Clone this repository to deploy the necessary services and pods.

$ git clone -b v4.4.3 --depth=1
$ cd wazuh-kubernetes

Setup SSL certificates

You can generate self-signed certificates for the Wazuh indexer cluster using the script at wazuh/certs/indexer_cluster/ or provide your own.

You can generate self-signed certificates for the Wazuh dashboard cluster using the script at wazuh/certs/dashboard_http/ or provide your own.

The required certificates are imported via secretGenerator on the kustomization.yml file:

    - name: indexer-certs
        - certs/indexer_cluster/root-ca.pem
        - certs/indexer_cluster/node.pem
        - certs/indexer_cluster/node-key.pem
        - certs/indexer_cluster/dashboard.pem
        - certs/indexer_cluster/dashboard-key.pem
        - certs/indexer_cluster/admin.pem
        - certs/indexer_cluster/admin-key.pem
        - certs/indexer_cluster/filebeat.pem
        - certs/indexer_cluster/filebeat-key.pem
    - name: dashboard-certs
        - certs/dashboard_http/cert.pem
        - certs/dashboard_http/key.pem
        - certs/indexer_cluster/root-ca.pem

Setup storage class (optional for non-EKS cluster)

Depending on the type of cluster you’re running, the Storage Class may have a different provisioner.

You can check yours by running kubectl get sc. You will see something like this:

$ kubectl get sc
elk-gp2                Delete          Immediate           false                  67d
microk8s-hostpath (default)   Delete          Immediate           false                  54d

The provisioner column displays, you must edit the file envs/local-env/storage-class.yaml and set up this provisioner.

Apply all manifests using kustomize

There are two variants of the manifest: eks and local-env. The eks manifest should be used if you are using the EKS cluster, while the local-env manifest should be used for other cluster types.

It is possible to adjust resources for the cluster by editing patches on envs/eks/ or envs/local-env/, depending on which manifest you want to deploy. You can tune CPU, memory as well as storage for persistent volumes of each of the cluster objects. This could be undone by removing these patches from the kustomization.yaml or altering the patches themselves with different values.

We can deploy the cluster with a single command by using the customization file:

  • EKS cluster

    $ kubectl apply -k envs/eks/
  • Other cluster types

    $ kubectl apply -k envs/local-env/

Verifying the deployment


$ kubectl get namespaces | grep wazuh
wazuh         Active    12m


$ kubectl get services -n wazuh
NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP        PORT(S)                          AGE
indexer               ClusterIP      xxx.yy.zzz.24    <none>             9200/TCP                         12m
dashboard             ClusterIP      xxx.yy.zzz.76    <none>             5601/TCP                         11m
wazuh                 LoadBalancer   xxx.yy.zzz.209   internal-a7a8...   1515:32623/TCP,55000:30283/TCP   9m
wazuh-cluster         ClusterIP      None             <none>             1516/TCP                         9m
Wazuh-indexer         ClusterIP      None             <none>             9300/TCP                         12m
wazuh-workers         LoadBalancer   xxx.yy.zzz.26    internal-a7f9...   1514:31593/TCP                   9m


$ kubectl get deployments -n wazuh
wazuh-dashboard  1         1         1            1           11m


$ kubectl get statefulsets -n wazuh
NAME                   READY   AGE
wazuh-indexer          3/3     15m
wazuh-manager-master   1/1     15m
wazuh-manager-worker   2/2     15m


$ kubectl get pods -n wazuh
NAME                              READY     STATUS    RESTARTS   AGE
wazuh-indexer-0                   1/1       Running   0          15m
wazuh-dashboard-f4d9c7944-httsd   1/1       Running   0          14m
wazuh-manager-master-0            1/1       Running   0          12m
wazuh-manager-worker-0-0          1/1       Running   0          11m
wazuh-manager-worker-1-0          1/1       Running   0          11m

Accessing Wazuh dashboard

In case you created domain names for the services, you should be able to access the dashboard using the proposed domain name: Cloud providers usually provide an external IP address or hostname for direct access to the dashboard. This can be viewed by checking the services:

$ kubectl get services -o wide -n wazuh
 NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP                      PORT(S)                          AGE       SELECTOR
 dashboard             LoadBalancer                   80:31831/TCP,443:30974/TCP       15m       app=wazuh-dashboard

Optional: On a local cluster deployment where the external IP address is not accessible, you can use port-forward:

$ kubectl -n wazuh port-forward service/dashboard 8443:443

The Wazuh dashboard will be accessible on https://localhost:8443.

The default credentials are admin:SecretPassword.


Wazuh agents are designed to monitor hosts. To start using them:

  1. Install the agent.

  2. Enroll the agent by modifying the file /var/ossec/etc/ossec.conf. Change the “transport protocol” to TCP and replace the MANAGER_IP with the external IP address of the service pointing to port 1514 or with the hostname provided by the cloud provider

To learn more about registering agents, see the Wazuh agent enrollment section of the documentation.