Installation guide

This document will guide you through the Wazuh installation process. For interactive help, our email forum is available. You can subscribe to this forum by sending an email to Wazuh subscribe.

Setting up Wazuh involves the installation of two central components: the Wazuh server and Elastic Stack. In addition, Wazuh agents are deployed to the monitored hosts in your environment:

  • Wazuh server: Runs the Wazuh manager and API. It collects and analyzes data from deployed agents.

  • Elastic Stack: Runs the Elasticsearch engine, Filebeat and Kibana (including the Wazuh app). It reads, parses, indexes, and stores alert data generated by the Wazuh manager.

  • Wazuh agent: Runs on the monitored host, collecting system log and configuration data and detecting intrusions and anomalies. It communicates with the Wazuh manager, to which it forwards collected data for further analysis.

Distributed architectures run the Wazuh manager and Elastic Stack cluster (one or more servers) on different hosts. Single-host architectures run the Wazuh manager and Elastic Stack on the same system. This guide covers both installation options.

The diagrams below list the components that are run per host for single-host and distributed architectures.

Single-host architecture:

Distributed architecture:

Note

Before installing the components, please confirm that the time synchronization service is configured and working on your servers. This is most commonly done with NTP. For more information, go to Debian/Ubuntu or CentOS/RHEL/Fedora.
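
One way to confirm the time synchronization requirement from the note above on each server before installing, as an added example that is not part of the Wazuh documentation. The function names, the 1-second offset limit and the sample output are assumptions of this example.

```shell
#!/bin/sh
# Added example: confirm the clock is synchronized before installing components.
# Function names and the 1-second offset limit are assumptions of this example.
MAX_OFFSET_SECONDS=1

# Classify `timedatectl show` output read from stdin.
classify_timedatectl() {
    awk -F= '
        $1 == "NTPSynchronized" { state = ($2 == "yes") ? "synced" : "unsynced" }
        END { if (state == "") state = "unknown"; print state }'
}

# Classify `chronyc tracking` output read from stdin: synced only when chrony
# reports a leap status other than "Not synchronised" and a small clock offset.
classify_chrony() {
    awk -v max="$MAX_OFFSET_SECONDS" '
        /^System time/ { offset = $4 + 0; seen_offset = 1 }
        /^Leap status/ { seen_leap = 1; if ($0 ~ /Not synchronised/) bad = 1 }
        END {
            if (!seen_leap || !seen_offset) state = "unknown"
            else if (bad || offset >= max) state = "unsynced"
            else state = "synced"
            print state
        }'
}

# Query the local host; returns 0 only when a tool reports a synchronized clock.
preinstall_time_check() {
    state=unknown
    if command -v chronyc >/dev/null 2>&1; then
        state=$(chronyc tracking 2>/dev/null | classify_chrony)
    fi
    if [ "$state" = unknown ] && command -v timedatectl >/dev/null 2>&1; then
        state=$(timedatectl show 2>/dev/null | classify_timedatectl)
    fi
    echo "time synchronization: $state"
    [ "$state" = synced ]
}

# Constructed sample: chronyd running but not yet locked to a time source.
SAMPLE_CHRONY_UNSYNCED='Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised'

printf '%s\n' "$SAMPLE_CHRONY_UNSYNCED" | classify_chrony   # prints: unsynced
```

Run `preinstall_time_check` on the Wazuh server, each Elastic Stack node and the agent hosts; a non-zero return means alert timestamps from that host would not line up with the others until its time service is fixed.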