Installing the Wazuh indexer step-by-step

Install and configure the Wazuh indexer as a single-node or multi-node cluster following step-by-step instructions. The Wazuh indexer is a scalable search and analytics engine that stores and indexes the events forwarded by the Wazuh manager, so they can be searched and analyzed in near real time by the Wazuh dashboard and the Wazuh API.

The installation process is divided into three stages:

  1. Certificate creation

  2. Wazuh indexer nodes installation

  3. Cluster initialization

Note

You need root user privileges to run all the commands described below.

Certificate creation

Wazuh uses TLS certificates so that its central components can authenticate each other and encrypt the traffic between them. Follow these steps to create the certificates for the Wazuh central components.

Generating the SSL certificates

  1. Download the wazuh-certs-tool-5.0.0-beta2.sh script and the config.yml configuration file. The script reads config.yml and creates the certificates that encrypt communications between the Wazuh central components:

    # curl -sO https://packages-staging.xdrsiem.wazuh.info/pre-release/5.x/installation-assistant/wazuh-certs-tool-5.0.0-beta2.sh
    # curl -o config.yml https://packages-staging.xdrsiem.wazuh.info/pre-release/5.x/installation-assistant/config-5.0.0-beta2.yml
    
  2. Edit ./config.yml and replace the node names and IP values with the corresponding names and IP addresses. You need to do this for all Wazuh manager, Wazuh indexer, and Wazuh dashboard nodes. Add as many node fields as needed. The names and addresses you enter here are written into the certificates, so they must match the node.name and network.host values you configure on each Wazuh indexer node later:

    nodes:
      # Wazuh indexer nodes
      indexer:
        - name: indexer
          ip: "<indexer-node-ip>"
        #  dns: "<indexer-node-dns>"
        #- name: indexer-2
        #  ip: "<indexer-node-ip>"
        #  dns: "<indexer-node-dns>"
        #- name: indexer-3
        #  ip: "<indexer-node-ip>"
        #  dns:
        #    - "<indexer-node-dns>"
    
      # Wazuh manager nodes
      # If there is more than one Wazuh manager
      # node, each one must have a node_type
      manager:
        - name: manager
          ip: "<wazuh-manager-ip>"
        #  dns: "<wazuh-manager-dns>"
        #  node_type: master
        #- name: manager-2
        #  dns: "<wazuh-manager-dns>"
        #  node_type: worker
        #- name: manager-3
        #  ip: "<wazuh-manager-ip>"
        #  dns:
        #    - "<wazuh-manager-dns>"
        #  node_type: worker
    
      # Wazuh dashboard nodes
      dashboard:
        - name: dashboard
          ip: "<dashboard-node-ip>"
        #  dns: "<dashboard-node-dns>"
    

    To learn more about how to create and configure the certificates, see the Certificates deployment section.

  3. Run ./wazuh-certs-tool-5.0.0-beta2.sh to create the certificates. For a multi-node cluster, these certificates need to be deployed later to all Wazuh instances in your cluster:

    # bash ./wazuh-certs-tool-5.0.0-beta2.sh -A
    
  4. Compress all the necessary files:

    # tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
    # rm -rf ./wazuh-certificates
    
  5. Copy the wazuh-certificates.tar file to all the nodes, including the Wazuh indexer, Wazuh manager, and Wazuh dashboard nodes. This can be done by using the scp utility.

Wazuh indexer nodes installation

Follow these steps to install and configure a single-node or multi-node Wazuh indexer.

Installing package dependencies

  1. Run the following command to install these packages if they are missing:

    # apt install debconf adduser procps
    

Adding the Wazuh repository

  1. Install the following packages if missing:

    # apt-get install -y gnupg apt-transport-https
    
  2. Import the Wazuh GPG key into a dedicated keyring. apt uses this key to verify package signatures, so compare the fingerprint of the imported key with the one Wazuh publishes before trusting the repository:

    # curl -s https://packages-staging.xdrsiem.wazuh.info/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
    
  3. Add the repository:

    # echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-staging.xdrsiem.wazuh.info/pre-release/5.x/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
    
  4. Update the packages information:

    # apt-get update
    

Installing the Wazuh indexer

  1. Install the Wazuh indexer package.

    # apt-get -y install wazuh-indexer
    

Configuring the Wazuh indexer

  1. Edit /etc/wazuh-indexer/opensearch.yml and replace the following values:

    1. network.host: Sets the address of this node for both HTTP and transport traffic. The node will bind to this address and will also use it as its publish address. Accepts an IP address or a hostname.

      Use the same node address set in config.yml to create the SSL certificates.

    2. node.name: Name of the Wazuh indexer node as defined in the config.yml file. For example, indexer.

    3. cluster.initial_master_nodes: List of the names of the master-eligible nodes. These names are defined in the config.yml file. Uncomment the node-2 and node-3 lines, change the names, or add more lines, according to your config.yml definitions.

      cluster.initial_master_nodes:
      - "indexer"
      - "node-2"
      - "node-3"
      
    4. discovery.seed_hosts: List of the addresses of the master-eligible nodes. Each element can be either an IP address or a hostname. You may leave this setting commented if you are configuring the Wazuh indexer as a single-node. For multi-node configurations, uncomment this setting and set the addresses of each master-eligible node.

      discovery.seed_hosts:
        - "10.0.0.1"
        - "10.0.0.2"
        - "10.0.0.3"
      
    5. plugins.security.nodes_dn: List of the Distinguished Names of the certificates of every Wazuh indexer cluster node. Uncomment the lines for node-2 and node-3 and change the common names (CN) and values according to your settings and your config.yml definitions.

      plugins.security.nodes_dn:
      - "CN=indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
      - "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
      - "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
      

Deploying certificates

Note

Make sure that a copy of wazuh-certificates.tar, created in the previous stage of the installation process, is placed in your working directory.

  1. Run the following commands to deploy the certificates, replacing <INDEXER_NODE_NAME> with the name of the Wazuh indexer node you are configuring, as defined in config.yml. In our case, the node name is indexer. The node certificate and key are renamed to indexer.pem and indexer-key.pem, the file names the packaged opensearch.yml points to. Note that mv -n never overwrites an existing file: if you are reinstalling, remove any old contents of /etc/wazuh-indexer/certs first so that stale certificates are not kept:

    # NODE_NAME=<INDEXER_NODE_NAME>
    
    # mkdir /etc/wazuh-indexer/certs
    # tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
    # mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
    # mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
    # chmod 500 /etc/wazuh-indexer/certs
    # chmod 400 /etc/wazuh-indexer/certs/*
    # chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
    
  2. Recommended action: If no other Wazuh components will be installed on this node, run the following command to remove the wazuh-certificates.tar file.

    # rm -f ./wazuh-certificates.tar
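The following script is an added example and not part of the Wazuh tooling. It re-runs the deployment commands above against a parameterised target directory and then checks what an operator would want to know before starting the service: that all five files are present, that indexer.pem chains to root-ca.pem, that its subject is exactly the DN that plugins.security.nodes_dn lists for this node, that indexer-key.pem is the private key of that certificate (the case mv -n silently gets wrong when an old indexer.pem is left behind), and that modes and ownership are 500/400 and the expected account. It assumes the openssl CLI and GNU coreutils (stat -c); the certificate bundle it verifies is a throwaway one it builds itself with the same file layout wazuh-certs-tool produces, so it runs without the real tool and as an unprivileged user.

```shell
#!/bin/sh
# Added example, not part of the Wazuh tooling: deploy a certificate bundle
# the way this page does and verify the result before starting the indexer.
# Assumes the openssl CLI and GNU coreutils (stat -c).
set -eu

# Verify an already deployed certs directory.
# $1 = certs directory, $2 = node name from config.yml, $3 = expected owner
verify_indexer_certs() {
  dir="$1"; node="$2"; owner="$3"
  cert="$dir/indexer.pem"; key="$dir/indexer-key.pem"; ca="$dir/root-ca.pem"
  for f in "$cert" "$key" "$ca" "$dir/admin.pem" "$dir/admin-key.pem"; do
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  done
  # The node certificate must chain to the cluster root CA.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert is not issued by $ca" >&2; return 1; }
  # RFC 2253 order is the order used in plugins.security.nodes_dn.
  subject="$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')"
  [ "$subject" = "CN=$node,OU=Wazuh,O=Wazuh,L=California,C=US" ] \
    || { echo "subject '$subject' does not match node '$node'" >&2; return 1; }
  # mv -n never overwrites, so a stale indexer.pem from an earlier install
  # would survive next to a key that does not belong to it; catch that here.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "$key is not the private key of $cert" >&2; return 1; }
  [ "$(stat -c '%a %U' "$dir")" = "500 $owner" ] \
    || { echo "$dir is not mode 500 owned by $owner" >&2; return 1; }
  for f in "$dir"/*; do
    [ "$(stat -c '%a %U' "$f")" = "400 $owner" ] \
      || { echo "$f is not mode 400 owned by $owner" >&2; return 1; }
  done
  echo "$dir: certificates valid for node $node"
}

# The deployment commands from this page, with the target directory as a
# parameter ($1 = tar, $2 = node name, $3 = certs directory). The rename is
# skipped when the node is already called indexer, where it would be a no-op.
deploy_certs() {
  tarball="$1"; node="$2"; dest="$3"
  mkdir "$dest"
  tar -xf "$tarball" -C "$dest/" "./$node.pem" "./$node-key.pem" ./admin.pem ./admin-key.pem ./root-ca.pem
  if [ "$node" != indexer ]; then
    mv -n "$dest/$node.pem" "$dest/indexer.pem"
    mv -n "$dest/$node-key.pem" "$dest/indexer-key.pem"
  fi
  chmod 500 "$dest"
  chmod 400 "$dest"/*
}

# Build a throwaway bundle with the layout wazuh-certs-tool produces
# (root-ca.pem, admin.pem, admin-key.pem, <node>.pem, <node>-key.pem).
# Constructed here only so the example runs without the real tool.
# $1 = work dir, $2 = node name
make_demo_bundle() {
  work="$1"; node="$2"
  mkdir -p "$work/wazuh-certificates"
  (
    cd "$work/wazuh-certificates"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout root-ca.key -out root-ca.pem \
      -subj "/C=US/L=California/O=Wazuh/CN=root-ca" >/dev/null 2>&1
    for n in "$node" admin; do
      openssl req -newkey rsa:2048 -nodes -keyout "$n-key.pem" -out "$n.csr" \
        -subj "/C=US/L=California/O=Wazuh/OU=Wazuh/CN=$n" >/dev/null 2>&1
      openssl x509 -req -days 1 -in "$n.csr" -CA root-ca.pem -CAkey root-ca.key \
        -CAcreateserial -out "$n.pem" >/dev/null 2>&1
      rm -f "$n.csr"
    done
    rm -f root-ca.key root-ca.srl
  )
  tar -cf "$work/wazuh-certificates.tar" -C "$work/wazuh-certificates/" .
  rm -rf "$work/wazuh-certificates"
}

# Demo: bundle, deploy and verify in a temporary directory as the current user.
work="$(mktemp -d)"
make_demo_bundle "$work" indexer-1
deploy_certs "$work/wazuh-certificates.tar" indexer-1 "$work/certs"
verify_indexer_certs "$work/certs" indexer-1 "$(id -un)"
chmod -R u+w "$work" && rm -rf "$work"
```

On a real node, the call that matters is verify_indexer_certs /etc/wazuh-indexer/certs <node-name> wazuh-indexer, run as root after the chown; the other two functions exist only to give the example something to verify.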
    

Starting the service

  1. Enable and start the Wazuh indexer service.

    # systemctl daemon-reload
    # systemctl enable wazuh-indexer
    # systemctl start wazuh-indexer
    

Repeat this stage of the installation process for every Wazuh indexer node in your multi-node cluster. Then proceed with initializing your single-node or multi-node cluster in the next stage.

Disable Wazuh updates

We recommend disabling the Wazuh package repositories after installing all components on this server to prevent accidental upgrades.

Execute the following command only after completing all installations:

# sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
# apt update

Cluster initialization

The final stage of installing the Wazuh indexer single-node or multi-node cluster consists of running the security admin script.

Note

You only have to initialize the cluster once; there is no need to run this command on every node.

  1. Run the indexer-security-init.sh script on any Wazuh indexer node. It loads the security configuration into the cluster, authenticating with the admin certificate that was deployed alongside the node certificates, and brings up the single-node or multi-node cluster:

    # /usr/share/wazuh-indexer/bin/indexer-security-init.sh
    

Testing the cluster installation

  1. Run the following commands to confirm that the installation is successful. Replace <WAZUH_INDEXER_IP_ADDRESS> with the IP address of the Wazuh indexer and enter admin as the password when prompted. admin is the default password of the built-in admin user, so change it before exposing the cluster to anything other than the Wazuh central components. The -k option skips certificate verification; to verify the connection against the cluster CA instead, pass --cacert /etc/wazuh-indexer/certs/root-ca.pem:

    # curl -k -u admin https://<WAZUH_INDEXER_IP_ADDRESS>:9200
    
    {
      "name" : "indexer",
      "cluster_name" : "wazuh-cluster",
      "cluster_uuid" : "rM3vIXsSS0qgW0fkwHGolg",
      "version" : {
        "distribution" : "opensearch",
        "number" : "3.5.0",
        "build_type" : "rpm",
        "build_hash" : "0688bb0c0d4d2384772311ab88edcd2a18a67774",
        "build_date" : "2026-04-09T12:10:10.126706914Z",
        "build_snapshot" : false,
        "lucene_version" : "10.3.2",
        "minimum_wire_compatibility_version" : "2.19.0",
        "minimum_index_compatibility_version" : "2.0.0"
      },
      "tagline" : "The OpenSearch Project: https://opensearch.org/"
    }
    
  2. Run the following command to check if the cluster is working correctly. Replace <WAZUH_INDEXER_IP_ADDRESS> with the IP address of the Wazuh indexer and enter admin as the password when prompted:

    # curl -k -u admin https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v
    

    The command produces output similar to the following. In a multi-node cluster there is one row per node that has joined; the asterisk in the cluster_manager column marks the elected cluster manager:

    ip             heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
    192.168.33.147           33          69  17    0.09    0.61     0.50 dimr      cluster_manager,data,ingest,remote_cluster_client *               indexer
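Reading that table by eye works for one node; for a multi-node cluster the check you actually want is that every node you listed in cluster.initial_master_nodes has joined, that nothing unexpected has joined, and that exactly one node has been elected cluster manager. The following script is an added example, not part of the Wazuh tooling, that performs that check on the output of the _cat/nodes request. The sample table is constructed for the example (a healthy three-node cluster in the column layout shown above); columns are located by header name, so the order in which the API prints them does not matter.

```shell
#!/bin/sh
# Added example, not part of the Wazuh tooling: validate GET /_cat/nodes?v
# against the expected cluster membership and a single elected manager.
set -eu

# Constructed sample: a healthy three-node cluster in the layout shown above.
sample_cat_nodes() {
  cat <<'EOF'
ip       heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
10.0.0.1           33          69  17    0.09    0.61     0.50 dimr      cluster_manager,data,ingest,remote_cluster_client *               indexer-1
10.0.0.2           28          65   9    0.12    0.30     0.25 dimr      cluster_manager,data,ingest,remote_cluster_client -               indexer-2
10.0.0.3           30          66  11    0.05    0.20     0.18 dimr      cluster_manager,data,ingest,remote_cluster_client -               indexer-3
EOF
}

# check_cluster_nodes "<space-separated expected node names>" < cat_nodes_output
# Exits 0 only if the node set matches exactly and one manager is elected.
check_cluster_nodes() {
  awk -v expected="$1" '
    NR == 1 {                                  # header: map column name -> field number
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!("name" in col) || !("cluster_manager" in col)) {
        print "unexpected header: " $0; bad = 1; exit 1
      }
      next
    }
    {
      seen[$(col["name"])] = 1
      if ($(col["cluster_manager"]) == "*") managers++
    }
    END {
      if (bad) exit 1
      n = split(expected, want, " ")
      for (i = 1; i <= n; i++)
        if (!(want[i] in seen)) { print "node " want[i] " has not joined the cluster"; exit 1 }
      for (name in seen) {
        found = 0
        for (i = 1; i <= n; i++) if (want[i] == name) found = 1
        if (!found) { print "unexpected node " name " in the cluster"; exit 1 }
      }
      if (managers + 0 != 1) {
        print managers + 0 " elected cluster managers, expected exactly 1"; exit 1
      }
      print "all " n " expected nodes joined; one elected cluster manager"
    }'
}

# Demo on the constructed sample; on a live cluster pipe the curl output
# from the step above into check_cluster_nodes instead of sample_cat_nodes.
sample_cat_nodes | check_cluster_nodes "indexer-1 indexer-2 indexer-3"
```

A missing node usually means its certificate subject is not in plugins.security.nodes_dn on the other nodes or its address is not in discovery.seed_hosts; a second asterisk, or none, means the nodes have not agreed on a cluster manager and the cluster is not yet usable.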
    

Next steps

The Wazuh indexer is now successfully installed on your single-node or multi-node cluster, and you can proceed with installing the Wazuh manager. To perform this action, see the Installing the Wazuh manager step-by-step section.

To uninstall the Wazuh indexer, see Uninstalling the Wazuh indexer.