Clone this repository to deploy the necessary services and pods.

$ git clone -b v4.8.0 --depth=1
$ cd wazuh-kubernetes

Setup SSL certificates

You can generate self-signed certificates for the Wazuh indexer cluster using the script at wazuh/certs/indexer_cluster/ or provide your own.

You can generate self-signed certificates for the Wazuh dashboard cluster using the script at wazuh/certs/dashboard_http/ or provide your own.

The required certificates are imported via secretGenerator on the kustomization.yml file:

    - name: indexer-certs
        - certs/indexer_cluster/root-ca.pem
        - certs/indexer_cluster/node.pem
        - certs/indexer_cluster/node-key.pem
        - certs/indexer_cluster/dashboard.pem
        - certs/indexer_cluster/dashboard-key.pem
        - certs/indexer_cluster/admin.pem
        - certs/indexer_cluster/admin-key.pem
        - certs/indexer_cluster/filebeat.pem
        - certs/indexer_cluster/filebeat-key.pem
    - name: dashboard-certs
        - certs/dashboard_http/cert.pem
        - certs/dashboard_http/key.pem
        - certs/indexer_cluster/root-ca.pem

Setup storage class (optional for non-EKS cluster)

Depending on the type of cluster you’re running, the Storage Class may have a different provisioner.

You can check yours by running kubectl get sc. You will see something like this:

$ kubectl get sc
elk-gp2                Delete          Immediate           false                  67d
microk8s-hostpath (default)   Delete          Immediate           false                  54d

The provisioner column displays, you must edit the file envs/local-env/storage-class.yaml and set up this provisioner.

Apply all manifests using kustomize

There are two variants of the manifest: eks and local-env. The eks manifest should be used if you are using the EKS cluster, while the local-env manifest should be used for other cluster types.

It is possible to adjust resources for the cluster by editing patches on envs/eks/ or envs/local-env/, depending on which manifest you want to deploy. You can tune CPU, memory as well as storage for persistent volumes of each of the cluster objects. This could be undone by removing these patches from the kustomization.yaml or altering the patches themselves with different values.

We can deploy the cluster with a single command by using the customization file:

  • EKS cluster

    $ kubectl apply -k envs/eks/
  • Other cluster types

    $ kubectl apply -k envs/local-env/

Verifying the deployment


$ kubectl get namespaces | grep wazuh
wazuh         Active    12m


$ kubectl get services -n wazuh
NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP        PORT(S)                          AGE
indexer               ClusterIP      xxx.yy.zzz.24    <none>             9200/TCP                         12m
dashboard             ClusterIP      xxx.yy.zzz.76    <none>             5601/TCP                         11m
wazuh                 LoadBalancer   xxx.yy.zzz.209   internal-a7a8...   1515:32623/TCP,55000:30283/TCP   9m
wazuh-cluster         ClusterIP      None             <none>             1516/TCP                         9m
Wazuh-indexer         ClusterIP      None             <none>             9300/TCP                         12m
wazuh-workers         LoadBalancer   xxx.yy.zzz.26    internal-a7f9...   1514:31593/TCP                   9m


$ kubectl get deployments -n wazuh
wazuh-dashboard  1         1         1            1           11m


$ kubectl get statefulsets -n wazuh
NAME                   READY   AGE
wazuh-indexer          3/3     15m
wazuh-manager-master   1/1     15m
wazuh-manager-worker   2/2     15m


$ kubectl get pods -n wazuh
NAME                              READY     STATUS    RESTARTS   AGE
wazuh-indexer-0                   1/1       Running   0          15m
wazuh-dashboard-f4d9c7944-httsd   1/1       Running   0          14m
wazuh-manager-master-0            1/1       Running   0          12m
wazuh-manager-worker-0-0          1/1       Running   0          11m
wazuh-manager-worker-1-0          1/1       Running   0          11m

Accessing Wazuh dashboard

In case you created domain names for the services, you should be able to access the dashboard using the proposed domain name: Cloud providers usually provide an external IP address or hostname for direct access to the dashboard. This can be viewed by checking the services:

$ kubectl get services -o wide -n wazuh
 NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP                      PORT(S)                          AGE       SELECTOR
 dashboard             LoadBalancer                   80:31831/TCP,443:30974/TCP       15m       app=wazuh-dashboard

Optional: On a local cluster deployment where the external IP address is not accessible, you can use port-forward:

$ kubectl -n wazuh port-forward --address <INTERFACE_IP_ADDRESS> service/dashboard 8443:443

Where <INTERFACE_IP_ADDRESS> is the IP address of the Kubernetes host.

The Wazuh dashboard is accessible on https://<INTERFACE_IP_ADDRESS>:8443.

The default credentials are admin:SecretPassword.

