Installing the Wazuh indexer using the assisted installation method

Install and configure the Wazuh indexer as a single-node or multi-node cluster on a 64-bit (x86_64/AMD64 or AARCH64/ARM64) architecture using the assisted installation method. The Wazuh indexer is a scalable search and analytics engine that stores and indexes events forwarded by the Wazuh manager, enabling near real-time data analysis and several other features.

Wazuh indexer cluster installation

The Wazuh indexer installation process is divided into three stages:

  1. Initial configuration

  2. Wazuh indexer node installation

  3. Cluster initialization

Note

You need root user privileges to run all the commands described below.

Initial configuration

Follow these steps on a Linux host to configure your Wazuh deployment, create SSL certificates to encrypt communications between the Wazuh components, and generate random passwords to secure your installation.

  1. Download the Wazuh installation assistant and the configuration file:

    # curl -sO https://packages-staging.xdrsiem.wazuh.info/pre-release/5.x/installation-assistant/wazuh-install-5.0.0-beta2.sh
    # curl -o config.yml https://packages-staging.xdrsiem.wazuh.info/pre-release/5.x/installation-assistant/config-5.0.0-beta2.yml
    
  2. Edit ./config.yml and replace the node names and IP values with the corresponding names and IP addresses. You need to do this for all Wazuh manager, Wazuh indexer, and Wazuh dashboard nodes. Add as many node fields as needed:

    nodes:
      # Wazuh indexer nodes
      indexer:
        - name: indexer
          ip: "<indexer-node-ip>"
        #  dns: "<indexer-node-dns>"
        #- name: indexer-2
        #  ip: "<indexer-node-ip>"
        #  dns: "<indexer-node-dns>"
        #- name: indexer-3
        #  ip: "<indexer-node-ip>"
        #  dns:
        #    - "<indexer-node-dns>"
    
      # Wazuh manager nodes
      # If there is more than one Wazuh manager
      # node, each one must have a node_type
      manager:
        - name: manager
          ip: "<wazuh-manager-ip>"
        #  dns: "<wazuh-manager-dns>"
        #  node_type: master
        #- name: manager-2
        #  dns: "<wazuh-manager-dns>"
        #  node_type: worker
        #- name: manager-3
        #  ip: "<wazuh-manager-ip>"
        #  dns:
        #    - "<wazuh-manager-dns>"
        #  node_type: worker
    
      # Wazuh dashboard nodes
      dashboard:
        - name: dashboard
          ip: "<dashboard-node-ip>"
        #  dns: "<dashboard-node-dns>"
    
  3. Run the Wazuh installation assistant with the option --generate-config-files to generate the Wazuh cluster key, certificates, and passwords necessary for installation. You can find these files in ./wazuh-install-files.tar:

    # bash wazuh-install-5.0.0-beta2.sh --generate-config-files
    
  4. Copy the wazuh-install-files.tar file from the host where you generated it to all the servers of the distributed deployment, including the Wazuh manager, the Wazuh indexer, and the Wazuh dashboard nodes. You can do this with the scp utility.
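
A pre-flight check for the config.yml edited in step 2, to run before step 3 generates certificates from it. This is an added example, not part of the Wazuh documentation or the installation assistant; the function name check_wazuh_config, the sample addresses, and the rule that duplicate node names are an error are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for config.yml before --generate-config-files.
# Returns 0 when nothing is flagged, 1 otherwise; commented-out lines are ignored.
check_wazuh_config() {
  local file="$1" rc=0 active dups
  active="$(grep -v '^[[:space:]]*#' "$file")" || return 1

  # 1. Template placeholders such as "<indexer-node-ip>" must have been replaced.
  if printf '%s\n' "$active" | grep -q '<[^>]*>'; then
    echo "ERROR: unreplaced <placeholder> values remain" >&2; rc=1
  fi
  # 2. Assumption of this example: a node name identifies exactly one node,
  #    since later steps select the node by name (--wazuh-indexer <name>).
  dups="$(printf '%s\n' "$active" |
    sed -n 's/^[[:space:]]*-[[:space:]]*name:[[:space:]]*//p' | tr -d '"' | sort | uniq -d)"
  if [ -n "$dups" ]; then
    echo "ERROR: duplicate node name(s):" $dups >&2; rc=1
  fi
  # 3. From the template comment: with more than one manager node,
  #    each manager entry must have a node_type.
  if ! printf '%s\n' "$active" | awk '
      /^[ \t]*(indexer|manager|dashboard):[ \t]*$/ { sec = $1; next }
      sec == "manager:" && /^[ \t]*-[ \t]*name:/   { n++ }
      sec == "manager:" && /node_type:/            { t++ }
      END { exit (n + 0 > 1 && t + 0 != n + 0) }'; then
    echo "ERROR: several manager nodes, but not all have node_type" >&2; rc=1
  fi
  return "$rc"
}

# Constructed sample: one placeholder left in place, second manager lacks node_type.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
nodes:
  indexer:
    - name: indexer
      ip: "<indexer-node-ip>"
  manager:
    - name: manager
      ip: "192.0.2.11"
      node_type: master
    - name: manager-2
      ip: "192.0.2.12"
  dashboard:
    - name: dashboard
      ip: "192.0.2.20"
EOF
check_wazuh_config "$sample" || echo "fix config.yml before generating certificates"
```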

Wazuh indexer node installation

Follow these steps to install and configure a single-node or multi-node Wazuh indexer.

  1. Download the Wazuh installation assistant. Skip this step if you performed the initial configuration on the same host and the Wazuh installation assistant is already in your working directory:

    # curl -sO https://packages-staging.xdrsiem.wazuh.info/pre-release/5.x/installation-assistant/wazuh-install-5.0.0-beta2.sh
    
  2. Run the Wazuh installation assistant with the option --wazuh-indexer and the node name to install and configure the Wazuh indexer. The node name must be the same one used in the config.yml file for the initial configuration, for example, indexer.

    Note

    Make sure that a copy of wazuh-install-files.tar, created during the initial configuration step, is placed in your working directory.

    # bash wazuh-install-5.0.0-beta2.sh --wazuh-indexer indexer -d pre-release
    

Repeat this stage of the installation process for every Wazuh indexer node in your cluster. The command installs, configures and starts the Wazuh indexer on the host. Then proceed with initializing your single-node or multi-node cluster in the next stage.

Cluster initialization

The final stage of installing the Wazuh indexer single-node or multi-node cluster consists of running the security admin script. The security admin script loads the new certificates and initializes the single-node or multi-node cluster.

Note

You only have to initialize the cluster once. There is no need to run this command on every node.

  1. Run the Wazuh installation assistant with the option --start-cluster on any Wazuh indexer node to run the security admin script:

    # bash wazuh-install-5.0.0-beta2.sh --start-cluster
    

Testing the cluster installation

Verify that the Wazuh indexer was installed correctly and that the Wazuh indexer cluster is functioning as expected by following the steps below.

  1. Run the following command to confirm that the installation is successful. Replace <WAZUH_INDEXER_IP_ADDRESS> with the IP address of the Wazuh indexer and enter the admin password when prompted. The default password is admin.

    # curl -k -u admin https://<WAZUH_INDEXER_IP_ADDRESS>:9200
    
    {
      "name" : "indexer",
      "cluster_name" : "wazuh-cluster",
      "cluster_uuid" : "D8L8SfzhQeu3pzxWOKaV3w",
      "version" : {
        "distribution" : "opensearch",
        "number" : "3.5.0",
        "build_type" : "deb",
        "build_hash" : "0688bb0c0d4d2384772311ab88edcd2a18a67774",
        "build_date" : "2026-04-09T12:03:20.584145075Z",
        "build_snapshot" : false,
        "lucene_version" : "10.3.2",
        "minimum_wire_compatibility_version" : "2.19.0",
        "minimum_index_compatibility_version" : "2.0.0"
      },
      "tagline" : "The OpenSearch Project: https://opensearch.org/"
    }
    
  2. Run the following command to check if the cluster is working correctly. Replace <WAZUH_INDEXER_IP_ADDRESS> with the IP address of the Wazuh indexer and enter the password for the Wazuh indexer admin user when prompted:

    # curl -k -u admin "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v"
    

    The command output should be similar to the following:

    ip             heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
    192.168.33.147           47          97  57    3.11    1.27     0.52 dimr      cluster_manager,data,ingest,remote_cluster_client *               indexer
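
In a multi-node cluster, the output above is worth checking against config.yml rather than reading by eye. The following added example (not part of the Wazuh documentation) does that; the function name check_cat_nodes and the sample rows are constructed, including the `-` shown for nodes that are not the elected cluster manager.

```bash
#!/usr/bin/env bash
# Added example: check `_cat/nodes?v` output (stdin) against the indexer node
# names listed in config.yml (arguments). Returns 0 only when every expected
# node has joined, no unknown node is present, and exactly one node is elected.
# Live use: curl -k -u admin "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v" | check_cat_nodes indexer
check_cat_nodes() {
  [ "$#" -gt 0 ] || { echo "usage: check_cat_nodes <node-name>..." >&2; return 2; }
  awk -v expected="$*" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
    NR == 1 {                       # header row: map column titles to positions
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!("name" in col) || !("cluster_manager" in col)) { hdr_bad = 1; exit }
      next
    }
    NF == 0 { next }                # skip blank lines
    {
      name = $(col["name"]); seen[name] = 1
      if ($(col["cluster_manager"]) == "*") elected++   # "*" marks the elected manager
      if (!(name in want)) { print "unexpected node: " name; bad = 1 }
    }
    END {
      if (hdr_bad) { print "unrecognised header"; exit 2 }
      for (w in want) if (!(w in seen)) { print "node did not join: " w; bad = 1 }
      if (elected + 0 != 1) { print "elected cluster managers: " (elected + 0); bad = 1 }
      exit bad + 0
    }' >&2
}

# Constructed samples in the format shown above (second one: indexer-3 never joined).
hdr='ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name'
row() { printf '%s 47 97 57 3.11 1.27 0.52 dimr cluster_manager,data,ingest,remote_cluster_client %s %s\n' "$@"; }
one_node="$(printf '%s\n' "$hdr"; row 192.168.33.147 '*' indexer)"
two_of_three="$(printf '%s\n' "$hdr"; row 192.0.2.10 '*' indexer; row 192.0.2.11 - indexer-2)"

printf '%s\n' "$one_node"     | check_cat_nodes indexer && echo "single-node cluster OK"
printf '%s\n' "$two_of_three" | check_cat_nodes indexer indexer-2 indexer-3 ||
  echo "cluster incomplete: do not proceed to the manager installation"
```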
    

Disable Wazuh updates

We recommend disabling the Wazuh package repositories after installing all components on this server to prevent accidental upgrades.

Execute the following commands only after completing all installations:

    # sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
    # apt update

Next steps

The Wazuh indexer is now successfully installed and you can proceed with installing the Wazuh manager. To perform this action, see the Installing the Wazuh manager using the assisted installation method section.