Installing the Wazuh dashboard step by step
Install and configure the Wazuh dashboard following step-by-step instructions. The Wazuh dashboard is a web interface for mining and visualizing the Wazuh server alerts and archived events.
Note
You need root user privileges to run all the commands described below.
Wazuh dashboard installation
Installing package dependencies
Install the following packages if missing.
# apt-get install debhelper tar curl libcap2-bin #debhelper version 9 or later
# yum install libcap
# dnf install libcap
Adding the Wazuh repository
Note
If you are installing the Wazuh dashboard on the same host as the Wazuh indexer or the Wazuh server, you may skip these steps as you may have added the Wazuh repository already.
Install the following packages if missing.
# apt-get install gnupg apt-transport-https
Install the GPG key.
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository.
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the packages information.
# apt-get update
Import the GPG key.
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository.
For RHEL-compatible systems version 8 and earlier, use the following command:
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
For RHEL-compatible systems version 9 and later, use the following command:
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\npriority=1' | tee /etc/yum.repos.d/wazuh.repo
Import the GPG key.
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository.
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\npriority=1' | tee /etc/yum.repos.d/wazuh.repo
Installing the Wazuh dashboard
Install the Wazuh dashboard package.
# apt-get -y install wazuh-dashboard
# yum -y install wazuh-dashboard
# dnf -y install wazuh-dashboard
Configuring the Wazuh dashboard
Edit the
/etc/wazuh-dashboard/opensearch_dashboards.ymlfile and replace the following values:
server.host: This setting specifies the host of the Wazuh dashboard server. To allow remote users to connect, set the value to the IP address or DNS name of the Wazuh dashboard server. The value0.0.0.0will accept all the available IP addresses of the host.
opensearch.hosts: The URLs of the Wazuh indexer instances to use for all your queries. The Wazuh dashboard can be configured to connect to multiple Wazuh indexer nodes in the same cluster. The addresses of the nodes can be separated by commas. For example,["https://10.0.0.2:9200", "https://10.0.0.3:9200","https://10.0.0.4:9200"]server.host: 0.0.0.0 server.port: 443 opensearch.hosts: https://localhost:9200 opensearch.ssl.verificationMode: certificate
Note
Firewalls can block communication between Wazuh components on different hosts. Refer to the Required ports section and ensure the necessary ports are open.
Deploying certificates
Note
Make sure that a copy of the
wazuh-certificates.tarfile, created during the initial configuration step, is placed in your working directory.
Replace
<DASHBOARD_NODE_NAME>with your Wazuh dashboard node name, the same one used inconfig.ymlto create the certificates, and move the certificates to their corresponding location.# NODE_NAME=<DASHBOARD_NODE_NAME># mkdir /etc/wazuh-dashboard/certs # tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem # mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem # mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem # chmod 500 /etc/wazuh-dashboard/certs # chmod 400 /etc/wazuh-dashboard/certs/* # chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
Starting the Wazuh dashboard service
Enable and start the Wazuh dashboard service.
# systemctl daemon-reload # systemctl enable wazuh-dashboard # systemctl start wazuh-dashboard
Choose one option according to your operating system:
RPM-based operating system:
# chkconfig --add wazuh-dashboard # service wazuh-dashboard start
Debian-based operating system:
# update-rc.d wazuh-dashboard defaults 95 10 # service wazuh-dashboard start
Edit the
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.ymlfile and replace theurlvalue with the IP address or hostname of the Wazuh server master node.hosts: - default: url: https://<WAZUH_SERVER_IP_ADDRESS> port: 55000 username: wazuh-wui password: wazuh-wui run_as: false
Access the Wazuh web interface with your
adminuser credentials. This is the default administrator account for the Wazuh indexer and it allows you to access the Wazuh dashboard.URL:
https://<WAZUH_DASHBOARD_IP_ADDRESS>Username:
adminPassword:
admin
When you access the Wazuh dashboard for the first time, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser. For increased security, the
root-ca.pemfile previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.
Note
Recommended Action: Disable Wazuh Updates.
