Setting up Wazuh involves the installation of two central components: the Wazuh server and Elastic Stack. In addition, Wazuh agents are deployed to the monitored hosts in your environment:
Wazuh server: Runs the Wazuh manager, API and Filebeat (Filebeat is only necessary in distributed architecture). It collects and analyzes data from deployed agents.
Elastic Stack: Runs the Elasticsearch engine, Logstash server and Kibana (including the Wazuh App). It reads, parses, indexes, and stores alert data generated by the Wazuh server.
Wazuh agent: Runs on the monitored host, collecting system log and configuration data and detecting intrusions and anomalies. It talks with the Wazuh server to which it forwards collected data for further analysis.
Distributed architectures run the Wazuh server and Elastic Stack cluster (one or more servers) on different hosts. Single-host architectures run the Wazuh server and Elastic Stack on the same system. This guide covers both installation options.
The diagrams below list the components that are run per host for single-host and distributed architectures.
Before installing the components, please confirm that the time synchronization service is configured and working on your servers. This is most commonly done with NTP. For more information, go to Debian/Ubuntu or CentOS/RHEL/Fedora.
- Installing Wazuh server
- Installing Elastic Stack
- Installing Splunk
- Installing Wazuh agent
- Optional configurations
- Upgrading Wazuh
- Virtual Machine
- Packages List
- Compatibility matrix