Wazuh SIEM Installation — Part 2

ja1ir4m
10 min read, Oct 30, 2023


Hi Friends!! Welcome back to my blog. It feels good to meet you all in another blog in our blue team series. Hope you are all doing good. With this intro, let's start doing what we are good at!!! It's time for the highlights..

Blog Index:

Content: Technical

Sub category: Installation - Part 2

Proficiency: Beginner

Target audience: Blue teamers and InfoSec analysts who need exposure to blue team activities

Series: Blue team series

Reference: Wazuh overview - Part 1

Recap:

If you are new to our blog, we are in the second episode of our blue team series. If you want to get an idea of what Wazuh is, please check the reference section above for our previous episode.

Now, let's start part 2, installing Wazuh, in our usual way.

We need three main essentials to perform a proof of concept on Wazuh.

  1. Installation environment — Host machine/VMs/Docker/K8s/cloud environment
  2. Wazuh installers
  3. Documentation — for reference to complete the installation

Let's ask our friend to take us to the Wazuh website to fetch the Wazuh documentation and installers to proceed with the POC. Come on, let's start; if you are planning to perform the installation with me, then join in.

OK Google............. can you take me to the Wazuh main page?

OOPS!! First we need to get our installation medium ready. Wazuh can be installed in the environments below.

For this blog we will use a virtual machine, and we will slowly cover Docker, K8s and the other installation options in the following blogs. We are using VMware Workstation 16 and Ubuntu 23.10.x as the virtual image.

Let's set up the VMs as shown below. As we are setting up a distributed-mode Wazuh architecture, we need three VMs: Wazuh server, Wazuh indexer and Wazuh dashboard.

Note: Wazuh has two deployment modes. One is the all-in-one deployment, and the second is the distributed deployment, where the Wazuh components are installed on separate machines and speak with each other.

wazuh indexer — 192.168.181.139

wazuh server — 192.168.181.140

wazuh dashboard — 192.168.181.141

An important point to note: the Wazuh central components support a single-node setup (1 server, 1 indexer and 1 dashboard) and a multi-node setup (2 or more servers, 2 or more indexers and 1 dashboard). We will do a single-node installation for this blog.

Now Google should be happy, as we have our installation environment ready. Let's go to the Wazuh website and follow the documentation for the installation. When it comes to Wazuh installation, we can install it in two ways, as shown below.

In Wazuh installation assistant mode, the Wazuh installer script assists us through the installation. We will be using this mode.

In step-by-step installation mode, we have to manually download the resources and perform the installation.

Wazuh-indexer (1 of 3)

Let's start the installation of the Wazuh indexer. Log in to the indexer VM and execute the command below to download the installation assistant and the config.yml file:

curl -sO https://packages.wazuh.com/4.5/wazuh-install.sh && curl -sO https://packages.wazuh.com/4.5/config.yml

Now we need to edit config.yml to configure the VMs' IP addresses for interoperability. If you are planning to set up a multi-node Wazuh deployment, add all the manager/indexer hostnames and IP addresses in this config file. Let's do a nano config.yml.

nano config.yml - single-node installation config

Let's generate the config files, which contain the cluster key, certs and passwords, by running ./wazuh-install.sh --generate-config-files

generated configuration file

****************************************************************************

Additional information: if we are using an OS which is not recommended, we will see an error stating that our OS version is not recommended, but we can still force the installation by adding the --ignore-check flag, as shown below.

Ignoring OS check

****************************************************************************

We can now see the newly created tar file with the config details. This is the important file which should be placed on all the VMs where we have our Wazuh central components (server, indexer and dashboard) installed.

Now, as the initial configuration is done, we will move on to the Wazuh indexer installation.

--ignore-check should be included throughout the installation procedure if you are using OS images which are not recommended by Wazuh. If you are using Ubuntu 22 or other recommended OS images, there is no need to add the --ignore-check flag.

indexer installation completed
cluster initialization

Whooo!!! whoooo..... yes, the Wazuh indexer installation is completed. But it's good to check if it is properly installed. Before checking, we need the credentials to access the indexer API via curl. The credentials can be acquired from the generated configuration file (the .tar file generated earlier):

tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
Accessing the indexer cluster
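The grep above works because wazuh-passwords.txt lists each account as a username line followed by its password line. The script below, an added example and not part of the original post, reads any account's password out of that file (or straight out of wazuh-install-files.tar) and uses it to ask the indexer for its cluster status; the sample passwords file it writes is constructed, and the indexer IP is the one used in this lab.

```bash
#!/usr/bin/env bash
# Added example (not from the post): read one account's password out of the
# wazuh-passwords.txt that wazuh-install.sh packed into wazuh-install-files.tar,
# then query the indexer REST API to confirm the cluster is serving.
set -eu

# wazuh-passwords.txt lists pairs such as
#   indexer_username: 'admin'
#   indexer_password: '<secret>'
# so match the username line and take the value on the line right after it.
wazuh_password_for() {   # $1 = passwords file, $2 = username
  awk -v want="'$2'" -v q="'" '
    $1 ~ /_username:$/ && $2 == want { getline; gsub(q, "", $2); print $2; exit }
  ' "$1"
}

# Same lookup straight from the tarball, without leaving the file on disk.
wazuh_password_from_tar() {   # $1 = wazuh-install-files.tar, $2 = username
  tar -axf "$1" wazuh-install-files/wazuh-passwords.txt -O \
    | wazuh_password_for /dev/stdin "$2"
}

# Cluster status as reported by the indexer: green (or yellow while replicas are
# unassigned) means the node is serving. -k is acceptable only in this lab: the
# installer's certs are signed by a locally generated CA curl does not trust.
wazuh_indexer_health() {   # $1 = indexer IP, $2 = admin password
  curl -sk -u "admin:$2" "https://$1:9200/_cluster/health" \
    | sed -n 's/.*"status":"\([a-z]*\)".*/\1/p'
}

# Constructed sample in the layout of the real file, used for a dry run.
make_sample_passwords() {   # $1 = output path
  cat > "$1" <<'EOF'
# Admin user for the web user interface and Wazuh indexer.
  indexer_username: 'admin'
  indexer_password: 'SamplePwAdmin.1'
# Wazuh dashboard user for establishing the connection with Wazuh indexer
  indexer_username: 'kibanaserver'
  indexer_password: 'SamplePwKibana.2'
# Admin user for Wazuh API.
  api_username: 'wazuh'
  api_password: 'SamplePwApi.3'
EOF
}

# On the indexer VM (real tarball in the current directory):
#   pw=$(wazuh_password_from_tar wazuh-install-files.tar admin)
#   wazuh_indexer_health 192.168.181.139 "$pw"
```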

Now we are done with the Wazuh indexer installation. We are going to kick-start our next buddy, named wazuh-server.

If you think you need a break, grab a coffee and resume the installation. A little treat is well deserved, because you did a great job installing the Wazuh indexer cluster; we are 30 percent done with the whole setup.

Welcome back!!!! So far we have installed the Wazuh indexer in an Ubuntu VM, and as the next step we are going to install the Wazuh server in another Ubuntu VM.

Wazuh-Server (2 of 3)

Do you remember that during our initial configuration we generated a .tar file? That file should be copied to the Wazuh server VM, as it contains the configuration details of the Wazuh central components.

How can we transfer the files to the VM? The best thing we can do is set up an SSH server on all the VMs and SCP the files between them. Find below the quick notes on how to do it.

SSH server installation
firewall configuration

Now, let's transfer the wazuh-install-files.tar file from the Wazuh indexer VM to the Wazuh server VM.

SCP file transfer between VMs

We can check whether we have received the file on the Wazuh server.

Config file transferred in Wazuh server

It's time to get the installation started; let's download the installer assistant.

installer download

Proceed with the installation by executing the Wazuh installer with the --wazuh-server flag followed by the Wazuh server node name:

sudo ./wazuh-install.sh --wazuh-server <wazuh server node name>

Do you want a surprise!!! Yes, you guessed it right!! We are done with the Wazuh server installation.

Let's keep the excitement level down and quickly proceed with the Wazuh dashboard installation, so that we can complete the installation of the Wazuh central components.

Wazuh-Dashboard (3 of 3)

To start the Wazuh dashboard installation, we need the configuration file, wazuh-install-files.tar, as said earlier, on the Wazuh dashboard VM.

SCP transferring the config file

The steps are the same as for the Wazuh server. We need the Wazuh installation file, and then we execute the installation assistant with the --wazuh-dashboard flag followed by the Wazuh dashboard node name, as shown below.

Wazuh dashboard installation success

*************************************************************************

Additional information: if you are facing any issues with the installation, mainly "ERROR: Connection to the dashboard failed", don't panic! I have a solution. As we are installing Wazuh in a distributed architecture, with three components on three different servers, they need to speak with each other, so we need to give them a way to do so.

Note: we can view the installation logs under /var/log/wazuh-install.log.

We should allow communication on ports 9200, 55000 and 443 between the three servers so that they can interact with each other. Run sudo ufw allow <port> on all the servers and then rerun the wazuh-dashboard installation; you will succeed.

****************************************************************************
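Opening the ports role by role, restricted to the lab subnet rather than to any source, is a little tighter than a bare ufw allow <port>. The script below is an added example, not from the post: it takes the post's ports 9200, 55000 and 443 and adds 9300 (indexer cluster transport) and 1514/1515 (agent events and enrolment) from Wazuh's documented defaults, and it assumes the 192.168.181.0/24 network used by the three VMs.

```bash
#!/usr/bin/env bash
# Added example (not from the post): per-role ufw rules for the three-node lab.
# The post opens 9200 (indexer REST), 55000 (server API) and 443 (dashboard);
# 9300 (indexer cluster transport) and 1514/1515 (agent events/enrolment) are
# Wazuh's documented defaults and are needed once agents come in.
# Rules are scoped to the lab subnet instead of "ufw allow <port>" from anywhere.
set -eu

LAB_SUBNET="${LAB_SUBNET:-192.168.181.0/24}"   # assumption: the post's VM network

# TCP ports a node of the given role must accept from the other components.
wazuh_ports_for_role() {   # $1 = indexer | server | dashboard
  case "$1" in
    indexer)   echo "9200 9300" ;;
    server)    echo "1514 1515 55000" ;;
    dashboard) echo "443" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# One ufw command per port, limited to the given source CIDR.
wazuh_ufw_rules() {   # $1 = role, $2 = source CIDR
  local port
  for port in $(wazuh_ports_for_role "$1"); do
    echo "ufw allow from $2 to any port $port proto tcp"
  done
}

# Apply the rules on this host (run as root); DRY_RUN=1 only prints them.
wazuh_apply_rules() {   # $1 = role
  wazuh_ufw_rules "$1" "$LAB_SUBNET" | while IFS= read -r rule; do
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$rule"; else $rule; fi
  done
}

# Connectivity check from this host using bash's /dev/tcp (no nc needed):
# exit 0 when the peer accepts the TCP connection, non-zero otherwise.
wazuh_peer_open() {   # $1 = peer IP, $2 = port
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# On the dashboard VM before retrying the dashboard installer:
#   DRY_RUN=1 wazuh_apply_rules dashboard
#   wazuh_peer_open 192.168.181.139 9200 && wazuh_peer_open 192.168.181.140 55000 \
#     && echo "indexer and server reachable"
```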

Back to our installation: the Wazuh dashboard installation completed, and we can see the URL and credentials to access the dashboard.

What are we waiting for? Let's open Firefox and launch the dashboard.

Ignore the cert alert below; we will deploy certificates once we plan to deploy this setup in a pre-prod-like environment after completing the POC.

Access the dashboard with the credentials displayed in the installation console output, or extract the credentials from the wazuh-install-files.tar file using the command below:

tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1

After logging in, we can see the Wazuh dashboard showing information on agents and the other Wazuh capability tiles.

Big kudos to you. You have successfully earned a badge for completing the installation of the Wazuh central components. Claim your badge below.....

You earned your badge

Now we have the core system ready, which stores, indexes, processes, analyzes and displays the logs/alerts for us. Next we need a collector module to fetch the logs from all the servers chosen to be monitored.

Let me introduce the collector module, which does the job discussed above for us: the "WAZUH AGENT".

Wazuh-Agent

Agent installation is pretty easy and straightforward. Before fetching the Wazuh agent installer, we install the Wazuh GPG key and repository and update the package information for the Wazuh agent.

Now let's download the wazuh-agent and enrol the agent with the manager/server to establish the connection between agent and server, so that the agent forwards all its logs to the server for analysis:

WAZUH_MANAGER="<wazuh-server ip address>" apt-get install wazuh-agent

Let's start the agent service.

We can also use the Wazuh dashboard to help us install the agent. Click on the agent hyperlink and fill in the form, after which the Wazuh dashboard will show us the command to install the agent.

Once the agent service is started, reload the dashboard and you will see the connected agents count, as shown in the screenshots below.
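The key, repository, install and service steps above, put together in one script as an added example (not from the post), with a check of the agent's own ossec.log to confirm it actually reached the server, which is quicker than reloading the dashboard. The repository commands are the Wazuh 4.x apt instructions; the manager IP is the post's server VM, the agent name lab-agent-01 is an assumption, and the log lines are constructed samples.

```bash
#!/usr/bin/env bash
# Added example (not from the post): enrol an Ubuntu host as a Wazuh agent
# with the 4.x apt repository, then confirm from the agent's own log that it
# reached the server. Manager IP is the post's; the agent name is an assumption.
set -eu

WAZUH_SERVER="${WAZUH_SERVER:-192.168.181.140}"   # Wazuh server VM from the post
AGENT_NAME="${AGENT_NAME:-lab-agent-01}"           # assumed name shown in the dashboard

# Import the Wazuh signing key into its own keyring and register the repo
# pinned to that key, so apt refuses packages not signed by Wazuh.
wazuh_agent_repo() {
  curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH \
    | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
  chmod 644 /usr/share/keyrings/wazuh.gpg
  echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \
    > /etc/apt/sources.list.d/wazuh.list
  apt-get update
}

# Install with the manager address and agent name baked into ossec.conf,
# then enable and start the service.
wazuh_agent_install() {
  WAZUH_MANAGER="$WAZUH_SERVER" WAZUH_AGENT_NAME="$AGENT_NAME" apt-get install -y wazuh-agent
  systemctl daemon-reload
  systemctl enable --now wazuh-agent
}

# Classify the agent's connection state from ossec.log lines on stdin:
# "connected", "unreachable" or "unknown"; the last matching line wins.
wazuh_agent_state() {
  awk '
    /wazuh-agentd: INFO: .*Connected to the server/      { state = "connected" }
    /wazuh-agentd: (ERROR|WARNING): .*Unable to connect/ { state = "unreachable" }
    END { print (state == "" ? "unknown" : state) }
  '
}

# Constructed lines in the style of /var/ossec/logs/ossec.log for a dry run.
sample_agent_log() {
  cat <<'EOF'
2023/10/30 10:15:01 wazuh-agentd: INFO: Started (pid: 1234).
2023/10/30 10:15:02 wazuh-agentd: ERROR: Unable to connect to '192.168.181.140': 'Connection refused'.
2023/10/30 10:15:12 wazuh-agentd: INFO: Connected to the server ([192.168.181.140]:1514/tcp).
EOF
}
if [ "${RUN_INSTALL:-0}" = 1 ]; then   # real run needs root; off by default
  wazuh_agent_repo && wazuh_agent_install
  sleep 10; wazuh_agent_state < /var/ossec/logs/ossec.log
fi
```

Run it with RUN_INSTALL=1 as root on the host to be monitored; without that variable it only defines the functions and the constructed sample.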

Whoaoo!!! Whoooaa....... Now you have successfully completed setting up the Wazuh architecture in your home lab and earned another badge.

You are awesome, mate!!!!

Let me give some quick closing notes before completing this blog. So what have we seen in this blog?

We have performed the below tasks.

1. Home lab setup using VMware Workstation

2. Wazuh central components in a distributed mode

a. Wazuh Indexer installation

b. Wazuh server installation

c. Wazuh Dashboard installation

3. Wazuh Agent installation

There are many ways to install Wazuh, for example the all-in-one installation, where the server, indexer and dashboard are all installed on a single system. But that kind of installation is only for demo/POC purposes. That's why we have covered the distributed mode, installing each Wazuh component on a different server to mimic a simple production-like environment.

If you successfully completed the installation using this blog and found it useful, don't hesitate to hit the clap and follow button.

Follow me on LinkedIn: www.linkedin.com/comm/mynetwork/discovery-see-all?usecase=PEOPLE_FOLLOWS&followMember=jayaraman-m-358425166


I’m Jayaraman M, a dedicated Information Security Analyst, Penetration Tester, and Red Teamer, committed to excelling in cybersecurity.