Install Wazuh server from sources

This guide describes how to install the manager and API from source code. In addition, for distributed architectures, you will find some guidance on how to install Filebeat.


Many of the commands described below need to be executed with root user privileges.

Installing Wazuh manager

  1. Install the development tools and compilers. In Linux, this can easily be done using your distribution's package manager:

  1. For RPM-based distributions:

# yum install make gcc policycoreutils-python automake autoconf libtool
  1. For Debian-based distributions:

# apt-get install python gcc make libc6-dev curl policycoreutils automake autoconf libtool
  1. Download and extract the latest version:

# curl -Ls | tar zx
  1. Run the script. This will display a wizard to guide you through the installation process using the Wazuh sources:


If you want to enable the database output, check out this section before running the installation script.

# cd wazuh-*
# ./


Since Wazuh 3.5 it is necessary to have internet connection when following this step.

  1. When the script asks what kind of installation you want, type manager to install the Wazuh Manager:

1- What kind of installation do you want (manager, agent, local, hybrid or help)? manager
  1. The installer asks if you want to start Wazuh at the end of the installation. If you chosen not to, you can start it later with:

  1. For Systemd:

# systemctl start wazuh-manager
  1. For SysV Init:

# service wazuh-manager start

If you want to confirm that it started:

  1. For Systemd:

# systemctl status wazuh-manager
  1. For SysV Init:

# service wazuh-manager status

Installing Wazuh API

  1. NodeJS >= 4.6.1 is required in order to run the Wazuh API. If you do not have NodeJS installed or your version is older than 4.6.1, we recommend you add the official repository as this has more recent versions.

  1. For RPM-based distributions:

# curl --silent --location | bash -
# yum -y install nodejs
  1. For Debian-based distributions:

# curl -sL | sudo -E bash -
# apt-get install -y nodejs


If you are using Ubuntu 12.04 (Precise) or Debian 7 (Wheezy) you must install NodeJS 6 using the command below: # curl -sL | bash -

For more information, see the Official guide to install NodeJS.

  1. Download and execute the installation script:

# curl -s -o && bash ./ download
  1. Python >= 2.7 is required in order to run the API. It is installed by default or included in the official repositories of most Linux distributions.

It is possible to set a custom Python path for the API in /var/ossec/api/configuration/config.js, in case the stock version of Python in your distro is too old:

config.python = [
    // Default installation
        bin: "python",
        lib: ""
    // Package 'python27' for CentOS 6
        bin: "/opt/rh/python27/root/usr/bin/python",
        lib: "/opt/rh/python27/root/usr/lib64"

CentOS 6 and Red Hat 6 come with Python 2.6, however, you can install Python 2.7 in parallel and still maintain the older version(s):

  1. For CentOS 6:

# yum install -y centos-release-scl
# yum install -y python27
  1. For RHEL 6:

# yum install python27

You may need to first enable a repository in order to get python27, with a command like this:

#   yum-config-manager --enable rhui-REGION-rhel-server-rhscl
#   yum-config-manager --enable rhel-server-rhscl-6-rpms


You can also run an unattended installation for the Wazuh manager and API.

Installing Filebeat

While Filebeat can be installed from sources (see this doc), the process is more complex than you may like and it is beyond the scope of Wazuh documentation. We recommend installing Filebeat via repository package, otherwise, you can install it from a binary tarball that should work for any Linux distro. See more here.


In a single-host architecture (where Wazuh server and Elastic Stack are installed in the same system), the installation of Filebeat is not needed since Logstash will be able to read the event/alert data directly from the local filesystem without the assistance of a forwarder.

Next steps

Once you have installed the manager, API and Filebeat (only needed for distributed architectures), you are ready to install Elastic Stack.