Splunk app for Wazuh

Wazuh app for Splunk offers a UI to visualize Wazuh alerts and Wazuh API data. Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.


  1. Download the latest Splunk app for Wazuh:
curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/3.x/splunkapp/v3.7.1_7.2.1.tar.gz
  1. Install the Splunk app for Wazuh:

The app uses the /SplunkAppForWazuh/default/indexes.conf file to create an index named ‘wazuh’ and /SplunkAppForWazuh/default/inputs.conf file to listen to forwarded data on port 9997.

  1. CLI mode:
# /opt/splunk/bin/splunk install app SplunkAppForWazuh.tar.gz
# /opt/splunk/bin/splunk restart
  1. Web GUI:
Apps -> Manage apps -> Install app from file
  1. Open Splunk in your desired browser and click on the Wazuh app icon:
  1. The app will redirect you to the Settings tab, where you need to fill in the form with your Wazuh API credentials. Use the URL and port from your Wazuh API server.

By default, the API port is 55000. The default username and password is foo:bar.


You can get more information about how to set up the credentials at Securing the Wazuh API.

Now that you’ve finished installing Splunk app for Wazuh, you can setup forwarders following the next page.