Wazuh installation involves two central components, the Wazuh server, and Elastic Stack. In addition, Wazuh agents will need to be deployed to the monitored hosts in your environment:
- Wazuh server: Runs the Wazuh manager, API and Filebeat (only necessary in distributed architecture). Collects and analyzes data from deployed agents.
- Elastic Stack: Runs the Elasticsearch engine, Logstash server and Kibana (including the Wazuh App). It reads, parses, indexes, and stores alert data generated by the Wazuh server.
- Wazuh agent: Runs on the monitored host, collecting system log and configuration data, and detecting intrusions and anomalies. It talks with the Wazuh server, to which it forwards collected data for further analysis.
Distributed architectures do run the Wazuh server and Elastic Stack cluster (one or more servers) on different hosts. On the other hand, single-host architectures have Wazuh server and Elastic Stack installed in the same system. This guide covers both installation options.
The diagrams below list the components that are run per host, both for single-host and distributed architectures.
Before installing the components please confirm time synchronization service is configured and working on your servers. This is most commonly done with NTP. More info for Debian/Ubuntu and CentOS/RHEL/Fedora.