Install Wazuh server from sources

This guide describes how to install the manager and API from source code. In addition, for distributed architectures, you will find some guidance on how to install Filebeat.


Many of the commands described below need to be executed with root user privileges.

Installing Wazuh manager

  1. Install development tools and compilers. In Linux this can easily be done using your distribution's package manager:

  1. For RPM-based distributions:

# yum install make gcc git
  1. For Debian-based distributions:

# apt-get install gcc make git libc6-dev curl
  1. Download and extract the latest version:

$ curl -Ls | tar zx
  1. Run the script, this will display a wizard that will guide you through the installation process using the Wazuh sources:

# cd wazuh-*
# ./
  1. The script will ask about what kind of installation you want. Type manager to install Wazuh Manager:

1- What kind of installation do you want (manager, agent, local, hybrid or help)? manager
  1. The installer asks if you want to start Wazuh at the end of the installation. If you have chosen not to start automatically, you can do it with:

# /var/ossec/bin/ossec-control start

If you want to check that it has started

$ /var/ossec/bin/ossec-control status

Installing Wazuh API

  1. NodeJS >= 4.6.1 is required in order to run the Wazuh API. If you do not have NodeJS installed or your version is older than 4.6.1, we recommend you add the official repository as this has more recent versions.

  1. For RPM-based distributions:

# curl --silent --location | bash -
# yum -y install nodejs
  1. For Debian-based distributions:

# curl -sL | sudo -E bash -
# apt-get install -y nodejs
  1. Download and execute the installation script:

# curl -s -o && bash ./ download
  1. Python >= 2.7 is required in order to run the API. It is installed by default or included in the official repositories of most Linux distributions. It is possible to set a custom Python path for the API to use, in /var/ossec/api/configuration/config.js:

config.python = [
    // Default installation
        bin: "python",
        lib: ""
    // Package 'python27' for CentOS 6
        bin: "/opt/rh/python27/root/usr/bin/python",
        lib: "/opt/rh/python27/root/usr/lib64"

CentOS 6 and Red Hat 6 come with Python 2.6, you can install Python 2.7 in parallel maintaining older version:

  1. For CentOS 6:

# yum install -y centos-release-scl
# yum install -y python27
  1. For RHEL 6:

# yum install python27

You may need to first enable a repository in order to get python27, with a command like this:

#   yum-config-manager --enable rhui-REGION-rhel-server-rhscl
#   yum-config-manager --enable rhel-server-rhscl-6-rpms


You can also run an unattended installation for the Wazuh manager and API.

Installing Filebeat

While Filebeat can be installed from source (see this doc), the process is more complex than you may like, and it is beyond the scope of Wazuh documentation. We recommend installing Filebeat via repository package, otherwise, you can install it from a binary tarball, that's should work for any Linux distro. See more here.


In a single-host architecture (where Wazuh server and Elastic Stack are installed in the same system), you may entirely skip installing Filebeat, since Logstash will be able to read the event/alert data directly from the local filesystem without the assistance of a forwarder.

Next steps

Once you have installed the manager, API and Filebeat (only needed for distributed architectures), you are ready to install Elastic Stack.