default Credentials + +| Service | Username | Password | +|---------|----------|----------| +| Dashboard | admin | admin | +| API | wazuh | wazuh | + +**Change passwords after installation!** + +## HAProxy Integration + +After running `wazuh-managerctl configure-haproxy`: + +- Dashboard: `https://wazuh.gk2.secubox.in` +- Uses wildcard SSL certificate +- WAF bypass enabled for WebSocket support + +## Data Persistence + +Data is stored outside the container: 
+ +| Path | Contents | +|------|----------| +| `/srv/wazuh/manager` | Agent keys, rules, decoders | +| `/srv/wazuh/indexer` | Alert indexes | + +## Integration with SecuBox + +- **CrowdSec**: Agents monitor CrowdSec logs +- **File Integrity**: Monitor `/etc/config`, `/etc/init.d` +- **Firewall**: Analyze firewall logs +- **HAProxy**: Track web traffic patterns + +## References + +- [Wazuh Documentation](https://documentation.wazuh.com/) +- [Wazuh GitHub](https://github.com/wazuh/wazuh) +- [Wazuh Docker](https://github.com/wazuh/wazuh-docker) diff --git a/package/secubox/secubox-wazuh-manager/files/etc/config/wazuh-manager b/package/secubox/secubox-wazuh-manager/files/etc/config/wazuh-manager new file mode 100644 index 00000000..be82c372 --- /dev/null +++ b/package/secubox/secubox-wazuh-manager/files/etc/config/wazuh-manager @@ -0,0 +1,38 @@ +config wazuh_manager 'main' + option enabled '0' + option container_name 'wazuh' + option lxc_path '/srv/lxc' + option data_path '/srv/wazuh' + +config network 'network' + option ip_address '192.168.255.50' + option gateway '192.168.255.1' + option bridge 'br-lan' + +config ports 'ports' + option manager '1514' + option manager_tcp '1515' + option api '55000' + option indexer '9200' + option dashboard '5601' + +config resources 'resources' + option memory_limit '4G' + option cpu_shares '1024' + +config haproxy 'haproxy' + option enabled '1' + option domain 'wazuh.gk2.secubox.in' + option dashboard_port '5601' + +config indexer 'indexer' + option cluster_name 'wazuh-cluster' + option node_name 'wazuh-indexer' + option shards '1' + option replicas '0' + +config manager 'manager' + option cluster_enabled '0' + option cluster_name 'wazuh' + option node_name 'master' + option node_type 'master' diff --git a/package/secubox/secubox-wazuh-manager/files/etc/init.d/wazuh-manager b/package/secubox/secubox-wazuh-manager/files/etc/init.d/wazuh-manager new file mode 100644 index 00000000..8ea33b3b --- /dev/null 
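Review bot: The shipped default config enables the HAProxy integration (`option enabled '1'`) with a deployment-specific hostname, `option domain 'wazuh.gk2.secubox.in'`, and the same hostname is hard-coded as the fallback in wazuh-managerctl, so any other installation that runs configure-haproxy publishes a vhost for a domain it does not own. Ship the domain empty and have the controller refuse `configure-haproxy` until it is set. The `resources`, `indexer` and `manager` sections are not read by any visible part of the controller (the LXC config and in-container install heredocs are partly cut from this view, so they may be consumed there); if they are unused, `memory_limit` and the cluster options give a false impression of being tunable.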
+++ b/package/secubox/secubox-wazuh-manager/files/etc/init.d/wazuh-manager @@ -0,0 +1,64 @@ +#!/bin/sh /etc/rc.common +# Wazuh Manager LXC init script + +START=95 +STOP=10 +USE_PROCD=1 + +CONTAINER_NAME="wazuh" +LXC_PATH="/srv/lxc" + +start_service() { + local enabled + config_load wazuh-manager + config_get enabled main enabled '0' + config_get CONTAINER_NAME main container_name 'wazuh' + config_get LXC_PATH main lxc_path '/srv/lxc' + + [ "$enabled" != "1" ] && return 0 + + # Check if container exists + if [ ! -d "$LXC_PATH/$CONTAINER_NAME/rootfs" ]; then + logger -t wazuh-manager "Container not installed. Run: wazuh-managerctl install" + return 1 + fi + + # Start container + if ! lxc-info -n "$CONTAINER_NAME" -s 2>/dev/null | grep -q RUNNING; then + lxc-start -n "$CONTAINER_NAME" -d + sleep 5 + logger -t wazuh-manager "Wazuh Manager container started" + fi +} + +stop_service() { + config_load wazuh-manager + config_get CONTAINER_NAME main container_name 'wazuh' + + if lxc-info -n "$CONTAINER_NAME" -s 2>/dev/null | grep -q RUNNING; then + lxc-stop -n "$CONTAINER_NAME" + logger -t wazuh-manager "Wazuh Manager container stopped" + fi +} + +reload_service() { + stop_service + sleep 2 + start_service +} + +service_triggers() { + procd_add_reload_trigger "wazuh-manager" +} + +status() { + config_load wazuh-manager + config_get CONTAINER_NAME main container_name 'wazuh' + + if lxc-info -n "$CONTAINER_NAME" -s 2>/dev/null | grep -q RUNNING; then + echo "Wazuh Manager: RUNNING" + lxc-info -n "$CONTAINER_NAME" + else + echo "Wazuh Manager: STOPPED" + fi +} diff --git a/package/secubox/secubox-wazuh-manager/files/usr/sbin/wazuh-managerctl b/package/secubox/secubox-wazuh-manager/files/usr/sbin/wazuh-managerctl new file mode 100644 index 00000000..bd62324b --- /dev/null +++ b/package/secubox/secubox-wazuh-manager/files/usr/sbin/wazuh-managerctl 
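Review bot: In start_service the "Wazuh Manager container started" log line after `lxc-start -n "$CONTAINER_NAME" -d` is emitted whether or not lxc-start succeeded, and the fixed `sleep 5` never re-checks that the container reached RUNNING, so a failed start is logged as success and the script returns 0. Check the exit status and re-probe before logging: `lxc-start -n "$CONTAINER_NAME" -d || { logger -t wazuh-manager "lxc-start failed"; return 1; }` followed by the existing lxc-info/grep test. Separately, reload_service does a full stop/start, and `procd_add_reload_trigger "wazuh-manager"` fires on every `uci commit wazuh-manager` (including the controller's own uci_set), so any config change restarts the whole SIEM stack and drops agent connections; consider making reload a no-op or restricting it to network/container options. Because the container is launched with plain lxc-start rather than a procd instance, procd presumably does not track or respawn it, which makes the custom status() the only meaningful state check.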
@@ -0,0 +1,595 @@ +#!/bin/bash +# SecuBox Wazuh Manager Controller +# Manages Wazuh SIEM stack in LXC container + +set -e + +WAZUH_VERSION="4.9.2" +CONFIG="wazuh-manager" +LXC_PATH="/srv/lxc" +CONTAINER_NAME="wazuh" +DATA_PATH="/srv/wazuh" + +. /lib/functions.sh + +log_info() { echo "[INFO] $*"; logger -t wazuh-manager "$*"; } +log_warn() { echo "[WARN] $*" >&2; } +log_error() { echo "[ERROR] $*" >&2; } + +uci_get() { uci -q get ${CONFIG}.$1; } +uci_set() { uci set ${CONFIG}.$1="$2" && uci commit ${CONFIG}; } + +load_config() { + CONTAINER_NAME=$(uci_get main.container_name) || CONTAINER_NAME="wazuh" + LXC_PATH=$(uci_get main.lxc_path) || LXC_PATH="/srv/lxc" + DATA_PATH=$(uci_get main.data_path) || DATA_PATH="/srv/wazuh" +} + +usage() { + cat <<'EOF' +SecuBox Wazuh Manager Controller + +Usage: wazuh-managerctl [options] + +Installation: + install Create and configure Wazuh LXC container + uninstall Remove container and data + upgrade Upgrade Wazuh to latest version + +Service Control: + start Start Wazuh Manager container + stop Stop container + restart Restart container + status Show container and service status + +Configuration: + configure-haproxy Add HAProxy vhost for dashboard + configure-firewall Open required firewall ports + generate-certs Generate SSL certificates + reset-password Reset admin password + +Agent Management: + list-agents List registered agents + agent-info Show agent details + remove-agent Remove agent + +API: + api-status Check API status + api-token Generate API token + +Logs & Monitoring: + logs [service] Show logs (manager|indexer|dashboard) + alerts [n] Show recent alerts + stats Show cluster statistics + +Shell: + shell Open shell in container + exec Execute command in container + +Examples: + wazuh-managerctl install + wazuh-managerctl start + wazuh-managerctl configure-haproxy + wazuh-managerctl list-agents +EOF +} + +# =========================================== +# Container Management +# =========================================== 
+ +container_exists() { + [ -d "$LXC_PATH/$CONTAINER_NAME/rootfs" ] +} + +container_running() { + lxc-info -n "$CONTAINER_NAME" -s 2>/dev/null | grep -q RUNNING +} + +cmd_install() { + load_config + + if container_exists; then + log_warn "Container already exists at $LXC_PATH/$CONTAINER_NAME" + return 0 + fi + + log_info "Installing Wazuh Manager v$WAZUH_VERSION..." + log_info "This may take 10-15 minutes..." + + # Create directories + mkdir -p "$LXC_PATH/$CONTAINER_NAME" + mkdir -p "$DATA_PATH"/{indexer,manager,dashboard} + + # Get network config + local ip_addr=$(uci_get network.ip_address) || ip_addr="192.168.255.50" + local gateway=$(uci_get network.gateway) || gateway="192.168.255.1" + local bridge=$(uci_get network.bridge) || bridge="br-lan" + + # Create LXC config + cat > "$LXC_PATH/$CONTAINER_NAME/config" </dev/null 2>&1; then + debootstrap --arch=arm64 bookworm "$rootfs" http://deb.debian.org/debian + else + # Download pre-built rootfs + local rootfs_url="https://images.linuxcontainers.org/images/debian/bookworm/arm64/default" + curl -fsSL "$rootfs_url/rootfs.tar.xz" | tar -xJf - -C "$rootfs" || { + log_error "Failed to download rootfs" + return 1 + } + fi + + # Configure container + log_info "Configuring container..." + + # Set hostname + echo "$CONTAINER_NAME" > "$rootfs/etc/hostname" + + # Configure DNS + cat > "$rootfs/etc/resolv.conf" < "$rootfs/root/install-wazuh.sh" <<'INSTALL' +#!/bin/bash +set -e + +echo "Installing Wazuh components..." + +# Install dependencies +apt-get update +apt-get install -y curl apt-transport-https gnupg2 lsb-release + +# Add Wazuh repository +curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor -o /usr/share/keyrings/wazuh.gpg +echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt stable main" > /etc/apt/sources.list.d/wazuh.list +apt-get update + +# Install Wazuh Indexer +echo "Installing Wazuh Indexer..." 
+apt-get install -y wazuh-indexer + +# Configure indexer +cat > /etc/wazuh-indexer/opensearch.yml < /etc/wazuh-dashboard/opensearch_dashboards.yml </dev/null && echo " Manager: Running" || echo " Manager: Stopped" + lxc-attach -n "$CONTAINER_NAME" -- systemctl is-active wazuh-indexer 2>/dev/null && echo " Indexer: Running" || echo " Indexer: Stopped" + lxc-attach -n "$CONTAINER_NAME" -- systemctl is-active wazuh-dashboard 2>/dev/null && echo " Dashboard: Running" || echo " Dashboard: Stopped" + + echo "" + echo "Access:" + echo " Dashboard: http://$ip_addr:5601" + echo " API: https://$ip_addr:55000" + else + echo "Container: STOPPED" + fi +} + +# =========================================== +# Configuration +# =========================================== + +cmd_configure_haproxy() { + load_config + + local domain=$(uci_get haproxy.domain) || domain="wazuh.gk2.secubox.in" + local ip_addr=$(uci_get network.ip_address) + local dashboard_port=$(uci_get ports.dashboard) || dashboard_port="5601" + + log_info "Configuring HAProxy for $domain..." 
+ + # Create backend + uci set haproxy.wazuh_dashboard=backend + uci set haproxy.wazuh_dashboard.name="wazuh_dashboard" + uci set haproxy.wazuh_dashboard.mode="http" + uci set haproxy.wazuh_dashboard.balance="roundrobin" + uci set haproxy.wazuh_dashboard.enabled="1" + + # Create server + uci set haproxy.wazuh_dashboard_srv=server + uci set haproxy.wazuh_dashboard_srv.backend="wazuh_dashboard" + uci set haproxy.wazuh_dashboard_srv.name="srv" + uci set haproxy.wazuh_dashboard_srv.address="$ip_addr" + uci set haproxy.wazuh_dashboard_srv.port="$dashboard_port" + uci set haproxy.wazuh_dashboard_srv.weight="100" + uci set haproxy.wazuh_dashboard_srv.check="1" + uci set haproxy.wazuh_dashboard_srv.enabled="1" + + # Create vhost + local vhost_name=$(echo "$domain" | tr '.-' '_') + uci set haproxy.${vhost_name}=vhost + uci set haproxy.${vhost_name}.domain="$domain" + uci set haproxy.${vhost_name}.backend="wazuh_dashboard" + uci set haproxy.${vhost_name}.ssl="1" + uci set haproxy.${vhost_name}.ssl_redirect="1" + uci set haproxy.${vhost_name}.waf_bypass="1" + uci set haproxy.${vhost_name}.enabled="1" + + uci commit haproxy + + # Add to mitmproxy routes + if [ -f /srv/mitmproxy-in/haproxy-routes.json ]; then + python3 -c " +import json +with open('/srv/mitmproxy-in/haproxy-routes.json') as f: + data = json.load(f) +data['$domain'] = ['$ip_addr', $dashboard_port] +with open('/srv/mitmproxy-in/haproxy-routes.json', 'w') as f: + json.dump(data, f, indent=2) +" 2>/dev/null + fi + + # Regenerate HAProxy config + haproxyctl generate 2>/dev/null + haproxyctl reload 2>/dev/null + + log_info "HAProxy configured: https://$domain" +} + +cmd_configure_firewall() { + load_config + + local ip_addr=$(uci_get network.ip_address) + + log_info "Configuring firewall rules..." 
+ + # Agent registration (1514 TCP/UDP) + # API (55000) + # These ports need to be accessible from agents + + cat >> /etc/firewall.user </dev/null | python3 -m json.tool 2>/dev/null || echo "API not responding" +} + +cmd_api_token() { + load_config + local ip_addr=$(uci_get network.ip_address) + + log_info "Getting API token..." + curl -sk -X POST "https://$ip_addr:55000/security/user/authenticate" \ + -H "Content-Type: application/json" \ + -u "wazuh:wazuh" 2>/dev/null | python3 -m json.tool +} + +# =========================================== +# Logs & Monitoring +# =========================================== + +cmd_logs() { + load_config + local service="${1:-manager}" + + case "$service" in + manager) + lxc-attach -n "$CONTAINER_NAME" -- tail -100 /var/ossec/logs/ossec.log + ;; + indexer) + lxc-attach -n "$CONTAINER_NAME" -- tail -100 /var/log/wazuh-indexer/wazuh-cluster.log + ;; + dashboard) + lxc-attach -n "$CONTAINER_NAME" -- journalctl -u wazuh-dashboard -n 100 + ;; + *) + log_error "Unknown service: $service (manager|indexer|dashboard)" + ;; + esac +} + +cmd_alerts() { + load_config + local count="${1:-20}" + + lxc-attach -n "$CONTAINER_NAME" -- tail -n "$count" /var/ossec/logs/alerts/alerts.json | \ + python3 -m json.tool 2>/dev/null || \ + lxc-attach -n "$CONTAINER_NAME" -- tail -n "$count" /var/ossec/logs/alerts/alerts.json +} + +cmd_stats() { + load_config + + echo "=== Wazuh Cluster Statistics ===" + lxc-attach -n "$CONTAINER_NAME" -- /var/ossec/bin/cluster_control -l 2>/dev/null || echo "Single-node deployment" + echo "" + echo "=== Agent Statistics ===" + lxc-attach -n "$CONTAINER_NAME" -- /var/ossec/bin/agent_control -l | head -20 +} + +# =========================================== +# Shell Access +# =========================================== + +cmd_shell() { + load_config + + if ! 
container_running; then + log_error "Container not running" + return 1 + fi + + lxc-attach -n "$CONTAINER_NAME" -- /bin/bash +} + +cmd_exec() { + load_config + shift + + if ! container_running; then + log_error "Container not running" + return 1 + fi + + lxc-attach -n "$CONTAINER_NAME" -- "$@" +} + +# =========================================== +# Main +# =========================================== + +case "$1" in + install) cmd_install ;; + uninstall) cmd_uninstall ;; + upgrade) cmd_uninstall && cmd_install ;; + start) cmd_start ;; + stop) cmd_stop ;; + restart) cmd_restart ;; + status) cmd_status ;; + configure-haproxy) cmd_configure_haproxy ;; + configure-firewall) cmd_configure_firewall ;; + list-agents) cmd_list_agents ;; + agent-info) shift; cmd_agent_info "$@" ;; + remove-agent) shift; cmd_remove_agent "$@" ;; + api-status) cmd_api_status ;; + api-token) cmd_api_token ;; + logs) shift; cmd_logs "$@" ;; + alerts) shift; cmd_alerts "$@" ;; + stats) cmd_stats ;; + shell) cmd_shell ;; + exec) cmd_exec "$@" ;; + -h|--help|help|"") usage ;; + *) log_error "Unknown command: $1"; usage; exit 1 ;; +esac
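Review bot: The `local var=$(uci_get …) || var=default` pattern in cmd_install, cmd_configure_haproxy, cmd_api_status and the other cmd_* functions never applies the default, because the exit status of `local` is 0 regardless of the command substitution, so a missing UCI option yields an empty value that is then written into the HAProxy server address and vhost name (and, from what is visible, the firewall rules), and `set -e` does not catch it; load_config is unaffected because it assigns without `local`. Declare and assign separately: `local domain; domain=$(uci_get haproxy.domain) || domain="wazuh.gk2.secubox.in"`, and give `ip_addr` in cmd_configure_haproxy a fallback or abort when it is empty. The rootfs in cmd_install is fetched with `curl -fsSL … | tar -xJf -` straight into the container root without checking a digest or signature, so the integrity of the base image the SIEM runs on rests on TLS alone; the image server publishes checksums that should be verified before extraction. cmd_api_token also embeds the factory credentials `-u "wazuh:wazuh"` and disables certificate checking with `-k`; read the credential from UCI or prompt for it so the documented post-install password change does not silently break the command.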