If you’re looking for a complete wazuh server installation guide, you’ve come to the right place. Ever tried setting up a Wazuh server and ended up with a headache? You’re not alone! After spending countless hours figuring this out myself, I’ve decided to share my experience and create this wazuh server installation walkthrough that actually works. Whether you’re securing a homelab or rolling out enterprise-grade SIEM, this comprehensive wazuh server installation guide has you covered.
TL;DR: Wazuh Server Installation Overview
This wazuh server installation guide covers the full all-in-one deployment — Wazuh indexer, Wazuh server, and Wazuh dashboard — on a single Ubuntu machine. We’ll cover everything from system requirements to troubleshooting common wazuh server installation hiccups, so you can get your security monitoring up and running with confidence.
Prerequisites for Wazuh Server Installation
Before we dive in, make sure you’ve got the following ready. Wazuh is surprisingly lightweight for what it does, but you still need a decent machine to run all three components comfortably.
- A Linux server — I used Ubuntu 22.04 LTS for this guide, but Ubuntu 24.04 LTS works just as well. Debian 11/12 is also supported. Avoid older releases like Ubuntu 20.04 — Wazuh 4.x requires modern GLIBC versions.
- Minimum 4GB RAM — This is the bare minimum for the all-in-one deployment. For production environments with more than a handful of agents, go with 8GB or 16GB. The Wazuh indexer (based on OpenSearch) is the hungriest component.
- At least 50GB storage space — Your logs and alerts accumulate quickly. For production, plan for 100GB+ and consider separate data volumes for the indexer.
- 2-4 CPU cores — The Wazuh server and indexer both benefit from multi-core setups. A modern dual-core will work for testing; quad-core is recommended for ongoing use.
- Root or sudo access — You’ll be installing system packages, adding repositories, and configuring services. Standard user privileges won’t cut it here.
- Basic command line knowledge — If you’re comfortable with cd, ls, and sudo, you’re golden. If not, check out our Nmap Quick Start Guide for some terminal practice first.
- Ports 443, 1514-1516, 55000, and 9200 open — The Wazuh dashboard uses 443, agents connect on 1514-1516, the API uses 55000, and the indexer listens on 9200. Make sure your firewall isn’t blocking these.
- Coffee ☕ — Trust me, you’ll need it while the packages download!
Wazuh Server Installation: Understanding the Architecture
Before we start typing commands, it helps to understand what you’re actually installing. Every wazuh server installation consists of three core components that work together:
- Wazuh Indexer — A highly scalable, full-text search engine based on OpenSearch. This is where all your security events, alerts, and logs get indexed and stored. Think of it as the database layer that powers all your searches and dashboards.
- Wazuh Server — The analytical brain of the operation. It receives data from Wazuh agents, runs the analysis engine (decoders and rules), and generates alerts. The server also manages agent connectivity and configuration deployment.
- Wazuh Dashboard — The web-based user interface built on OpenSearch Dashboards. This is where you’ll visualize security events, create custom dashboards, manage rules, and generate reports. It runs on port 443 by default and includes built-in security features like single sign-on and RBAC.
In this wazuh server installation guide, we’re deploying all three on a single machine (the all-in-one configuration). For larger production environments, you’d split these across multiple servers, but for most small-to-medium setups, all-in-one works perfectly fine.
Step 1: Preparing Your System for Wazuh Server Installation
First things first, let’s update our system. This ensures we have the latest package lists and security patches before we start adding third-party repositories. Open your terminal and run:
sudo apt-get update
sudo apt-get upgrade -y
Pro tip: Sometimes the upgrade command might hang — if that happens, just hit Ctrl+C and run it again. Works like a charm! After the upgrade completes, I also recommend rebooting if the kernel got updated. A quick sudo reboot now can save you headaches later.
Once your server is back up, verify the hostname and time zone are correct. Wazuh relies on accurate timestamps for correlation:
hostnamectl
timedatectl
If the time zone is wrong, fix it with sudo timedatectl set-timezone UTC (or your local equivalent). Accurate time is non-negotiable for security event correlation.
Step 2: Installing Dependencies
Wazuh needs some friends to work properly. Let’s get them installed. Before starting the actual wazuh server installation, these packages provide essential tools for downloading files, managing repositories, and handling cryptographic keys:
sudo apt-get install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2
I once forgot to install gnupg2 and spent 2 hours debugging why the GPG key import failed. Don’t be like me! If you see any errors about missing dependencies, run sudo apt --fix-broken install to resolve them before proceeding.
While we’re at it, let’s also verify Java isn’t already conflicting — the Wazuh indexer bundles its own Java runtime, so a pre-installed OpenJDK can sometimes cause port conflicts:
java -version 2>/dev/null || echo "No Java detected — perfect"
Step 3: Adding the Wazuh Repository
Now comes the interesting part. We need to add Wazuh’s official APT repository to our system. This gives us access to the latest stable releases and keeps everything updateable via apt-get upgrade:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/wazuh.list
Let’s break down what these commands do. First, we download the Wazuh GPG signing key and import it into a dedicated keyring file. The chmod 644 ensures the keyring is readable by all legitimate package operations. Then we add a new APT source entry that points to Wazuh’s package repository, signed by that key. This is a standard security pattern — only packages signed by Wazuh’s private key will be installable through this repository.
If you get a “keyserver not found” error, you can download the key manually from the official Wazuh installation guide and place it in the correct location.
Step 4: Installing the Wazuh Indexer
The Wazuh indexer is the first component we need to install — the server and dashboard depend on it. Run the following to refresh your package list and install the indexer:
sudo apt-get update
sudo apt-get install wazuh-indexer
After installation, we need to configure the indexer. Generate a random admin password and configure the security settings:
sudo /usr/share/wazuh-indexer/bin/indexer-security-init.sh
This script initializes the internal users, roles, and permissions. It creates the default admin user and sets up TLS certificates for encrypted communication. Hang tight — this can take a minute or two on slower hardware.
Once complete, start and enable the indexer:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-indexer
sudo systemctl start wazuh-indexer
Step 5: Installing the Wazuh Server
The Wazuh server (also called the Wazuh manager) is the engine that processes all security events. This is the core of your wazuh server installation. Install it with:
sudo apt-get install wazuh-manager
The installation will automatically set up the manager service, create the default rules and decoders, and configure the necessary filebeat shipper to forward events to the indexer. You’ll see the service start output in the terminal — watch for any red error messages.
After the installation finishes, configure Filebeat (which ships Wazuh alerts to the indexer):
sudo filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat setup
sudo systemctl enable filebeat
sudo systemctl start filebeat
The setup command installs the default index templates and dashboards. This step is crucial for a successful wazuh server installation. If you see connection errors here, double-check that the Wazuh indexer is running and listening on port 9200 with sudo systemctl status wazuh-indexer.
Step 6: Installing the Wazuh Dashboard
The dashboard gives you the pretty web interface. Install it with:
sudo apt-get install wazuh-dashboard
Once installed, configure it to connect to your indexer. Edit the configuration file:
sudo nano /etc/wazuh-dashboard/opensearch_dashboards.yml
Find the opensearch.hosts line and make sure it points to your server’s IP on port 9200:
opensearch.hosts: ["https://127.0.0.1:9200"]
Then start the dashboard service:
sudo systemctl enable wazuh-dashboard
sudo systemctl start wazuh-dashboard
After a minute or two, you should be able to reach the Wazuh dashboard by navigating to https://your-server-ip in your browser. Accept the self-signed certificate warning (we’ll cover proper TLS certificates in a future guide) and log in with admin and the password you set during indexer initialization.
Step 7: Verifying the Installation
Let’s make sure everything’s running smoothly. Check all three services:
sudo systemctl status wazuh-indexer
sudo systemctl status wazuh-manager
sudo systemctl status wazuh-dashboard
If you see “active (running)” for all three — congratulations! Your Wazuh server is fully operational. Let’s also verify the indexer cluster health:
curl -k -u admin:your-password 'https://localhost:9200/_cluster/health?pretty'
You should see "status" : "green" or "status" : "yellow". Green means all shards are allocated — perfect. Yellow means some replica shards aren’t allocated yet (normal for a single-node cluster). Red would indicate a problem.
Finally, check that agents can connect by reviewing the manager logs:
sudo tail -f /var/ossec/logs/ossec.log
For more terminal tools to complement your security monitoring setup, check out our fzf tutorial — it’ll make log file navigation a breeze.
Common Wazuh Server Installation Issues
Problem 1: Port 1514 Already in Use
This happened to me twice during my own wazuh server installation! Some other service (like an old OSSEC installation or a custom syslog listener) might already be using port 1514. Check what’s holding the port:
sudo netstat -tulpn | grep 1514
sudo ss -tulpn | grep 1514
If you find a conflicting service, either stop it (sudo systemctl stop [service]) or reconfigure Wazuh to use a different port in /var/ossec/etc/ossec.conf.
Problem 2: Service Won’t Start
Usually, this is because of insufficient memory. Check your available RAM:
free -m
If you’re below 2GB available, time to close some Chrome tabs! 😅 On a server, you can add swap space as a temporary workaround:
sudo fallocate -l 4G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
Problem 3: Dashboard Returns a Blank Page or 503 Error
This usually means the dashboard can’t reach the indexer. Check the dashboard logs:
sudo journalctl -u wazuh-dashboard --no-pager -n 50
Most often, the issue is a TLS/SSL mismatch. Make sure the CA certificate used by the indexer is trusted by the dashboard. The all-in-one install usually handles this automatically, but if you installed components separately, you may need to copy the root CA from /etc/wazuh-indexer/certs/ to the dashboard’s certificate directory.
Best Practices for a Reliable Wazuh Server Installation
- Always back up your configuration files — Before making changes, copy /var/ossec/etc/ossec.conf and /etc/wazuh-indexer/opensearch.yml to a safe location. cp /var/ossec/etc/ossec.conf ~/ossec.conf.backup takes two seconds and can save your day.
- Monitor your logs regularly — The Wazuh dashboard gives you real-time alerts, but also check the system logs. Set up email notifications for critical severity alerts so you never miss a breach attempt.
- Keep your system updated — Wazuh releases new versions frequently with security patches and new decoders. Set a monthly reminder to run sudo apt-get update && sudo apt-get upgrade.
- Don’t forget to configure your firewall — Restrict dashboard access (port 443/55000) to your management IP range. Agent ports (1514-1516) should only be accessible from agent subnets. Never expose the indexer port (9200) to the internet.
- Use strong passwords — Change the default admin password immediately. The Wazuh dashboard supports SSO integration with LDAP/Active Directory — worth setting up for teams.
- Start with the baseline ruleset — Wazuh ships with hundreds of pre-built rules. Enable them gradually rather than turning everything on at once to avoid alert fatigue.
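The Step 7 cluster health check, the port-conflict lookup from Problem 1, and the rule above about never exposing port 9200, gathered into one post-install script. This is an added example written for this guide, not a Wazuh-provided tool; the health JSON and ss output it runs against are constructed samples, and the comments show the live commands to pipe in instead.

```shell
#!/bin/sh
# Post-install checks for the all-in-one Wazuh deployment in this guide (added example,
# not a Wazuh project script). Functions parse stdin/arguments, so they run here on
# constructed sample data; the "Live:" comments give the real command to pipe in.

# Live: curl -sk -u admin:PASSWORD 'https://localhost:9200/_cluster/health' | cluster_status
cluster_status() {
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n 1
}

# green and yellow are fine on a single node (yellow = unassigned replicas); red is not.
health_ok() {
    case "$1" in green|yellow) return 0 ;; *) return 1 ;; esac
}

# Process name listening on a port, from `ss -tulpn` output on stdin.
# Live: sudo ss -tulpn | port_owner 1514
port_owner() {
    awk -v port="$1" 'BEGIN { pat = ":" port "$" }
        $5 ~ pat && match($0, /users:\(\("[^"]+"/) {
            print substr($0, RSTART + 9, RLENGTH - 10); exit
        }'
}

# Local address a port is bound to, from `ss -tulpn` output on stdin.
# Live: sudo ss -tulpn | bind_address 9200
bind_address() {
    awk -v port="$1" 'BEGIN { pat = ":" port "$" }
        $5 ~ pat { sub(pat, "", $5); print $5; exit }'
}

# A wildcard bind means port 9200 answers on every interface, not just loopback.
indexer_exposed() {
    case "$1" in 0.0.0.0|'[::]'|'*') return 0 ;; *) return 1 ;; esac
}

# Constructed sample output (not captured from a real host) so the script runs offline.
SAMPLE_HEALTH='{ "cluster_name" : "wazuh-cluster", "status" : "yellow", "number_of_nodes" : 1 }'
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:1514      0.0.0.0:*    users:(("wazuh-remoted",pid=2143,fd=5))
tcp   LISTEN 0      4096   127.0.0.1:9200    0.0.0.0:*    users:(("java",pid=1880,fd=320))'

status=$(printf '%s\n' "$SAMPLE_HEALTH" | cluster_status)
health_ok "$status" && echo "indexer health: $status (ok)" || echo "indexer health: $status (PROBLEM)"
echo "port 1514 held by: $(printf '%s\n' "$SAMPLE_SS" | port_owner 1514)"
addr=$(printf '%s\n' "$SAMPLE_SS" | bind_address 9200)
indexer_exposed "$addr" && echo "WARNING: indexer bound to $addr" || echo "indexer bound to $addr only"
```

On a live server, replace the two sample variables with the output of the commands in the "Live:" comments; a non-Wazuh process holding 1514 or a 0.0.0.0 bind on 9200 is what you want to catch before exposing the box.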
Wazuh vs. Other SIEM Solutions
You might be wondering why you’d choose Wazuh over alternatives like Splunk, ELK Stack, or Graylog. The answer is simple: Wazuh is 100% free and open-source with no feature limitations or data caps. Splunk’s free tier limits you to 500MB/day — Wazuh has no such restrictions. And unlike vanilla ELK, Wazuh comes with pre-built security rules, file integrity monitoring, vulnerability detection, and regulatory compliance features (PCI DSS, HIPAA, GDPR) out of the box. For the full breakdown of what Wazuh can do, check the official Wazuh documentation.
Wazuh Server Installation: Final Thoughts
This wazuh server installation doesn’t have to be a nightmare. With this guide, you’ve deployed a full SIEM/XDR platform — Wazuh indexer, server, and dashboard — on a single Ubuntu machine. You now have the power to monitor security events across your entire infrastructure, detect intrusions in real-time, and maintain compliance with industry standards. While this wazuh server installation guide covers the basics, remember that security is an ongoing process. Keep learning, keep updating, and most importantly, keep your systems secure!
Next Steps
- Configure Wazuh agents — Deploy agents on your Linux and Windows endpoints to start collecting security data. The agent installation is dead simple: one command per machine.
- Set up vulnerability detection — Wazuh can scan your registered agents for known CVEs by correlating package versions against the National Vulnerability Database.
- Implement custom rules — Write your own decoders and rules to detect application-specific threats. Wazuh’s rule syntax is XML-based and surprisingly intuitive.
- Configure email notifications — Set up SMTP integration so you receive instant alerts when critical security events are triggered.
- Integrate with your existing tools — Wazuh plays nicely with TheHive, Shuffle, and other SOAR platforms for automated incident response.
Did this guide help you? Let me know in the comments below! And don’t forget to share your own Wazuh experiences — we’re all learning here. If you run into any issues not covered in this guide, the Wazuh community is incredibly active and helpful on both GitHub and their official documentation.