Wazuh indexer

The Wazuh indexer is a highly scalable, full-text search and analytics engine. It serves as the central data store for the Wazuh platform, indexing and storing security alerts, events, vulnerability data, and system inventory generated by Wazuh agents. The Wazuh indexer includes a set of purpose-built plugins that provide access control, reporting, and content management capabilities, including rules, decoders, integrations, key-value databases (KVDBs), and Indicators of Compromise (IoCs). It also provides near real-time search and analytics, enabling security teams to investigate threats, monitor compliance, and gain visibility into their infrastructure.

The Wazuh indexer includes a Security Analytics plugin that provides advanced threat detection and analysis capabilities. This plugin uses detectors that apply Sigma-based detection rules to identify potential security threats, anomalies, and suspicious activities in the monitored environment.

The Wazuh indexer can be deployed as a single-node instance for development and small environments, or as a multi-node cluster for production workloads requiring high availability and horizontal scalability.

The diagram below shows a Wazuh indexer cluster:

[Figure: Wazuh indexer cluster]

The Wazuh indexer stores data as JSON documents. Each document correlates a set of keys, field names, or properties with their corresponding values, which can be strings, numbers, Boolean values, dates, arrays of values, geolocations, or other types of data.

An index is a collection of related documents. The documents stored in the Wazuh indexer are distributed across different containers known as shards. By distributing the documents across multiple shards and distributing those shards across various nodes, the Wazuh indexer can ensure redundancy. This protects your system against hardware failures and increases query capacity as nodes are added to a cluster. Wazuh uses several types of indices to store different event types.
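The redundancy described above only holds if every primary shard actually has a started replica on a different node. The following added check (example code, not part of the Wazuh project) walks shard allocation data in the shape returned by the indexer's `GET /_cat/shards?format=json` endpoint and flags shards that a single node failure would take offline; the sample allocation and index names are constructed for illustration.

```python
"""Flag shards in a Wazuh indexer cluster that have no STARTED copy on a
second node, i.e. shards a single node failure would make unavailable.
Input rows mirror the JSON fields of GET /_cat/shards?format=json
(index, shard, prirep, state, node); the sample below is constructed."""
from collections import defaultdict

# Constructed sample: a 3-node cluster with one index replicated correctly,
# one whose replica is unassigned, and one with no replica at all.
SAMPLE_SHARDS = [
    {"index": "wazuh-alerts-4.x-2024.06.01", "shard": "0", "prirep": "p", "state": "STARTED", "node": "node-1"},
    {"index": "wazuh-alerts-4.x-2024.06.01", "shard": "0", "prirep": "r", "state": "STARTED", "node": "node-2"},
    {"index": "wazuh-alerts-4.x-2024.06.01", "shard": "1", "prirep": "p", "state": "STARTED", "node": "node-2"},
    {"index": "wazuh-alerts-4.x-2024.06.01", "shard": "1", "prirep": "r", "state": "STARTED", "node": "node-3"},
    {"index": "wazuh-states-vulnerabilities", "shard": "0", "prirep": "p", "state": "STARTED", "node": "node-1"},
    {"index": "wazuh-states-vulnerabilities", "shard": "0", "prirep": "r", "state": "UNASSIGNED", "node": None},
    {"index": "wazuh-monitoring-2024.06.01", "shard": "0", "prirep": "p", "state": "STARTED", "node": "node-3"},
]


def find_unprotected_shards(shards):
    """Return sorted (index, shard) pairs that do not have at least two
    STARTED copies on distinct nodes (primary or replica)."""
    copies_by_shard = defaultdict(list)
    for row in shards:
        copies_by_shard[(row["index"], row["shard"])].append(row)
    unprotected = []
    for key, copies in sorted(copies_by_shard.items()):
        # Only STARTED copies that are actually placed on a node count;
        # UNASSIGNED or INITIALIZING replicas provide no protection yet.
        started_nodes = {c["node"] for c in copies
                         if c["state"] == "STARTED" and c["node"]}
        if len(started_nodes) < 2:
            unprotected.append(key)
    return unprotected


def report(shards):
    """Print each unprotected shard and return how many were found."""
    problems = find_unprotected_shards(shards)
    for index, shard in problems:
        print(f"{index} shard {shard}: no started replica on a second node")
    return len(problems)


if __name__ == "__main__":
    report(SAMPLE_SHARDS)
```

Against a live cluster, feed the function the parsed JSON of `_cat/shards` instead of `SAMPLE_SHARDS`; any non-empty result means the cluster does not yet tolerate the loss of one node for that index.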

The Wazuh indexer is well-suited for time-sensitive use cases like security analytics and infrastructure monitoring, as it is a near real-time search platform. The latency from the time a document is indexed until it becomes searchable is very short, typically one second.

In addition to its speed, scalability, and resiliency, the Wazuh indexer has several built-in features that make storing and searching data even more efficient, such as data roll-ups, alerting, anomaly detection, and index lifecycle management.

Visit the installation guide to learn how to install the Wazuh indexer.