Installing the Wazuh manager step-by-step
Install and configure the Wazuh manager as a single-node or multi-node cluster following step-by-step instructions. The Wazuh manager analyzes event data received from Wazuh agents and forwards the processed events to the Wazuh indexer.
The installation process is divided into two stages:
Note
You need root user privileges to run all the commands described below.
Wazuh manager node installation
Follow these steps to install a single-node or multi-node cluster Wazuh manager.
Adding the Wazuh repository
Note
If you are installing the Wazuh manager on the same host as the Wazuh indexer, you may skip these steps only if the Wazuh repository is already configured and enabled.
Install the following packages if missing:
# apt-get install -y gnupg apt-transport-https
Install the GPG key:
# curl -s https://packages-staging.xdrsiem.wazuh.info/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository:
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-staging.xdrsiem.wazuh.info/pre-release/5.x/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the packages information:
# apt-get update
Import the GPG key.
# rpm --import https://packages-staging.xdrsiem.wazuh.info/key/GPG-KEY-WAZUH
Add the repository.
For RHEL-compatible systems version 8 and earlier, use the following command:
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-staging.xdrsiem.wazuh.info/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-staging.xdrsiem.wazuh.info/pre-release/5.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
For RHEL-compatible systems version 9 and later, use the following command:
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-staging.xdrsiem.wazuh.info/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-staging.xdrsiem.wazuh.info/pre-release/5.x/yum/\npriority=1' | tee /etc/yum.repos.d/wazuh.repo
Import the GPG key.
# rpm --import https://packages-staging.xdrsiem.wazuh.info/key/GPG-KEY-WAZUH
Add the repository.
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-staging.xdrsiem.wazuh.info/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-staging.xdrsiem.wazuh.info/pre-release/5.x/yum/\npriority=1' | tee /etc/yum.repos.d/wazuh.repo
Installing the Wazuh manager
Install the Wazuh manager package.
# apt-get -y install wazuh-manager
# yum -y install wazuh-manager
# dnf -y install wazuh-manager
Deploying certificates
Note
Make sure that a copy of the wazuh-certificates.tar file, created during the initial configuration step, is placed in your working directory.
Replace <MANAGER_NODE_NAME> with your Wazuh manager node certificate name, the same used in config.yml when creating the certificates. In our case, the node name is manager. Then move the certificates to their corresponding location:
# NODE_NAME=<MANAGER_NODE_NAME>
# mkdir /var/wazuh-manager/etc/certs
# tar -xf ./wazuh-certificates.tar -C /var/wazuh-manager/etc/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /var/wazuh-manager/etc/certs/$NODE_NAME.pem /var/wazuh-manager/etc/certs/manager.pem
# mv -n /var/wazuh-manager/etc/certs/$NODE_NAME-key.pem /var/wazuh-manager/etc/certs/manager-key.pem
# chmod 500 /var/wazuh-manager/etc/certs
# chmod 400 /var/wazuh-manager/etc/certs/*
# chown -R root:root /var/wazuh-manager/etc/certs
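The script below is an added example, not part of the Wazuh documentation. It verifies the end state of the certificate steps above: the three files are present, the directory is mode 500, every file is mode 400, and everything belongs to the expected owner. The function name check_cert_dir and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example: verify the certificate directory after the steps above.
# Expected state from the page: directory 500, files 400, owner root.

# check_cert_dir DIR [OWNER]; OWNER defaults to root.
# Prints one line per finding and returns 1 if any is found.
check_cert_dir() {
    cert_dir=$1
    cert_owner=${2:-root}
    cert_bad=0

    # The manager configuration references exactly these three files.
    for cert_f in manager.pem manager-key.pem root-ca.pem; do
        if [ ! -f "$cert_dir/$cert_f" ]; then
            echo "missing file: $cert_f"; cert_bad=1
        fi
    done

    # Directory must be r-x for its owner only (mode 500).
    if [ -n "$(find "$cert_dir" -prune ! -perm 500)" ]; then
        echo "directory mode is not 500: $cert_dir"; cert_bad=1
    fi

    # Every file must be read-only for its owner (mode 400).
    cert_loose=$(find "$cert_dir" -type f ! -perm 400)
    if [ -n "$cert_loose" ]; then
        echo "files with mode other than 400:"; echo "$cert_loose"; cert_bad=1
    fi

    # Nothing in the tree may belong to another account.
    cert_foreign=$(find "$cert_dir" ! -user "$cert_owner")
    if [ -n "$cert_foreign" ]; then
        echo "not owned by $cert_owner:"; echo "$cert_foreign"; cert_bad=1
    fi
    return "$cert_bad"
}

# Command-line use: sh check_certs.sh /var/wazuh-manager/etc/certs
if [ "$#" -gt 0 ]; then
    check_cert_dir "$@"
fi
```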
Configuring the Wazuh indexer connection
Save the Wazuh indexer username and password into the Wazuh manager keystore using the wazuh-manager-keystore tool. Replace <WAZUH_INDEXER_USERNAME> and <WAZUH_INDEXER_PASSWORD> with the Wazuh indexer username and password:
# echo '<WAZUH_INDEXER_USERNAME>' | /var/wazuh-manager/bin/wazuh-manager-keystore -f indexer -k username
# echo '<WAZUH_INDEXER_PASSWORD>' | /var/wazuh-manager/bin/wazuh-manager-keystore -f indexer -k password
Note
The default step-by-step installation credentials are admin:admin.
Edit the /var/wazuh-manager/etc/wazuh-manager.conf file to configure the indexer connection.
By default, the indexer settings have one host configured. It's set to 127.0.0.1 as highlighted below.
<indexer>
  <hosts>
    <host>https://127.0.0.1:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/var/wazuh-manager/etc/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/var/wazuh-manager/etc/certs/manager.pem</certificate>
    <key>/var/wazuh-manager/etc/certs/manager-key.pem</key>
  </ssl>
</indexer>
Replace 127.0.0.1 with your Wazuh indexer node IP address or hostname. You can find this value in the Wazuh indexer config file /etc/wazuh-indexer/opensearch.yml.
Ensure the Wazuh manager certificate and key name match the certificate files in /var/wazuh-manager/etc/certs.
If you are running a Wazuh indexer cluster infrastructure, add a <host> entry for each one of your Wazuh indexer nodes. For example, in a two-node configuration:
<hosts>
  <host>https://10.0.0.1:9200</host>
  <host>https://10.0.0.2:9200</host>
</hosts>
The Wazuh manager prioritizes reporting to the first Wazuh indexer node in the list. If that node is not available, it switches to the next one.
Starting the Wazuh manager
Enable and start the Wazuh manager service.
# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager
Choose one option according to your operating system:
RPM-based operating system:
# chkconfig --add wazuh-manager
# service wazuh-manager start
Debian-based operating system:
# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start
Run the following command to verify the Wazuh manager status:
# systemctl status wazuh-manager
# service wazuh-manager status
Your Wazuh manager node is now successfully installed. Repeat this stage of the installation process for every Wazuh manager node in your Wazuh cluster, then proceed with configuring the Wazuh cluster. If you want a Wazuh manager single-node cluster, everything is set and you can proceed directly with Installing the Wazuh dashboard step by step.
Disable Wazuh updates
We recommend disabling the Wazuh package repositories after installing all components on this server to prevent accidental upgrades.
Execute the following command only after completing all installations:
# sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
# apt update
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
Cluster configuration for multi-node deployment
After completing the installation of the Wazuh manager on every node, you need to configure one server node only as the master and the rest as workers.
Configuring the Wazuh manager master node
Edit the following settings in the /var/wazuh-manager/etc/wazuh-manager.conf file and configure the necessary parameters:
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node><WAZUH_MASTER_NODE_ADDRESS></node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
Parameters to be configured:
name: It indicates the name of the cluster.
node_name: It indicates the name of the current node.
node_type: It specifies the role of the node. It has to be set to master.
key: Key that is used to encrypt communication between cluster nodes. The key must be 32 characters long and the same for all of the nodes in the cluster. The following command can be used to generate a random key: openssl rand -hex 16.
port: It indicates the destination port for cluster communication.
bind_addr: It is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 for any IP).
nodes: It is the address of the master node and can be either an IP or a DNS. This parameter must be specified in all nodes, including the master itself.
hidden: It shows or hides the cluster information in the generated alerts.
disabled: It indicates whether the node is enabled or disabled in the cluster. This option must be set to no.
Restart the Wazuh manager.
# systemctl restart wazuh-manager
# service wazuh-manager restart
Configuring the Wazuh manager worker nodes
Configure the cluster node by editing the following settings in the /var/wazuh-manager/etc/wazuh-manager.conf file and configure the necessary parameters:
<cluster>
  <name>wazuh</name>
  <node_name>worker-node</node_name>
  <node_type>worker</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node><WAZUH_MASTER_ADDRESS></node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
Parameters to be configured:
name: It indicates the name of the cluster.
node_name: It indicates the name of the current node. Each node of the cluster must have a unique name.
node_type: It specifies the role of the node. It has to be set as worker.
key: The key created previously for the master node. It has to be the same for all the nodes.
nodes: It has to specify the address of the master node and can be either an IP or a DNS.
disabled: It indicates whether the node is enabled or disabled in the cluster. It has to be set to no.
Restart the Wazuh manager.
# systemctl restart wazuh-manager
# service wazuh-manager restart
Repeat these configuration steps for every Wazuh manager worker node in your cluster.
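The script below is an added example, not part of the Wazuh documentation. It checks a copy of wazuh-manager.conf against the cluster settings described above (a 32-character key that is not the sample key printed on this page, a valid node_type, a filled-in master address, disabled set to no) and compares the key between two nodes' files. The function names are hypothetical, and the script assumes one XML element per line.

```shell
#!/bin/sh
# Added example: audit the <cluster> block of a wazuh-manager.conf copy.
# Assumes one XML element per line, as in the blocks shown on this page.

# Sample key printed in the configuration blocks on this page; it is public.
DOC_SAMPLE_KEY="c98b62a9b6169ac5f67dae55ae4a9088"

# cluster_value FILE TAG: print the first <TAG> value found inside <cluster>.
# Scoping to <cluster> matters because <indexer><ssl> also contains a <key>.
cluster_value() {
    sed -n '/<cluster>/,/<\/cluster>/p' "$1" |
        sed -n "s|.*<$2>\(.*\)</$2>.*|\1|p" | head -n 1
}

# check_cluster_conf FILE: print one line per finding; return 1 if any.
check_cluster_conf() {
    cc_bad=0
    cc_key=$(cluster_value "$1" key)
    cc_type=$(cluster_value "$1" node_type)
    cc_node=$(cluster_value "$1" node)
    cc_disabled=$(cluster_value "$1" disabled)

    if [ "${#cc_key}" -ne 32 ]; then
        echo "key: length ${#cc_key}, must be 32 characters"; cc_bad=1
    elif [ "$cc_key" = "$DOC_SAMPLE_KEY" ]; then
        echo "key: documentation sample key in use, generate a new one"; cc_bad=1
    fi
    case "$cc_type" in
        master|worker) ;;
        *) echo "node_type: '$cc_type' is not master or worker"; cc_bad=1 ;;
    esac
    case "$cc_node" in
        ""|"<"*) echo "nodes: master address not set"; cc_bad=1 ;;
    esac
    if [ "$cc_disabled" != "no" ]; then
        echo "disabled: must be no for the node to join the cluster"; cc_bad=1
    fi
    return "$cc_bad"
}

# same_cluster_key FILE_A FILE_B: succeed only if both nodes share one key.
same_cluster_key() {
    [ "$(cluster_value "$1" key)" = "$(cluster_value "$2" key)" ]
}

# Command-line use: sh check_cluster.sh /var/wazuh-manager/etc/wazuh-manager.conf
if [ "$#" -gt 0 ]; then
    check_cluster_conf "$1"
fi
```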
Testing Wazuh manager cluster
Run the following command to verify that the Wazuh cluster is enabled and all the nodes are connected:
# /var/wazuh-manager/bin/cluster_control -l
An example output of the command looks as follows:
NAME TYPE VERSION ADDRESS
master-node master 5.0.0 10.0.0.3
worker-node1 worker 5.0.0 10.0.0.4
worker-node2 worker 5.0.0 10.0.0.5
Note that the IP addresses 10.0.0.3, 10.0.0.4, and 10.0.0.5 are used as examples.
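The script below is an added example, not part of the Wazuh documentation. It reads the cluster_control -l listing from standard input and reports a wrong node count, a missing or duplicated master, and nodes whose version differs from the master's. The function name check_cluster_listing is hypothetical, and the four-column layout is assumed to match the example output above.

```shell
#!/bin/sh
# Added example: validate `cluster_control -l` output read from stdin.
# Assumes the four-column layout shown above: NAME TYPE VERSION ADDRESS.

# check_cluster_listing EXPECTED_NODES
# Prints one line per finding and returns 1 if any is found.
check_cluster_listing() {
    awk -v expected="$1" '
        NR == 1 && $1 == "NAME" { next }    # skip the header row
        NF < 4 { next }                      # ignore blank or short lines
        {
            nodes++
            version[$1] = $3
            if ($2 == "master") { masters++; master_ver = $3 }
        }
        END {
            if (masters != 1) {
                print "expected 1 master, found " masters + 0; bad = 1
            }
            if (nodes != expected) {
                print "expected " expected " nodes, found " nodes + 0; bad = 1
            }
            # Version drift is only meaningful against a single master.
            for (n in version)
                if (masters == 1 && version[n] != master_ver) {
                    print n ": version " version[n] " differs from master " master_ver
                    bad = 1
                }
            exit bad + 0
        }'
}

# Command-line use, with the number of nodes you expect to be connected:
#   /var/wazuh-manager/bin/cluster_control -l | sh check_listing.sh 3
if [ "$#" -gt 0 ]; then
    check_cluster_listing "$1"
fi
```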
Next steps
The Wazuh manager installation is now complete, and you can proceed with Installing the Wazuh dashboard step by step.
If you want to uninstall the Wazuh manager, see Uninstalling the Wazuh manager.