Wazuh indexer

The Wazuh indexer is a scalable search and analytics engine that stores and indexes events forwarded by the Wazuh manager, enabling near real-time data analysis. It manages threat intelligence updates, including decoders, detection rules, vulnerability feeds, and Indicators of Compromise (IoCs) from the Wazuh Cyber Threat Intelligence (CTI) platform.

You can install the Wazuh indexer on a single host or distribute it across multiple nodes in a cluster configuration. The cluster configuration provides scalability, high availability, and improved performance.

Check the requirements below and choose an installation method to start installing the Wazuh indexer.

1
2
3

Install the Wazuh indexer

../../_images/Indexer-Circle.png

Install the Wazuh manager

../../_images/Server-noBG.png

Install the Wazuh dashboard

../../_images/Dashboard-noBG.png

Requirements

Check the recommended operating systems and hardware requirements for the Wazuh indexer installation. Make sure that your system environment meets all requirements and that you have root user privileges.

Hardware recommendations

You can install the Wazuh indexer as a single-node or multi-node cluster.

  • Hardware recommendations for each node

    Minimum

    Recommended

    Component

    RAM (GB)

    CPU (cores)

    RAM (GB)

    CPU (cores)

    Wazuh indexer

    8

    4

    32

    8

  • Disk space requirements: The amount of disk space required depends on the generated alerts per second (APS). This table details the estimated disk space needed per agent to store 90 days of alerts on a Wazuh indexer server, depending on the type of monitored endpoints.

    Monitored endpoints

    APS
    Storage in Wazuh indexer
    (GB/90 days)

    Servers

    0.25

    3.7

    Workstations

    0.1

    1.5

    Network devices

    0.5

    7.4

    For example, for an environment with 80 workstations, 10 servers, and 10 network devices, the storage needed on the Wazuh indexer server for 90 days of alerts is 230 GB.