Install Wazuh server from sources

This guide describes how to install the manager and API from source code. In addition, for distributed architectures, you will find some guidance on how to install Filebeat.


Many of the commands described below need to be executed with root user privileges.

Installing Wazuh manager

  1. Install development tools and compilers. In Linux this can easily be done using your distribution’s package manager:

  1. For RPM-based distributions:

$ sudo yum install make gcc git

# If you want to use Auth, also install:
$ sudo yum install openssl-devel
  1. For Debian-based distributions:

$ sudo apt-get install gcc make git libc6-dev curl

# If you want to use Auth, also install:
$ sudo apt-get install libssl-dev
  1. Download and extract the latest version:

$ curl -Ls | tar zx
  1. Run the script, this will display a wizard that will guide you through the installation process using the Wazuh sources:

$ cd wazuh-*
$ sudo ./
  1. The script will ask about what kind of installation you want. Type server to install Wazuh Manager:

1- What kind of installation do you want (server, agent, local, hybrid or help)? server
  1. Start the services using this command:

$ sudo /var/ossec/bin/ossec-control start

Installing Wazuh API

  1. NodeJS >= 4.6.1 is required in order to run the Wazuh API. If you do not have NodeJS installed or your version is older than 4.6.1, we recommend you add the official repository as this has more recent versions.

  1. For RPM-based distributions:

$ curl --silent --location | bash -
$ sudo yum -y install nodejs
  1. For Debian-based distributions:

$ curl -sL | sudo -E bash -
$ sudo apt-get install -y nodejs
  1. Download and execute the installation script:

$ curl -s -o && bash ./ download
  1. Python >= 2.7 is required in order to run the API. It is installed by default or included in the official repositories of most Linux distributions. It is possible to set a custom Python path for the API to use, in /var/ossec/api/configuration/config.js:

config.python = [
    // Default installation
        bin: "python",
        lib: ""
    // Package 'python27' for CentOS 6
        bin: "/opt/rh/python27/root/usr/bin/python",
        lib: "/opt/rh/python27/root/usr/lib64"

CentOS 6 and Red Hat 6 come with Python 2.6, you can install Python 2.7 in parallel maintaining older version:

  1. For CentOS 6:

$ sudo yum install -y centos-release-scl
$ sudo yum install -y python27
  1. For RHEL 6:

$ sudo yum install python27

# You may need to first enable a repository in order to get python27, with a command like this:
#   sudo yum-config-manager --enable rhui-REGION-rhel-server-rhscl
#   sudo yum-config-manager --enable rhel-server-rhscl-6-rpms


You can also run an unattended installation of the Wazuh manager and API.

Installing Filebeat

While Filebeat can be installed from source (see this doc), the process is more complex than you may like, and it is beyond the scope of Wazuh documentation. We recommend installing Filebeat via repository package, otherwise, you can install it from a binary tarball, that’s should work for any Linux distro. See more here.


In a single-host architecture (where Wazuh server and Elastic Stack are installed in the same system), you may entirely skip installing Filebeat, since Logstash will be able to read the event/alert data directly from the local filesystem without the assistance of a forwarder.

Next steps

Once you have installed the manager, API and Filebeat (only needed for distributed architectures), you are ready to install Elastic Stack.