Wazuh indexer

The Wazuh indexer is a highly scalable, full-text search and analytics engine. This Wazuh central component indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. The Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability.

The Wazuh indexer stores data as JSON documents. Each document maps a set of keys (also called field names or properties) to their corresponding values, which can be strings, numbers, Boolean values, dates, arrays of values, geolocations, or other types of data.

An index is a collection of related documents. The documents stored in the Wazuh indexer are distributed across different containers known as shards. By splitting the documents of an index across multiple shards and spreading those shards over several nodes, the Wazuh indexer can ensure redundancy. This protects your system against hardware failures and increases query capacity as nodes are added to a cluster.
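The redundancy the paragraph above describes depends on where shard copies land. The following is an added example, not Wazuh's or OpenSearch's own code: it uses a deliberately simplified allocator (an assumption, round-robin placement with the real allocator's rule that a replica never shares a node with its primary) to show why a single-node cluster cannot hold replicas and why an index without replicas loses data when a node fails. The setting names in index_settings are the OpenSearch ones the indexer accepts.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import List, Optional

@dataclass
class ShardCopy:
    shard: int            # shard number within the index
    primary: bool         # True for the primary copy, False for a replica
    node: Optional[str]   # node holding the copy; None means unassigned

def index_settings(num_shards: int, num_replicas: int) -> dict:
    """Create-index body using the OpenSearch setting names the indexer accepts."""
    return {"settings": {"index": {"number_of_shards": num_shards,
                                   "number_of_replicas": num_replicas}}}

def allocate(num_shards: int, num_replicas: int, nodes: List[str]) -> List[ShardCopy]:
    """Simplified allocator (an assumption, not OpenSearch's own): primaries go
    round-robin over the nodes; each replica goes to a node that does not already
    hold a copy of that shard, or stays unassigned if no such node is left."""
    copies: List[ShardCopy] = []
    ring = cycle(nodes)
    for s in range(num_shards):
        primary_node = next(ring)
        copies.append(ShardCopy(s, True, primary_node))
        used = {primary_node}
        for _ in range(num_replicas):
            free = [n for n in nodes if n not in used]
            node = free[s % len(free)] if free else None
            if node is not None:
                used.add(node)
            copies.append(ShardCopy(s, False, node))
    return copies

def unassigned(copies: List[ShardCopy]) -> int:
    """Replica copies the cluster could not place (cluster health goes yellow)."""
    return sum(1 for c in copies if c.node is None)

def survives_node_loss(copies: List[ShardCopy], failed: str) -> bool:
    """True if every shard keeps an assigned copy after `failed` goes down."""
    alive = {c.shard for c in copies if c.node not in (None, failed)}
    return alive == {c.shard for c in copies}

if __name__ == "__main__":
    # Constructed clusters: three indexer nodes versus a single node, same index.
    for nodes in (["indexer-1", "indexer-2", "indexer-3"], ["indexer-1"]):
        plan = allocate(3, 1, nodes)
        print(len(nodes), "node(s):", unassigned(plan), "unassigned,",
              "survives loss of indexer-1:", survives_node_loss(plan, "indexer-1"))
```

With three nodes and one replica every shard survives the loss of any single node; with one node the replicas stay unassigned and losing that node makes every shard unreachable.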

The diagram below shows a Wazuh indexer cluster:

(Image: Wazuh indexer cluster)

Wazuh uses several types of indices to store different event types. For details, see the Wazuh indexer indices section of the documentation.

The Wazuh indexer is well-suited for time-sensitive use cases like security analytics and infrastructure monitoring, as it is a near real-time search platform. The latency from the time a document is indexed until it becomes searchable is very short, typically one second.

In addition to its speed, scalability, and resiliency, the Wazuh indexer has several built-in features that make storing and searching data even more efficient, such as data roll-ups, alerting, anomaly detection, and index lifecycle management.

Visit the installation guide and user manual for more information about the Wazuh indexer.