Setting up Wazuh involves the installation of two central components: the Wazuh server and Elastic Stack. In addition, Wazuh agents are deployed to the monitored hosts in your environment:
- Wazuh server: Runs the Wazuh manager and API. It collects and analyzes data from deployed agents.
- Elastic Stack: Runs the Elasticsearch engine, Filebeat and Kibana (including the Wazuh app). It reads, parses, indexes, and stores alert data generated by the Wazuh manager.
- Wazuh agent: Runs on the monitored host, collecting system log and configuration data and detecting intrusions and anomalies. It communicates with the Wazuh manager, forwarding the collected data to it for further analysis.
Distributed architectures run the Wazuh manager and Elastic Stack cluster (one or more servers) on different hosts. Single-host architectures run the Wazuh manager and Elastic Stack on the same system. This guide covers both installation options.
The diagrams below list the components that are run per host for single-host and distributed architectures.
Before installing the components, confirm that a time synchronization service is configured and that the clock is actually synchronized on each of your servers; this is most commonly done with NTP. Clocks that drift between the Wazuh manager and the Elastic Stack host produce alert timestamps that do not line up, which complicates correlation and investigation. For NTP setup instructions, see the guides for Debian/Ubuntu or CentOS/RHEL/Fedora.
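A pre-flight check for the time synchronization requirement above, written as an added example (not part of the Wazuh documentation or the Wazuh project's own tooling). It parses the key=value output of `timedatectl show` on systemd hosts and distinguishes "NTP enabled" from "clock actually synchronized", since only the latter satisfies the requirement. The sample outputs are constructed for the example, and the `time_sync_state` function name is this example's own choice; on hosts without systemd, substitute the output of `chronyc tracking` or `ntpq -p` and adapt the match.

```shell
#!/bin/sh
# Pre-install time-sync check for Wazuh hosts (added example, not project code).
# Classifies `timedatectl show` output into one of three states:
#   synced             -> NTPSynchronized=yes  (return 0: requirement met)
#   enabled-not-synced -> NTP=yes but not yet synchronized (return 1)
#   disabled           -> NTP service not enabled at all   (return 2)
# The output is passed as an argument so the logic can be exercised offline.
time_sync_state() {
    out=$1
    if printf '%s\n' "$out" | grep -q '^NTPSynchronized=yes$'; then
        echo synced
        return 0
    elif printf '%s\n' "$out" | grep -q '^NTP=yes$'; then
        echo enabled-not-synced
        return 1
    else
        echo disabled
        return 2
    fi
}

# Human-readable verdict; exit status mirrors time_sync_state.
report_time_sync() {
    state=$(time_sync_state "$1")
    case $state in
        synced)
            echo "OK: clock is synchronized via NTP"
            return 0 ;;
        enabled-not-synced)
            echo "WARNING: NTP is enabled but the clock is not synchronized yet" >&2
            return 1 ;;
        *)
            echo "ERROR: no NTP service enabled; configure one before installing Wazuh" >&2
            return 2 ;;
    esac
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_SYNCED='Timezone=Etc/UTC
LocalRTC=no
CanNTP=yes
NTP=yes
NTPSynchronized=yes
TimeUSec=Mon 2020-01-06 10:00:00 UTC'

SAMPLE_ENABLED_NOT_SYNCED='Timezone=Etc/UTC
LocalRTC=no
CanNTP=yes
NTP=yes
NTPSynchronized=no
TimeUSec=Mon 2020-01-06 10:00:00 UTC'

SAMPLE_DISABLED='Timezone=Etc/UTC
LocalRTC=no
CanNTP=yes
NTP=no
NTPSynchronized=no
TimeUSec=Mon 2020-01-06 10:00:00 UTC'

# On a live systemd host, check the real output; skipped elsewhere so the
# script still runs on systems without timedatectl.
if command -v timedatectl >/dev/null 2>&1; then
    report_time_sync "$(timedatectl show 2>/dev/null)" || true
fi
```

Run it on each server before proceeding; only the `synced` state means the clock is being disciplined. A host that reports `enabled-not-synced` right after boot usually needs a minute for the first sync, but if it stays in that state, check that the configured NTP servers are reachable.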
- Installing Wazuh server
- Installing Elastic Stack
- Installing Wazuh agent
- Installing Splunk
- Install Splunk in single-instance mode
- Installing & Configuring Splunk Cluster
- Install the Wazuh app for Splunk
- Install and configure Splunk Forwarder
- Setting up reverse proxy configuration for Splunk
- Customize agents status indexation
- Virtual machine
- Packages list
- Compatibility matrix
- Securing the Wazuh API