Wazuh dashboard settings

The Wazuh dashboard includes a configuration file located at /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml where you can define custom values for several options. This section describes all the settings available in this file.

The configuration file shows the default values for all of the possible options. You can edit this file, uncomment any of them, and apply the desired values. You can edit these settings from the Wazuh dashboard in Dashboard management > App Settings > Configuration.

The configuration file reference is organized into sections:

  • General options

    • pattern

    • timeout

    • ip.selector

    • ip.ignore

    • logs.level

    • hideManagerAlerts

    • alerts.sample.prefix

    • enrollment.dns

    • enrollment.password

    • cron.prefix

  • Monitoring

    • wazuh.monitoring.enabled

    • wazuh.monitoring.frequency

    • wazuh.monitoring.pattern

    • wazuh.monitoring.creation

  • Health check

    • checks.pattern

    • checks.template

    • checks.api

    • checks.setup

    • checks.fields

    • checks.metaFields

    • checks.timeFilter

    • checks.maxBuckets

  • Advanced index options

    • wazuh.monitoring.shards

    • wazuh.monitoring.replicas

  • Cron statistics

    • cron.statistics.status

    • cron.statistics.apis

    • cron.statistics.interval

    • cron.statistics.index.name

    • cron.statistics.index.creation

    • cron.statistics.shards

    • cron.statistics.index.replicas

General

hosts

Defines the list of APIs to connect with your Wazuh managers.

hosts:
    - <host_id/host_name>:
        url: http(s)://<WAZUH_MANAGER_IP>
        port: <port>
        username: <username>
        password: <password>

Note

It is required to specify at least one host.

This is an example of a multi-host configuration:

hosts:
    - wazuh_prod:
        url: https://wazuh.com
        port: 55000
        username: wazuh-wui
        password: secret_password
        run_as: false
    - wazuh_test:
        url: https://localhost
        port: 55000
        username: wazuh-wui
        password: wazuh-wui
        run_as: false

The following table shows the configuration options for the Wazuh dashboard:

Configuration name

Description

Default value

Allowed values

General options

pattern

The property defines the default index pattern to use on the Wazuh dashboard. If there is no valid index pattern specified, the Wazuh dashboard automatically creates one with the name indicated in this option.

wazuh-alerts-*

Any valid index pattern

timeout

This property defines the maximum time (in milliseconds) the Wazuh dashboard will wait for an API response when making requests to it. Setting a value under 1500 milliseconds will be ignored and the dashboard will use the default value instead.

20000

Any number starting from 1500

ip.selector

This property defines if a user can change the selected index pattern directly from the top menu bar on the Wazuh dashboard WUI.

true

true, false

ip.ignore

This property is used to disable certain index pattern names from being available in the index pattern selector on the Wazuh dashboard. An empty list (the default value) won't ignore any valid index pattern.

[]

Array of strings. Eg: ["wazuh-archives-*"]

hideManagerAlerts

This property controls if the Wazuh manager alerts in the dashboard visualizations are visible or not. A value of false displays the Wazuh manager alerts on dashboard visualizations.

false

true, false

alerts.sample.prefix

This property defines the index name prefix of sample alerts. It must match the template used by the index pattern to avoid unknown fields in dashboards.

wazuh-alerts-4.x-

Any valid index pattern

enrollment.dns

This property specifies the Wazuh registration server used for Wazuh agent enrollment.

' '

Any string

enrollment.password

This property specifies the password used to authenticate during the agent enrollment. enrollment.password takes a higher precedence over authd.pass agent enrollment password set on the Wazuh manager. When both values are set, the value of enrollment.password will be used instead.

' '

Any string

cron.prefix

This property defines the index prefix of predefined cron jobs. The predefined jobs are the statistics monitoring jobs.

wazuh

Any string

Monitoring

wazuh.monitoring.enabled

Enables or disables the wazuh-monitoring index creation and/or visualization:

  • When the value is set to true, the Wazuh dashboard will show the Agents connection states visualization and will insert monitoring-related data.

  • When the value is set to false, the Wazuh dashboard won't show the visualization and won't insert monitoring-related data.

True

Warning

The Wazuh dashboard user interface allows selecting either true or false option.

true,false

wazuh.monitoring.frequency

This property defines the frequency (in seconds) of API requests to get the state of the agents to create a new document in the wazuh-monitoring-* index with the returned data. Warning: Although the minimum value can be 60, we recommend adjusting it to at least 300 seconds to avoid overloading resources due to the excessive creation of documents into the index.

900

Warning

Although the minimum value can be 60, we recommend adjusting it to at least 300 seconds to avoid overloading resources due to the excessive creation of documents into the index.

