Architecture

The Wazuh architecture is composed of a multi-platform Wazuh agent and three central components: the Wazuh manager, the Wazuh indexer, and the Wazuh dashboard.

  • The Wazuh agent is deployed on endpoints to collect and forward security data to the Wazuh manager, where it is transformed and enriched.

  • The Wazuh manager transforms data received from Wazuh agents into standardized schema documents. It decodes and enriches the data with threat intelligence, then forwards the processed output to the Wazuh indexer and other configured destinations.

  • The Wazuh indexer is a highly scalable, full-text search and analytics engine. It serves as the central data store for the Wazuh platform, indexing and storing security alerts, events, vulnerability data, and system inventory generated by Wazuh agents. The Wazuh indexer includes a set of purpose-built plugins that provide access control, reporting, and content management capabilities including rules, decoders, integrations, key-value databases (KVDBs), and Indicators of Compromise (IoCs). It provides near real-time search and analytics capabilities, enabling security teams to investigate threats, monitor compliance, and gain visibility into their infrastructure.

  • The Wazuh dashboard queries the indexed data from the Wazuh indexer. It provides the user interface for configuring the Wazuh manager and visualizing analyzed security data. It also supports the management of the Wazuh agent configuration, health status, notifications, and alerting integrations.

Wazuh also supports agentless monitoring for systems and devices where installing the Wazuh agent is not possible. Network devices such as firewalls, switches, routers, and access points can actively forward log data via SSH or via an API.

The Wazuh central components can be deployed in different ways, depending on scalability and availability needs:

  • All-in-one deployment: All Wazuh components (manager, indexer, and dashboard) are installed on a single server. This deployment is best suited for labs and small environments with a limited number of monitored endpoints.

  • Single-node deployment: The Wazuh manager, Wazuh indexer, and Wazuh dashboard are each deployed on separate servers. Recommended for medium environments that require higher performance than an all-in-one setup.

  • Multi-node deployment: Typically, one instance of the Wazuh dashboard and multiple instances of the Wazuh manager (Wazuh manager cluster) and Wazuh indexer (Wazuh indexer cluster) are deployed, each on its own server. The number of instances varies depending on your needs. This deployment is recommended for large environments with high event throughput, or when fault tolerance and high availability are required.

Visit the installation guide to learn how to deploy the Wazuh central components and the Wazuh agent.

The diagram below represents a Wazuh deployment architecture. It shows how the Wazuh manager and the Wazuh indexer nodes can be configured as clusters, providing load balancing and high availability.

[Figure: Deployment architecture]

Component communication

Wazuh agent - Wazuh manager

The Wazuh agent continuously sends events to the Wazuh manager, where they are transformed and enriched by the normalization engine. To start shipping this data, the Wazuh agent establishes a secure connection with the Wazuh manager's agent connection service, which listens on TCP port 1514 by default (this is configurable).

The Wazuh messages protocol uses AES encryption by default, with 128 bits per block and 256-bit keys.

Wazuh manager - Wazuh indexer

The Wazuh manager communicates with the Wazuh indexer by forwarding alerts and event data for indexing and storage. It uses SSL certificates to encrypt communications between the Wazuh manager and indexer. The indexer connector reads the Wazuh manager output data and sends it to the Wazuh indexer (by default listening on TCP port 9200).

The Wazuh indexer receives this data and handles indexing, storage, and search operations. This enables efficient querying, correlation, and near real-time analytics, which are later consumed by the Wazuh dashboard for visualization and alerting.

Wazuh dashboard - Wazuh manager/Wazuh indexer

The Wazuh dashboard queries the Wazuh manager API (by default listening on TCP port 55000) to display configuration and status-related information of the Wazuh manager and Wazuh agents. This communication is encrypted with SSL certificates and authenticated with a username and password.

The Wazuh dashboard communicates with the Wazuh indexer to query and retrieve indexed security data for visualization and analysis. It uses secure HTTPS connections to interact with the Wazuh indexer RESTful API, sending search, aggregation, and management queries. The Wazuh indexer processes these requests and returns the relevant data, which the dashboard then renders.

Required ports

Wazuh components communicate using several services, each using specific default ports. The list of these ports is shown below, and users can modify them as required.

Component        Port       Protocol        Purpose
Wazuh manager    1514       TCP (default)   Agent connection service
                 1514       UDP (optional)  Agent connection service (disabled by default)
                 1515       TCP             Agent enrollment service
                 1516       TCP             Wazuh cluster daemon
                 55000      TCP             Wazuh manager RESTful API
Wazuh indexer    9200       TCP             Wazuh indexer RESTful API
                 9300-9400  TCP             Wazuh indexer cluster communication
Wazuh dashboard  443        TCP             Wazuh web user interface
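The deployment types and the port table above together define which sockets a given Wazuh host should expose. The following audit script is an added example, not part of the Wazuh documentation or code base: it encodes the page's default ports per component, derives the expected set from the roles installed on a host (an all-in-one host runs all three), and compares that against `ss -lntu` output (the sample below is constructed, not captured from a real host), reporting missing services, listeners outside the documented set, and whether the optional 1514/UDP agent service has been enabled.

```python
"""Audit a Wazuh host's listening sockets against the documented default ports."""

# Default ports per central component, as listed on the page: (low, high, proto, purpose).
DEFAULT_PORTS = {
    "manager": [(1514, 1514, "tcp", "agent connection service"),
                (1515, 1515, "tcp", "agent enrollment service"),
                (1516, 1516, "tcp", "cluster daemon"),
                (55000, 55000, "tcp", "manager RESTful API")],
    "indexer": [(9200, 9200, "tcp", "indexer RESTful API"),
                (9300, 9400, "tcp", "indexer cluster communication")],
    "dashboard": [(443, 443, "tcp", "web user interface")],
}

# Roles present on one host for each deployment type described on the page.
DEPLOYMENTS = {"all-in-one": {"manager", "indexer", "dashboard"}}

# Constructed sample of `ss -lntu` output (not from a real system).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:1514        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1514        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:1515        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:55000       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:9200        0.0.0.0:*
tcp   LISTEN 0      128    [::]:9300           [::]:*
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""


def parse_ss(text):
    """Return the set of (port, proto) pairs found in `ss -lntu` output."""
    found = set()
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        found.add((int(local.rsplit(":", 1)[1]), proto))  # handles [::]:port too
    return found


def audit(roles, ss_text):
    """Compare observed listeners with the documented defaults for the given roles."""
    rules = [r for role in roles for r in DEFAULT_PORTS[role]]
    found = parse_ss(ss_text)

    def matches(sock, rule):
        return sock[1] == rule[2] and rule[0] <= sock[0] <= rule[1]

    missing = [r[3] for r in rules if not any(matches(s, r) for s in found)]
    unexpected = sorted(s for s in found if not any(matches(s, r) for r in rules))
    # The page lists 1514/UDP as optional and disabled by default, so report it explicitly.
    udp_agent = "manager" in roles and (1514, "udp") in found
    return {"missing": missing, "unexpected": unexpected, "udp_agent_enabled": udp_agent}
```

Running `audit(DEPLOYMENTS["all-in-one"], SAMPLE_SS)` on the sample reports the cluster daemon (1516/TCP) as missing, SSH (22/TCP) and 1514/UDP as outside the documented set, and the UDP agent service as enabled.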

Wazuh CTI

The Wazuh Cyber Threat Intelligence (CTI) service is a publicly accessible platform that collects, analyzes, and disseminates actionable information on emerging cyber threats and vulnerabilities. The service provides a CTI API that includes rulesets (Wazuh decoders and rules) and vulnerability data from trusted threat intelligence sources and feeds, including operating system vendors and major vulnerability databases. It aggregates and sanitizes this data to ensure high-quality, relevant intelligence. This service is integrated directly with the Wazuh Vulnerability Detection module and is publicly available on the Wazuh CTI website.