How to Install Wazuh

Updated June 2026
Installing Wazuh involves deploying four components: the indexer for event storage, the server for log processing and detection, the dashboard for visualization and management, and agents on each monitored endpoint. This guide walks through the complete installation process on Linux, from verifying system requirements through agent enrollment, resulting in a fully operational open source XDR and SIEM platform.

Wazuh provides an installation assistant script that automates most of the deployment process, but understanding what each component does and how they connect is important for troubleshooting, scaling and maintaining the platform over time. This guide explains both the automated and manual aspects of the installation so you can make informed decisions about your deployment architecture.

Step 1: Review System Requirements

Wazuh can run as a single-server installation for smaller environments or as a distributed deployment across multiple servers for production use. The minimum hardware requirements depend on the number of agents and expected event volume.

For a single-server deployment handling up to 100 agents, allocate at least 4 CPU cores, 8 GB of RAM and 50 GB of storage. The storage requirement grows with retention period and event volume, so plan for approximately 2 GB per day per 100 agents for the indexed event data. For deployments exceeding 100 agents, separate the indexer onto its own server with additional RAM and fast SSD storage, as the indexer is the most resource-intensive component.

Supported operating systems for the central components include Amazon Linux 2, CentOS 7 and 8, Red Hat Enterprise Linux 7 through 9, Ubuntu 18.04 through 24.04, and Debian 10 through 12. The Wazuh agent supports a broader range, including Windows Server 2008 R2 through 2025, Windows 10 and 11, macOS 10.15 through 15, and most Linux distributions. Before proceeding, ensure your servers have stable network connectivity, a working DNS configuration and root or sudo access.

Step 2: Install the Wazuh Indexer

The Wazuh indexer is based on OpenSearch and provides the storage and search backend for all security events. It receives processed events from the Wazuh server, indexes them for fast search and aggregation, and serves data to the dashboard for visualization.

Wazuh provides an installation assistant script that handles certificate generation, package installation and initial configuration. Download the script and the configuration file from the Wazuh documentation site. The configuration file defines the nodes in your deployment, specifying hostnames or IP addresses for each indexer node, server node and dashboard node.

For a single-server deployment, all three components share the same IP address. Edit the configuration file to set the correct IP address or hostname for your server. The installation assistant generates SSL certificates for inter-component communication, ensuring that data transferred between the indexer, server and dashboard is encrypted.

Run the installation assistant with the indexer flag to install the OpenSearch-based indexer, configure its cluster settings, deploy the generated certificates and start the service. After installation, the indexer listens on port 9200 for REST API requests and port 9300 for inter-node communication. Verify the installation by checking the service status and running a test query against the REST API to confirm the indexer responds with cluster health information.

Step 3: Install the Wazuh Server

The Wazuh server, also called the Wazuh manager, is the central processing component. It receives events from agents and external log sources, decodes log entries into structured fields, matches decoded fields against detection rules and generates alerts when conditions are met. The server also manages agent registration, configuration distribution and active response actions.

Run the installation assistant with the server flag on the designated server node. The assistant installs the Wazuh manager package, configures the Filebeat module that ships events from the server to the indexer, deploys SSL certificates for secure communication and starts both the Wazuh manager and Filebeat services.

After installation, the Wazuh manager listens on port 1514 for agent event data and port 1515 for agent registration requests. Filebeat connects to the indexer on port 9200 to deliver processed events. Verify the installation by checking that both services are running, confirming the manager's API is accessible on port 55000, and reviewing the Filebeat logs to ensure events are flowing to the indexer.
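A post-install check covering Steps 2 and 3 on a single-server deployment, as an added example (not a script from the Wazuh project): it confirms the listening ports and services named above and queries the indexer's cluster health over its REST API. It assumes the default unit names wazuh-indexer, wazuh-manager and filebeat, admin credentials in WAZUH_ADMIN_USER/WAZUH_ADMIN_PASS, and the CA path of a default assistant install; the live checks run only when WAZUH_RUN_CHECKS=1 so the helpers can be exercised offline.

```shell
# Added example, not from the Wazuh project. Checks ports, services and indexer
# health after Steps 2 and 3 on a single-server install.

# Pure helper: accept an OpenSearch _cluster/health JSON body when status is green
# or yellow. Yellow is normal on a single node, where replica shards cannot be placed.
indexer_health_ok() {
  status=$(printf '%s' "$1" | sed -n 's/.*"status" *: *"\([a-z]*\)".*/\1/p')
  case "$status" in
    green|yellow) return 0 ;;
    *) return 1 ;;
  esac
}

# Pure helper: true when the given port appears as a local listening socket in
# the `ss -ltn` output passed as the second argument.
port_listening() {
  printf '%s\n' "$2" | grep -Eq ":$1[[:space:]]"
}

live_checks() {
  user="${WAZUH_ADMIN_USER:-admin}"
  pass="${WAZUH_ADMIN_PASS:-admin}"
  listen=$(ss -ltn)
  # Ports from this guide: indexer REST/transport, agent events, enrollment, manager API.
  for p in 9200 9300 1514 1515 55000; do
    if port_listening "$p" "$listen"; then echo "port $p: listening"
    else echo "port $p: NOT listening"; fi
  done
  for svc in wazuh-indexer wazuh-manager filebeat; do
    if systemctl is-active --quiet "$svc"; then echo "$svc: active"
    else echo "$svc: NOT active"; fi
  done
  # Once the assistant's CA is in place, verify it instead of using -k (assumed path):
  #   --cacert /etc/wazuh-indexer/certs/root-ca.pem
  body=$(curl -sk -u "$user:$pass" https://127.0.0.1:9200/_cluster/health)
  if indexer_health_ok "$body"; then echo "indexer health: ok"
  else echo "indexer health: FAILED: $body"; fi
  # Filebeat's built-in connectivity test against its configured indexer output.
  filebeat test output
}

# Live checks need root and a running deployment; opt in explicitly.
if [ "${WAZUH_RUN_CHECKS:-0}" = "1" ]; then live_checks; fi
```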

The manager ships with a default configuration that includes over 3,000 detection rules, decoders for common log formats and active response scripts. These defaults provide immediate detection capability for most environments. Custom rules and decoders are added to separate files that persist across upgrades, keeping modifications isolated from the default rule set.

Step 4: Install the Wazuh Dashboard

The Wazuh dashboard provides the web interface for interacting with the platform. It displays security events, alert timelines, agent status, vulnerability reports, compliance assessments and system configuration through pre-built visualizations and interactive dashboards. It also provides management interfaces for agent enrollment, rule configuration and system settings.

Run the installation assistant with the dashboard flag on the designated node. The assistant installs the dashboard package based on OpenSearch Dashboards, configures it to connect to the indexer for data retrieval and the Wazuh manager API for management operations, deploys SSL certificates and starts the service.

After installation, the dashboard listens on port 443 by default, providing HTTPS access to the web interface. Open a browser and navigate to the server's IP address or hostname. The default login credentials are admin/admin, which you should change immediately through the dashboard's security settings. The initial view shows the security events overview with agent connection status, recent alerts and system health indicators.

Step 5: Deploy Wazuh Agents

Wazuh agents are lightweight processes installed on monitored endpoints that collect security data and forward it to the Wazuh server. Each agent monitors file integrity, collects system logs, runs vulnerability assessments, evaluates system configuration and detects rootkits on the host where it is installed.

Agent deployment can be initiated from the Wazuh dashboard or performed manually on each endpoint. The dashboard provides a deployment wizard that generates the correct installation command for each supported operating system, pre-configured with the server address and authentication credentials.

On Linux, agent installation uses the distribution's package manager. Add the Wazuh repository, install the wazuh-agent package, set the WAZUH_MANAGER environment variable to the server's IP address and start the agent service. The agent automatically registers with the server and begins forwarding events within seconds.
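The Linux agent steps above for a Debian/Ubuntu host, as an added example (not Wazuh's own installer): it assumes the 4.x apt repository and signing-key URL as published by Wazuh, the wazuh-agent systemd unit and the agentd state file under /var/ossec/var/run; MANAGER_IP is a placeholder. Installation runs only with WAZUH_DO_INSTALL=1, while the agent_connected helper can be exercised offline.

```shell
# Added example, not from the Wazuh project: enroll a Debian/Ubuntu host as a Wazuh
# agent and confirm it connected. Repository and key URLs are those Wazuh publishes
# for the 4.x line (confirm against the documentation for your version).
MANAGER_IP="${MANAGER_IP:-192.0.2.10}"   # constructed placeholder address

install_agent() {
  # Pin the repository to its own signing key instead of trusting the global keyring.
  curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH \
    | gpg --dearmor -o /usr/share/keyrings/wazuh.gpg
  echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \
    > /etc/apt/sources.list.d/wazuh.list
  apt-get update
  # WAZUH_MANAGER is read by the package's post-install step and written into ossec.conf.
  WAZUH_MANAGER="$MANAGER_IP" apt-get install -y wazuh-agent
  systemctl daemon-reload
  systemctl enable --now wazuh-agent
}

# Pure helper: given the contents of wazuh-agentd.state, report whether the agent
# has finished enrolling and currently holds a connection to the manager.
agent_connected() {
  printf '%s\n' "$1" | grep -Eq "^status='connected'"
}

check_agent() {
  state=$(cat /var/ossec/var/run/wazuh-agentd.state)
  if agent_connected "$state"; then
    echo "agent connected to $MANAGER_IP"
  else
    echo "agent not connected: check reachability of 1514/1515 and /var/ossec/logs/ossec.log"
    return 1
  fi
}

# Installing needs root and network access; opt in explicitly.
if [ "${WAZUH_DO_INSTALL:-0}" = "1" ]; then install_agent && check_agent; fi
```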

On Windows, download the MSI installer from the Wazuh documentation site or use the command generated by the dashboard wizard. The installer accepts the server address as a parameter, configures the agent and starts the service. The Windows agent monitors the Windows Event Log, including Security, System and Application channels, file integrity for critical system directories, and registry changes to sensitive keys.

On macOS, install the agent package, configure the server address in the agent configuration file and start the service. The macOS agent monitors system logs, file integrity, application installations and security-relevant configuration changes.

Step 6: Verify and Configure

After deploying agents, return to the Wazuh dashboard to confirm they appear in the agent list with an active status. Each agent should begin reporting events within minutes of connecting. The dashboard's Agents section shows detailed information about each agent, including operating system, IP address, agent version, last keep-alive timestamp and current status.

Review the Security Events dashboard to see initial alerts. Common early alerts include file integrity monitoring notifications for system updates, SSH authentication events on Linux servers, Windows logon events and configuration assessment findings. These alerts confirm that the detection pipeline is working end-to-end, from agent data collection through server processing to indexer storage and dashboard display.

Initial tuning focuses on reducing noise from expected events. If system updates regularly trigger file integrity alerts for package manager directories, create custom rules that either suppress or lower the severity of those specific events. If SSH brute-force detection rules fire on known management IP addresses, add those addresses to an exclusion list. The goal is to refine the alert stream so that security analysts can focus on events that genuinely require investigation.
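The two tuning cases above as an added example, not from the Wazuh project: a shell function that writes a local_rules.xml with a lower-severity FIM rule for package-manager paths and a level-0 exclusion for one management address, then a helper to confirm the rules landed. It assumes the built-in parent rule IDs 550/553/554 (syscheck change/delete/add) and 5712/5763 (sshd brute force) of a default 4.x rule set; 198.51.100.5 and the custom IDs 100010/100020 are constructed, the latter within the range Wazuh reserves for local rules.

```shell
# Added example, not from the Wazuh project: custom rules that reduce expected noise
# without dropping the underlying events from the pipeline.
write_local_rules() {
  cat > "$1" <<'EOF'
<group name="local,syscheck,">
  <!-- Package-manager state directories churn on every update: keep the event, lower the level. -->
  <rule id="100010" level="3">
    <if_sid>550,553,554</if_sid>
    <field name="file" type="pcre2">^/var/(lib/dpkg|lib/apt|cache/apt|lib/rpm|cache/dnf)/</field>
    <description>FIM change under a package-manager directory (expected during updates)</description>
  </rule>
</group>
<group name="local,sshd,">
  <!-- 198.51.100.5 is a constructed placeholder for the management host to exclude. -->
  <rule id="100020" level="0">
    <if_sid>5712,5763</if_sid>
    <srcip>198.51.100.5</srcip>
    <description>SSH brute-force detection excluded for the management host</description>
  </rule>
</group>
EOF
}

# Count rule IDs in the 100000-129999 local range so a deployment script can verify the file.
count_custom_rules() {
  grep -c '<rule id="1[0-2][0-9]\{4\}"' "$1"
}

# Writing to the live rules path needs root and a manager restart; opt in explicitly.
if [ "${WAZUH_APPLY_RULES:-0}" = "1" ]; then
  write_local_rules /var/ossec/etc/rules/local_rules.xml
  systemctl restart wazuh-manager
fi
```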

Turn on vulnerability detection by enabling the vulnerability detector module and configuring the Wazuh manager to download CVE databases. The module correlates the installed software versions reported by agents against known CVEs, giving continuous visibility into unpatched vulnerabilities on every monitored endpoint without separate scanning infrastructure.

Deployment Architecture Decisions

For environments with fewer than 100 agents, the single-server deployment, where the indexer, server and dashboard all run on one machine, is the simplest and most cost-effective option. This architecture requires one server with adequate resources, one backup job and one set of monitoring checks. It is sufficient for most small and mid-sized organizations and many departmental deployments within larger enterprises.

For environments with 100 to 1,000 agents, separating the indexer onto its own server provides meaningful performance benefits. The indexer's search and aggregation workload is CPU and memory intensive, and isolating it prevents indexing operations from competing with the server's event processing and agent management tasks. A two-server deployment with separate indexer and combined server-dashboard provides a good balance of performance and operational simplicity.

For environments exceeding 1,000 agents, a fully distributed deployment with multi-node indexer clusters, server clusters and dedicated dashboard nodes provides the scalability and redundancy that enterprise environments require. Wazuh's documentation covers cluster configuration in detail, including load balancing agent connections across server nodes and configuring indexer clusters with replication for data durability.

Key Takeaway

Wazuh's installation assistant automates most deployment tasks, but understanding the four-component architecture (indexer, server, dashboard and agents) is essential for capacity planning, troubleshooting and scaling your deployment as your monitoring needs grow.