The Wazuh app for Splunk provides a UI to visualize Wazuh alerts and Wazuh API data. Wazuh gives you deeper security visibility into your infrastructure by monitoring hosts at the operating system and application level.
Download the latest Wazuh app for Splunk. The file name encodes the Wazuh version (4.2.5) and the Splunk version (8.2.2) the package was built for, so pick the build that matches your Splunk deployment:
# curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/4.x/ui/splunk/wazuh_splunk-4.2.5_8.2.2-1.tar.gz
Install the Wazuh app for Splunk:
Open Splunk in a browser and click the Wazuh app icon:
The app redirects you to the Settings tab. Fill in the form with the URL, port and credentials of your Wazuh API server.
By default, the Wazuh API listens on port 55000. The default username and password are the ones the Wazuh API ships with; change them before exposing the API beyond a lab, since anyone who can reach port 55000 with those defaults can query and reconfigure the manager.
Once the API entry is added, test it with the Check connection button on that entry. A success message appears in the bottom right corner when the connection is established.
You can get more information about how to set up the credentials at Securing the Wazuh API.
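The same check the Check connection button performs can be done from a shell, which is useful when the app reports a failure and you want to separate an API problem from a Splunk one. The script below is an added example, not the app's own code: it authenticates against the Wazuh API 4.x token endpoint (/security/user/authenticate?raw=true) and then requests GET /. CURL and TLS_OPTS are hypothetical knobs of this script, and the host and port in the usage line are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the Wazuh app's own code: the "Check connection" step done
# from a shell against the Wazuh API 4.x. Assumptions (mine, not the page's):
# CURL and TLS_OPTS are knobs of this script only; the API listens on
# https://<host>:55000 as the page states.
set -eu

: "${CURL:=curl}"   # command used for HTTP requests; overridable for testing
: "${TLS_OPTS:=}"   # e.g. "--cacert /path/to/wazuh-api-ca.pem"; "-k" only in a lab

# Obtain a JWT for the API. $1 = base URL, $2 = user, $3 = password. Prints the token.
# -f makes curl fail (exit 22) on a 401, so a wrong password is caught by the caller.
wazuh_api_token() {
  "$CURL" -s -f $TLS_OPTS -u "$2:$3" -X POST "$1/security/user/authenticate?raw=true"
}

# Return 0 when GET / answers HTTP 200 for the obtained token, 1 otherwise.
wazuh_api_check() {
  token=$(wazuh_api_token "$1" "$2" "$3") || {
    echo "authentication failed for $2 at $1" >&2
    return 1
  }
  code=$("$CURL" -s $TLS_OPTS -o /dev/null -w '%{http_code}' \
         -H "Authorization: Bearer $token" "$1/")
  [ "$code" = "200" ]
}

# Usage (placeholder host): wazuh_api_check https://10.0.0.5:55000 wazuh 'password'
```

Two practical notes. Passing the password as an argument puts it in the process list and shell history; for anything beyond a one-off check, give curl only `-u user` so it prompts, or use a netrc file. And if the check succeeds with the default username and password, that is the moment to change them, as the Securing the Wazuh API page describes.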
Once the Wazuh app for Splunk is installed, the next step is installing and configuring the Splunk forwarder.
To configure the index and source type used by the app, go to Settings/Index.
The default index is wazuh. The app treats any index whose name contains the word wazuh as valid. For the source type, use the value configured for the forwarder in the installation guide; the app only finds alerts whose source type matches it.
You can also select the API, index and source type from the Quick settings menu.
The Wazuh app for Splunk can be installed on each search head manually, but with hundreds or even thousands of search heads it is more convenient to install it automatically.
For this purpose the deployer is used: a machine that pushes the Wazuh app for Splunk to every search head at once.
Install the Wazuh app for Splunk on the deployer machine and follow these steps:
Copy the Wazuh app for Splunk into the Splunk cluster folder:
# cp -r installation_path/SplunkAppForWazuh /opt/splunk/etc/shcluster/apps
Create the outputs.conf file that tells the search heads which indexers to send their data to:
# touch /opt/splunk/etc/shcluster/apps/SplunkAppForWazuh/default/outputs.conf
Fill outputs.conf with the following stanzas:
[indexer_discovery:cluster1]
pass4SymmKey = changeme
master_uri = https://<master_ip>:<management_port>

[tcpout:cluster1_tcp]
indexerDiscovery = cluster1

[tcpout]
defaultGroup = cluster1_tcp
The indexerDiscovery attribute makes the search heads learn the indexer peer nodes from the cluster master instead of listing them statically. More information about it can be found in the Splunk documentation for outputs.conf.
<master_ip> is the IP address of the indexer cluster master. https is required by default and the default management port is 8089.
changeme is a placeholder: replace pass4SymmKey with the indexer discovery secret configured on the cluster master, since the master rejects discovery requests whose key does not match. The file carries that secret, so keep it readable only by the Splunk user.
Apply the changes:
# /opt/splunk/bin/splunk apply shcluster-bundle -target https://<NODE_IP>:<management_port> -auth <user>:<password>
Now /opt/splunk/etc/apps/SplunkAppForWazuh should be present on every search head.
To update the app, delete it from the deployer and reinstall it by following the previous steps. First remove the staged copy:
# rm -rf /opt/splunk/etc/shcluster/apps/SplunkAppForWazuh
Then push the bundle with the -force option, which also deletes the app from the search heads:
# /opt/splunk/bin/splunk apply shcluster-bundle -force true -target https://<NODE_IP>:<management_port> -auth <user>:<password> -f
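The deployer steps above (stage the app, write outputs.conf, push the bundle, and the remove-and-push sequence for an update) as one script. This is an added example, not code from the Wazuh or Splunk projects. It assumes SPLUNK_HOME defaults to /opt/splunk, uses the app directory name and outputs.conf stanzas from this page, and adds two things the page does not: it refuses the placeholder pass4SymmKey, and it creates outputs.conf owner-readable only. APPLY=1 is a hypothetical knob of this script that really runs splunk apply shcluster-bundle; by default the command is only printed. The IP addresses in the usage lines are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the Wazuh or Splunk projects' code: the deployer-side
# procedure from this page as shell functions. Assumptions (mine): SPLUNK_HOME
# defaults to /opt/splunk; APPLY=1 really runs "splunk apply shcluster-bundle",
# otherwise the command is printed.
set -eu

: "${SPLUNK_HOME:=/opt/splunk}"
: "${APPLY:=0}"
APP_NAME=SplunkAppForWazuh

shc_app_dir() { printf '%s\n' "$SPLUNK_HOME/etc/shcluster/apps/$APP_NAME"; }

# Copy the unpacked app into the deployer's shcluster/apps directory.
# $1 = directory holding the unpacked app (installation_path/SplunkAppForWazuh)
stage_app() {
  [ -d "$1" ] || { echo "app directory not found: $1" >&2; return 1; }
  mkdir -p "$(dirname "$(shc_app_dir)")"
  cp -r "$1" "$(shc_app_dir)"
}

# Write default/outputs.conf for indexer discovery.
# $1 = indexer master IP, $2 = management port (8089 by default), $3 = pass4SymmKey
write_outputs_conf() {
  if [ -z "$3" ] || [ "$3" = "changeme" ]; then
    echo "refusing to write outputs.conf: pass4SymmKey is still the placeholder" >&2
    return 1
  fi
  mkdir -p "$(shc_app_dir)/default"
  # The file carries the cluster secret: create it owner-readable only.
  ( umask 077; cat > "$(shc_app_dir)/default/outputs.conf" <<EOF
[indexer_discovery:cluster1]
pass4SymmKey = $3
master_uri = https://$1:$2

[tcpout:cluster1_tcp]
indexerDiscovery = cluster1

[tcpout]
defaultGroup = cluster1_tcp
EOF
  )
}

# Push the bundle to the search head cluster. $1 = any member IP, $2 = mgmt port,
# $3 = "force" to overwrite (used when updating), otherwise empty.
# No -auth is passed, so splunk prompts for credentials instead of taking the
# password from argv, where it would be visible in ps and in shell history.
apply_bundle() {
  force=""
  [ "${3:-}" = "force" ] && force="-force true "
  cmd="$SPLUNK_HOME/bin/splunk apply shcluster-bundle ${force}-target https://$1:$2"
  if [ "$APPLY" = "1" ]; then $cmd; else printf '%s\n' "$cmd"; fi
}

# Update path from the page: remove the staged copy, force-push so the old copy
# leaves every search head, then stage and push the new version.
# $1 = new unpacked app dir, $2 = member IP, $3 = mgmt port, $4 = master IP, $5 = key
reinstall_app() {
  rm -rf "$(shc_app_dir)"
  apply_bundle "$2" "$3" force
  stage_app "$1"
  write_outputs_conf "$4" "$3" "$5"
  apply_bundle "$2" "$3"
}

# Usage (placeholder addresses):
#   stage_app /tmp/SplunkAppForWazuh
#   write_outputs_conf 10.0.0.10 8089 "$(cat /root/indexer-discovery.key)"
#   APPLY=1 apply_bundle 10.0.0.20 8089
```

Reading the key from a root-only file rather than typing it keeps it out of shell history, and the placeholder check catches the common mistake of pushing the example outputs.conf unchanged, which leaves the search heads unable to authenticate to the cluster master.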