Wazuh Manager

This role installs and configures Wazuh Manager and Wazuh API. Several variables let you customize the installation or configuration, for example:

  • json_output: enables or disables JSON output (default: yes)

  • email_notification: enables email notifications (default: no)

  • mail_to: email notification recipients (array, default: admin@example.net)

  • mail_smtp_server: SMTP server used for email notifications (default: localhost)

  • mail_from: email notification sender (default: ossec@example.com)

To use this role, create a YAML playbook file, wazuh-manager.yml:

- hosts: wazuh-manager
  roles:
    - ansible-wazuh-manager
    - ansible-role-filebeat

Setting the variables in a separate YAML file is recommended when configuring the installation. For this example we used vars-production.yml:

filebeat_output_logstash_hosts: ''

wazuh_manager_fqdn: "wazuh-server"

wazuh_manager_config:
  json_output: 'yes'
  alerts_log: 'yes'
  logall: 'no'
  log_format: 'plain'
  connection:
    - type: 'secure'
      port: '1514'
      protocol: 'tcp'
  authd:
    enable: true
    port: 1515
    use_source_ip: 'no'
    force_insert: 'no'
    force_time: 0
    purge: 'no'
    use_password: 'no'
    ssl_agent_ca: null
    ssl_verify_host: 'no'
    ssl_manager_cert: null
    ssl_manager_key: null
    ssl_auto_negotiate: 'no'

You can configure Wazuh API user credentials in the file ansible-wazuh-manager/vars/wazuh_api_creds.yml, located on your Ansible control server. The credentials are in htpasswd format:

# Be sure you encrypt this file with ansible-vault
- foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/
- bar:$apr1$hXE97ag.$8m0koHByattiGKUKPUgcZ1

You can also configure agentless host credentials in the file ansible-wazuh-manager/vars/agentless_creeds.yml; add as many entries as you need:

# Be sure you encrypt this file with ansible-vault.
 - type: ssh_integrity_check_linux
   frequency: 3600
   host: root@example1.net
   state: periodic
   arguments: '/bin /etc/ /sbin'
   passwd: qwerty
 - type: ssh_integrity_check_bsd
   frequency: 3600
   host: user@example2.net
   state: periodic
   arguments: '/bin /etc/ /sbin'
   passwd: qwerty

The authd service password can be set in the file ansible-wazuh-manager/vars/authd_pass.yml:

# Be sure you encrypt this file with ansible-vault
authd_pass: foobar


We recommend the use of Ansible Vault to protect Wazuh API and agentless credentials.
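
The recommendation above can be enforced with a pre-flight check before each run. The shell functions below are an added example, not part of the Wazuh role; the function names and the directory argument are assumptions. They report any of the three credential files named on this page that does not start with the Ansible Vault header.

```shell
#!/bin/sh
# Added example (not part of the role): find credential files that are still
# plaintext, so the playbook run can be stopped before they are used.
# Encrypt a reported file with:  ansible-vault encrypt <file>

# Credential file names exactly as written on this page.
CRED_FILES="wazuh_api_creds.yml agentless_creeds.yml authd_pass.yml"

# is_vaulted FILE
# Returns 0 if FILE starts with an Ansible Vault header, 1 if it does not,
# 2 if it cannot be read.
is_vaulted() {
    [ -r "$1" ] || return 2
    first_line=
    # read fails on a file with no trailing newline but still fills the variable
    IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;   # matches any vault format version
        *) return 1 ;;
    esac
}

# unvaulted_files DIR
# DIR is assumed to be the role's vars directory (ansible-wazuh-manager/vars).
# Prints every credential file present in DIR that is not vault-encrypted and
# returns 1 if at least one was printed, 0 otherwise.
unvaulted_files() {
    dir=$1
    found=0
    for name in $CRED_FILES; do
        path="$dir/$name"
        [ -e "$path" ] || continue        # file not used in this deployment
        if ! is_vaulted "$path"; then
            printf '%s\n' "$path"
            found=1
        fi
    done
    return "$found"
}
```

Call `unvaulted_files ansible-wazuh-manager/vars` and stop if it returns non-zero. Once the files are encrypted, add `--ask-vault-pass` to the ansible-playbook command so the vault can be decrypted at run time.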

Next, run the playbook:

$ ansible-playbook wazuh-manager.yml -e@vars-production.yml

The example above installs Wazuh Manager and Filebeat. Filebeat is configured to forward data to a Logstash node. The playbook also sets various agentless host configurations, including their credentials, and configures the Wazuh API and authd.

Please review the references section to see all variables available for this role.