Install Wazuh app for Splunk

Wazuh app for Splunk offers a UI to visualize Wazuh alerts and Wazuh API data. Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.


  1. Download the latest Splunk app for Wazuh:

# curl -o SplunkAppForWazuh.tar.gz
  1. Install the Splunk app for Wazuh:

  1. CLI mode:

# /opt/splunk/bin/splunk install app SplunkAppForWazuh.tar.gz
# /opt/splunk/bin/splunk restart
  1. Web GUI:

Apps -> Manage apps -> Install app from file

The app includes the indexes.conf file to create Wazuh indexes and the inputs.conf file to listen to forwarded data on port 9997.


If you installed Splunk using the distributed architecture, these two files are already configured on the search peer instances, and must be removed from the Wazuh app installation directory:

# rm -rf /opt/splunk/etc/apps/SplunkAppForWazuh/default/indexes.conf
# rm -rf /opt/splunk/etc/apps/SplunkAppForWazuh/default/inputs.conf
# /opt/splunk/bin/splunk restart
  1. Open Splunk in your desired browser and click on the Wazuh app icon:

  1. The app will redirect you to the Settings tab, where you need to fill in the form with your Wazuh API credentials. Use the URL and port from your Wazuh API server.

By default, the API port is 55000. The default username and password is foo:bar. It's possible to check the connection by pressing the Check connection button on each API entry. A successful message appears on the bottom right corner if the app can estabilish a connection.


You can get more information about how to set up the credentials at Securing the Wazuh API.

Now that you've finished installing Splunk app for Wazuh, you can install and setup Splunk forwarders on the next section.