Wazuh provides a pre-built virtual machine image (OVA) that you can directly import using VirtualBox (where installed) and other OVA compatible virtualization systems.
This VM only runs on 64-bit systems and is recommended for use in testing and small working environments. It can be a useful tool for proofs of concept and labs. Multi-node Wazuh and Elastic Stack clusters are usually a better fit for production environments where higher performance is required. This appliance use OSS versions of Elasticsearch, Filebeat and Kibana. Make sure to use the corresponding OSS packages for possible future upgrades.
Download the virtual appliance (OVA) which contains the following components:
Wazuh API 3.13.2
Elasticsearch OSS 7.9.1
Filebeat OSS 7.9.1
Kibana OSS 7.9.1
Wazuh Kibana plugin 3.13.2-7.9.1
Import the OVA in your virtualization platform and run the virtual machine. The root password is “wazuh” and the username/password for the Wazuh API is “foo/bar”.
Although you don’t need to change any Elastic Stack configuration settings, feel free to explore the options. You can find Elasticsearch installed in
/usr/share/elasticsearch. Similarly, Filebeat is installed in
/usr/share/filebeatand its configuration file is found in
In case of using VirtualBox, once the virtual machine is imported it may run into issues caused by time skew when VirtualBox synchronizes the time of the guest machine. To prevent this situation it is recommended to enable the
Hardware Clock in UTC Timeoption on the
Systemtab of the virtual machine’s settings.
The Wazuh manager and the Elastic Stack included in this virtual image are configured to work out of the box. The next step of the process is to deploy the Wazuh agents on the systems you intend to monitor. Once installed, connect them to your virtual appliance. More documentation can be found at:
By default the network interface type is bridge. The VM will try to get an IP address from the network’s DHCP server. Alternatively, a static IP address can be set by configuring the proper network files on the CentOS operating system that the virtual machine is based on.
You can start and stop wazuh-manager, wazuh-api, elasticsearch, filebeat, and kibana with the ‘systemctl’ command. For example:
# systemctl restart wazuh-manager # systemctl restart wazuh-api # systemctl stop elasticsearch # systemctl start filebeat # systemctl status kibana
In order to connect to the Kibana web user interface, login with
OVA_IP_ADDRESSis your system IP).
If you need further information, check out our article on how to update your OVA virtual machine. We also recommend updating the repositories using the