Objective: Wazuh components and architecture
Wazuh Deployment Guide
The hardware requirements for your Wazuh deployment depend on the number of protected endpoints and cloud workloads. The following table outlines the recommended hardware specifications based on the number of agents:
For a quickstart deployment monitoring up to 100 endpoints for 90 days, it is recommended to deploy the Wazuh server, Wazuh indexer, and Wazuh dashboard on the same host.
For larger environments, Wazuh recommends a distributed deployment with a multi-node cluster configuration for the Wazuh server and indexer, providing high availability and load balancing.
Wazuh central components can be installed on a 64-bit Linux operating system. The following operating system versions are recommended:
- Amazon Linux 2
- CentOS 7, 8
- Red Hat Enterprise Linux 7, 8, 9
- Ubuntu 16.04, 18.04, 20.04, 22.04
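As an added example (not part of the Wazuh project or this guide), the following POSIX shell preflight check reads ID and VERSION_ID from os-release text and reports whether the host is on the recommended list above before the installation assistant is run. The function names and the sample os-release contents are constructed for illustration.

```shell
#!/bin/sh
# Preflight check (added example, not Wazuh's own code): decide whether an OS
# is on the recommended list for Wazuh central components.

# Returns 0 if the ID/VERSION_ID pair is on the recommended list, 1 otherwise.
# RHEL reports VERSION_ID like "9.2", so major-version prefixes are accepted.
wazuh_os_supported() {
    id="$1"
    ver="$2"
    case "$id" in
        amzn)   case "$ver" in 2) return 0 ;; esac ;;
        centos) case "$ver" in 7|8) return 0 ;; esac ;;
        rhel)   case "$ver" in 7*|8*|9*) return 0 ;; esac ;;
        ubuntu) case "$ver" in 16.04|18.04|20.04|22.04) return 0 ;; esac ;;
    esac
    return 1
}

# Extracts one key from os-release text passed as a string, stripping quotes.
# Usage: os_release_value KEY "$content"
os_release_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tr -d '"' | head -n 1
}

# Parses the os-release text, prints a verdict and returns 0/1 accordingly.
wazuh_preflight() {
    content="$1"
    id=$(os_release_value ID "$content")
    ver=$(os_release_value VERSION_ID "$content")
    if wazuh_os_supported "$id" "$ver"; then
        echo "supported: $id $ver"
        return 0
    fi
    echo "unsupported: $id $ver"
    return 1
}

# Constructed sample os-release contents so the script runs stand-alone;
# on a real host you would pass "$(cat /etc/os-release)" instead.
SAMPLE_UBUNTU='NAME="Ubuntu"
VERSION_ID="22.04"
ID=ubuntu'
SAMPLE_DEBIAN='NAME="Debian GNU/Linux"
VERSION_ID="12"
ID=debian'

wazuh_preflight "$SAMPLE_UBUNTU"
wazuh_preflight "$SAMPLE_DEBIAN" || true
```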
The Wazuh dashboard is compatible with the following web browsers:
- Chrome 95 or later
- Firefox 93 or later
- Safari 13.7 or later
Chromium-based browsers might also work, but Internet Explorer 11 is not supported.
To install Wazuh, follow these steps:
1. Download and run the Wazuh installation assistant using the following command:
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
2. Once the installation assistant completes the installation, the output will display access credentials and a confirmation message indicating a successful installation.
INFO: --- Summary ---
INFO: You can access the web interface https://<wazuh-dashboard-ip>
INFO: Installation finished.
3. Access the Wazuh web interface using the provided URL (https://) and login credentials:
- Username: admin
- Password: <ADMIN_PASSWORD>
Congratulations! You have successfully installed and configured Wazuh.
There are three main components in Wazuh:
- Wazuh server
- Wazuh indexer
- Wazuh dashboard
How to install Wazuh on the server side:
The Wazuh indexer is a highly scalable, full-text search and analytics engine. This Wazuh central component indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. The Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability.
Wazuh uses four different indices to store different event types:
- wazuh-alerts: Stores alerts generated by the Wazuh server. These are created each time an event trips a rule with a high enough priority (this threshold is configurable).
- wazuh-archives: Stores all events (archive data) received by the Wazuh server, whether or not they trip a rule.
- wazuh-monitoring: Stores data related to the Wazuh agent status over time. It is used by the web interface to represent when individual agents are or have been Active, Disconnected, or Never connected.
- wazuh-statistics: Stores data related to the Wazuh server performance. It is used by the web interface to represent the performance statistics.
The Wazuh server component analyzes the data received from the agents, triggering alerts when threats or anomalies are detected. It is also used to manage the agents' configuration remotely and to monitor their status.
The Wazuh dashboard is a flexible and intuitive web user interface for mining, analyzing, and visualizing security events and alerts data.
The Wazuh agent runs on Linux, Windows, macOS, Solaris, AIX, and other operating systems. It can be deployed to laptops, desktops, servers, cloud instances, containers, or virtual machines.