Change the password of Wazuh users

To improve security, you can change the default password of the Wazuh users. There are two types of Wazuh users:

  • Wazuh indexer users

  • Wazuh API users

Wazuh indexer users

To change the password of the default admin and kibanaserver users, do the following.


If you have custom users, add them to the internal_users.yml file. Otherwise, executing this procedure deletes them.

Closing your Wazuh dashboard session

Before starting the password change process, we recommend to log out of your Wazuh dashboard session.

If you don't log out, persistent session cookies might cause errors when accessing Wazuh after changing user passwords.

Setting a new hash

  1. Start a Bash shell in wazuh-indexer-0.

    # kubectl exec -it wazuh-indexer-0 -n wazuh -- /bin/bash
  2. Run these commands to generate the hash of your new password. When prompted, input the new password and press Enter.

    wazuh-indexer@wazuh-indexer-0:~$ export JAVA_HOME=/usr/share/wazuh-indexer/jdk
    wazuh-indexer@wazuh-indexer-0:~$ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/
  3. Copy the generated hash and exit the Bash shell.

  4. Open the wazuh/indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml file. Locate the block for the user you are changing password for.

  5. Replace the hash.

    • admin user

          hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
          reserved: true
          - "admin"
          description: "Demo admin user"
    • kibanaserver user

          hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
          reserved: true
          description: "Demo kibanaserver user"

Setting the new password


Don't use the $ or & characters in your new password. These characters can cause errors during deployment.

  1. Encode your new password in base64 format. Avoid inserting a trailing newline character to maintain the hash value. For example, use the -n option with the echo command as follows.

    # echo -n "NewPassword" | base64
  2. Edit the indexer or dashbboard secrets configuration file as follows. Replace the value of the password field with your new encoded password.

    • To change the admin user password, edit the wazuh/secrets/indexer-cred-secret.yaml file.

      apiVersion: v1
      kind: Secret
          name: indexer-cred
          username: YWRtaW4=              # string "admin" base64 encoded
          password: U2VjcmV0UGFzc3dvcmQ=  # string "SecretPassword" base64 encoded
    • To change the kibanaserver user password, edit the wazuh/secrets/dashboard-cred-secret.yaml file.

      apiVersion: v1
      kind: Secret
          name: dashboard-cred
          username: a2liYW5hc2VydmVy  # string "kibanaserver" base64 encoded
          password: a2liYW5hc2VydmVy  # string "kibanaserver" base64 encoded

Applying the changes

  1. Apply the manifest changes

    • EKS cluster

      # kubectl apply -k envs/eks/
    • Other cluster types

      # kubectl apply -k envs/local-env/
  2. Start a bash shell in wazuh-indexer-0 once more.

    # kubectl exec -it wazuh-indexer-0 -n wazuh -- /bin/bash
  3. Set the following variables:

    export INSTALLATION_DIR=/usr/share/wazuh-indexer
    export JAVA_HOME=/usr/share/wazuh-indexer/jdk
  4. Wait for the Wazuh indexer to initialize properly. The waiting time can vary from two to five minutes. It depends on the size of the cluster, the assigned resources, and the speed of the network. Then, run the script to apply all changes.

    $ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/ -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert  $CACERT -cert $CERT -key $KEY -p 9200 -icl -h $NODE_NAME
  5. Delete all Wazuh manager pods to update the component credentials.

    $ kubectl delete -n wazuh pod/wazuh-manager-master-0 pod/wazuh-manager-worker-0 pod/wazuh-manager-worker-1
  6. Login with the new credentials on the Wazuh dashboard.

Wazuh API users

The wazuh-wui user is the user to connect with the Wazuh API by default. Follow these steps to change the password.


The password for Wazuh API users must be between 8 and 64 characters long. It must contain at least one uppercase and one lowercase letter, a number, and a symbol.

  1. Encode your new password in base64 format. Avoid inserting a trailing newline character to maintain the hash value. For example, use the -n option with the echo command as follows.

    # echo -n "NewPassword" | base64
  2. Edit the wazuh/secrets/wazuh-api-cred-secret.yaml file and replace the value of the password field.

    apiVersion: v1
    kind: Secret
        name: wazuh-api-cred
        namespace: wazuh
        username: d2F6dWgtd3Vp          # string "wazuh-wui" base64 encoded
        password: UGFzc3dvcmQxMjM0LmE=  # string "MyS3cr37P450r.*-" base64 encoded
  3. Apply the manifest changes.

    # kubectl apply -k envs/eks/
  4. Restart pods for Wazuh dashboard and Wazuh manager master.


Wazuh agents are designed to monitor hosts. To start using them:

  1. Install the agent.

  2. Enroll the agent by modifying the file /var/ossec/etc/ossec.conf. Change the “transport protocol” to TCP and replace the MANAGER_IP with the external IP address of the service pointing to port 1514 or with the hostname provided by the cloud provider

To learn more about registering agents, see the Wazuh agent enrollment section of the documentation.