Any number starting from 60

wazuh.monitoring.pattern

This property defines the index pattern to use for Wazuh dashboard monitoring tasks. This setting does not remove any existing patterns or templates, it only updates the Wazuh dashboard to add new ones.

wazuh-monitoring-*

Any valid index pattern

wazuh.monitoring.creation

This property configures wazuh-monitoring-* indices custom creation interval.

w

h (hourly), d (daily), w (weekly), m (monthly)

Health checks

checks.pattern

This property enables or disables the index pattern health check when opening the Wazuh dashboard. If set to false, index patterns will not be checked during the Wazuh healthcheck.

true

true, false

checks.template

This property enables or disables the template health check when opening the Wazuh dashboard. It checks to see if the defined index has a valid template. Set this value to false if you do not want the index template to be validated when opening the Wazuh dashboard.

true

true, false

checks.api

This property enables or disables the Wazuh server API health check when opening the Wazuh dashboard. Set the value of this property to false if you do not require this check when opening the dashboard.

true

true, false

checks.setup

This property enables or disables the setup health check when opening the Wazuh dashboard. It checks that the Wazuh server version is compatible with the plugin version. Setting this value to false might cause the dashboard to fail if there is a compatibility issue between the dashboard plugins and Wazuh server.

true

true, false

checks.fields

This property enables or disables the known fields health check when opening the Wazuh dashboard. Known fields refer to the fields in your indexed documents that the indexer has identified, mapped, and available for querying.

true

true, false

checks.metaFields

Meta fields are special fields that provide additional metadata about indexed documents such as the _index and _id. This property enables or disables the metaFields health check when opening the Wazuh dashboard.

true

true, false

checks.timeFilter

This property enables or disables the timeFilter health check when opening the Wazuh dashboard. It checks to ensure a value is set for the dashboard time filter. The time filter is used to set the time range of data displayed on the dashboard.

true

true, false

checks.maxBuckets

This property enables or disables the maxBuckets health check when opening the Wazuh dashboard. It checks to ensure that the maximum number of buckets that a single aggregation request can create is at optimal levels. This helps to prevent excessive memory usage and potential out-of-memory errors.

true

true, false

Advanced index options

Warning

These options are only valid if they're modified before starting the Wazuh dashboard for the first time

You can read more about configuring the shards and replicas in Wazuh indexer tuning.

wazuh.monitoring.shards

This defines the number of shards to use for the wazuh-monitoring-* indices.

1

Any number starting from 1

wazuh.monitoring.replicas

This property defines the number of replicas to use for the wazuh-monitoring-* indices.

0

Any number starting from 0

Cron statistics

cron.statistics.status

This property enables or disables the statistics tasks. If enabled, it allows the statistics task to run, which is to fetch statistics information from the Wazuh server and index it in indexes.

true

true, false

cron.statistics.apis

Use this property to configure the IP of the hosts you want to save statistical data from and leave this empty to run the task on every host.

[ ]

Array of APIs

cron.statistics.interval

This defines the frequency of task execution using cron schedule expressions.

0 */5 * * * *

Any cron expressions

cron.statistics.index.name

This defines the name of the index in which the statistics documents will be saved.

statistics

Any valid index pattern

cron.statistics.index.creation

This property defines the interval in which a new index (as specified in the cron.statistics.index.name property) will be created. More frequent index creation can quickly fill up storage.

w

h (hourly), d (daily), w (weekly), m (monthly)

cron.statistics.shards

This property defines the number of shards to use for the statistics indices.

1

Any number starting from 1

cron.statistics.index.replicas

This property is used to define the number of replicas to use for the statistics indices. On default, no replicas are created for the statistics indices.

0

Any number starting from 0

Example

This is an example of the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration:

#General options

hosts:
    - env-1:
        url: https://env-1.example
        port: 55000
        username: wazuh-wui
        password: wazuh-wui
        run_as: true
    - env-2:
        url: https://env-2.example
        port: 55000
        username: wazuh-wui
        password: wazuh-wui
        run_as: true

pattern: 'wazuh-alerts-*'
timeout: 20000
ip.selector: true
ip.ignore: []
logs.level: info
hideManagerAlerts: true
alerts.sample.prefix: wazuh-alerts-4.x-

#Monitoring

wazuh.monitoring.enabled: true
wazuh.monitoring.frequency: 900
wazuh.monitoring.pattern: wazuh-monitoring-*
wazuh.monitoring.creation: w
wazuh.monitoring.shards: 1
wazuh.monitoring.replicas: 0

#Health checks

checks.pattern : true
checks.template: true
checks.fields  : true
checks.api     : true
checks.setup   : true
checks.metaFields: true
checks.timeFilter: true
checks.maxBuckets: true

#Custom branding

customization.enabled: true
customization.logo.app: 'custom/images/customization.logo.app.jpg'

customization.logo.healthcheck: 'custom/images/customization.logo.healthcheck.svg'
customization.logo.reports: 'custom/images/customization.logo.reports.jpg'
customization.reports.footer: '123 Custom footer Ave.\nSan Jose, CA 95148'
customization.reports.header: 'Custom Company\ninfo@custom.com\n@social_reference'

#Cron

cron.prefix: wazuh
cron.statistics.status: true
cron.statistics.apis: []
cron.statistics.interval: 0 */5 * * * *
cron.statistics.index.name: statistics
cron.statistics.index.creation: w

#Enrollment DNS

enrollment.dns: ''
enrollment.password: ''