We recommend disabling the Wazuh package repositories after installing all components on this server to prevent accidental upgrades.
Execute the following command only after completing all installations:
# sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
# apt update
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
Securing your Wazuh installation
You have now installed and configured all the Wazuh central components. We recommend changing the default credentials to protect your infrastructure from possible attacks.
Select your deployment type and follow the instructions to change the default passwords for both the Wazuh API and the Wazuh indexer users.
Use the Wazuh passwords tool to change all the internal users' passwords.
# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --api --change-all --admin-user wazuh --admin-password wazuh
INFO: The password for user admin is yWOzmNA.?Aoc+rQfDBcF71KZp?1xd7IO INFO: The password for user kibanaserver is nUa+66zY.eDF*2rRl5GKdgLxvgYQA+wo INFO: The password for user kibanaro is 0jHq.4i*VAgclnqFiXvZ5gtQq1D5LCcL INFO: The password for user logstash is hWW6U45rPoCT?oR.r.Baw2qaWz2iH8Ml INFO: The password for user readall is PNt5K+FpKDMO2TlxJ6Opb2D0mYl*I7FQ INFO: The password for user snapshotrestore is +GGz2noZZr2qVUK7xbtqjUup049tvLq. WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services. INFO: The password for Wazuh API user wazuh is JYWz5Zdb3Yq+uOzOPyUU4oat0n60VmWI INFO: The password for Wazuh API user wazuh-wui is +fLddaCiZePxh24*?jC0nyNmgMGCKE+2 INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.
On any Wazuh indexer node, use the Wazuh passwords tool to change the passwords of the Wazuh indexer users.
# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all
INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed. INFO: The password for user admin is wcAny.XUwOVWHFy.+7tW9l8gUW1L8N3j INFO: The password for user kibanaserver is qy6fBrNOI4fD9yR9.Oj03?pihN6Ejfpp INFO: The password for user kibanaro is Nj*sSXSxwntrx3O7m8ehrgdHkxCc0dna INFO: The password for user logstash is nQg1Qw0nIQFZXUJc8r8+zHVrkelch33h INFO: The password for user readall is s0iWAei?RXObSDdibBfzSgXdhZCD9kH4 INFO: The password for user snapshotrestore is Mb2EHw8SIc1d.oz.nM?dHiPBGk7s?UZB WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
On your Wazuh server master node, download the Wazuh passwords tool and use it to change the passwords of the Wazuh API users.
# curl -sO https://packages.wazuh.com/4.12/wazuh-passwords-tool.sh # bash wazuh-passwords-tool.sh --api --change-all --admin-user wazuh --admin-password wazuh
INFO: The password for Wazuh API user wazuh is ivLOfmj7.jL6*7Ev?UJoFjrkGy9t6Je. INFO: The password for Wazuh API user wazuh-wui is fL+f?sFRPEv5pYRE559rqy9b6G4Z5pVi
On all your Wazuh server nodes, run the following command to update the admin password in the Filebeat keystore. Replace
<ADMIN_PASSWORD>with the random password generated in the first step.# echo <ADMIN_PASSWORD> | filebeat keystore add password --stdin --force
Restart Filebeat to apply the change.
# systemctl restart filebeat
# service filebeat restart
Note
Repeat steps 3 and 4 on every Wazuh server node.
On your Wazuh dashboard node, run the following command to update the kibanaserver password in the Wazuh dashboard keystore. Replace
<KIBANASERVER_PASSWORD>with the random password generated in the first step.# echo <KIBANASERVER_PASSWORD> | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
Update the
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.ymlconfiguration file with the new wazuh-wui password generated in the second step.hosts: - default: url: https://127.0.0.1 port: 55000 username: wazuh-wui password: "<WAZUH_WUI_PASSWORD>" run_as: false
Restart the Wazuh dashboard to apply the changes.
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Next steps
All the Wazuh central components are successfully installed and secured.
The Wazuh environment is now ready, and you can proceed with installing the Wazuh agent on the endpoints to be monitored. To perform this action, see the Wazuh agent section.
If you want to uninstall the Wazuh dashboard, see Uninstall the Wazuh dashboard.