Setting up Wazuh involves the installation of two central components: the Wazuh server and Elastic Stack. In addition, Wazuh agents are deployed to the monitored hosts in your environment:
Wazuh server: Runs the Wazuh manager and API. It collects and analyzes data from deployed agents.
Elastic Stack: Runs the Elasticsearch engine, Filebeat and Kibana (including the Wazuh app). It reads, parses, indexes, and stores alert data generated by the Wazuh manager.
Wazuh agent: Runs on the monitored host, collecting system log and configuration data and detecting intrusions and anomalies. It communicates with the Wazuh manager, forwarding the collected data to it for further analysis.
Distributed architectures run the Wazuh manager and Elastic Stack cluster (one or more servers) on different hosts. Single-host architectures run the Wazuh manager and Elastic Stack on the same system. This guide covers both installation options.
The diagrams below list the components that run on each host in single-host and distributed architectures.