The Wazuh server is in charge of analyzing the data received from the Wazuh agents, triggering alerts when threats or anomalies are detected. It is also used to manage the agents' configuration remotely and to monitor their status. If you want to learn more about Wazuh components, check the Getting started section.
You can install the Wazuh server on a single host. Alternatively, you can install it distributed in multiple nodes in a cluster configuration. Multi-node configurations provide high availability and improved performance. And if combined with a network load balancer an efficient use of its capacity can be achieved.
Check the requirements below and choose an installation method to start installing the Wazuh server.
Wazuh installation assistant: Install this component by running an assistant that automates the installation and configuration process.
Step-by-step installation: Install this component following detailed step-by-step instructions.
Check the supported operating systems and the recommended hardware requirements for the Wazuh server installation. Make sure that your system environment meets all requirements and that you have root user privileges.
Wazuh can be installed on a 64-bit Linux operating system. Wazuh supports the following operating system versions:
Amazon Linux 2
CentOS 7, 8
Red Hat Enterprise Linux 7, 8, 9
Ubuntu 16.04, 18.04, 20.04, 22.04
The Wazuh server can be installed as a single-node or as a multi-node cluster.
Disk space requirements
The amount of data depends on the generated alerts per second (APS). This table details the estimated disk space needed per agent to store 90 days of alerts on a Wazuh server, depending on the type of monitored endpoints.
APSStorage in Wazuh Manager(GB/90 days)
For example, for an environment with 80 workstations, 10 servers, and 10 network devices, the storage needed on the Wazuh server for 90 days of alerts is 6 GB.
To determine if a Wazuh server requires more resources, monitor these files:
/var/ossec/var/run/wazuh-analysisd.state: the variable
events_droppedindicates whether events are being dropped due to lack of resources.
/var/ossec/var/run/wazuh-remoted.state: the variable
discarded_countindicates if messages from the agents were discarded.
These two variables should be zero if the environment is working properly. If it is not the case, additional nodes can be added to the cluster.