Wazuh indexer

The Wazuh indexer is a highly scalable, full-text search and analytics engine. This Wazuh central component indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. If you want to learn more about Wazuh components, check the Getting started section.

You can install the Wazuh indexer on a single host. Alternatively, you can distribute it across multiple nodes in a cluster configuration, which provides scalability, high availability, and improved performance.

Check the requirements below and choose an installation method to start installing the Wazuh indexer.

Requirements

Check the supported operating systems and the recommended hardware requirements for the Wazuh indexer installation. Make sure that your system environment meets all requirements and that you have root user privileges.

Hardware recommendations

The Wazuh indexer can be installed as a single node or as a multi-node cluster.

  • Hardware recommendations for each node

    Component        Minimum                    Recommended
                     RAM (GB)   CPU (cores)     RAM (GB)   CPU (cores)
    Wazuh indexer    4          2               16         8

  • Disk space requirements

    The amount of data depends on the generated alerts per second (APS). This table details the estimated disk space needed per agent to store 90 days of alerts on a Wazuh indexer server, depending on the type of monitored endpoints.

    Monitored endpoints   APS    Storage in Wazuh indexer (GB/90 days)
    Servers               0.25   3.7
    Workstations          0.1    1.5
    Network devices       0.5    7.4

    For example, for an environment with 80 workstations, 10 servers, and 10 network devices, the storage needed on the Wazuh indexer server for 90 days of alerts is 230 GB.