Wazuh server node setup:

First of all ssh into the wazuh-indexer instance and follow the steps below. Note that this page installs the Wazuh server components (the Wazuh manager and Filebeat); both connect to the Wazuh indexer, which must already be installed and listening on port 9200 before the connection steps below will succeed.

Run every command below as root. Using the root user for the whole setup avoids permission problems with the files created under /etc/filebeat and /var/ossec.

The installation process is divided into two stages:

1) Wazuh server node installation
2) Cluster configuration for multi-node deployment


  1. Wazuh server node installation

Adding the Wazuh repository:

    apt-get install gnupg apt-transport-https
    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
    echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
    apt-get update

Installing the Wazuh manager:

    apt-get -y install wazuh-manager

Installing Filebeat:

    apt-get -y install filebeat

Configuring Filebeat:

  1. Download the preconfigured Filebeat configuration file and edit /etc/filebeat/filebeat.yml:

    curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.9/tpl/wazuh/filebeat/filebeat.yml
    vi /etc/filebeat/filebeat.yml

    hosts: the list of Wazuh indexer nodes to connect to, as IP addresses or hostnames. The template ships with hosts: ["127.0.0.1:9200"]; replace it with your Wazuh indexer address. If you have more than one Wazuh indexer node, separate the addresses with commas, for example hosts: ["10.0.0.1:9200", "10.0.0.2:9200", "10.0.0.3:9200"]. In this setup the indexer is at 192.168.0.100, so the line becomes:

    hosts: ["192.168.0.100:9200"]

  2. Create a Filebeat keystore to securely store authentication credentials:

    filebeat keystore create

  3. Add the indexer username and password to the keystore. admin:admin is the indexer default; if the admin password has already been changed (for example with the Wazuh passwords tool), store that password instead. The template's username: ${username} and password: ${password} entries read these values from the keystore, so the password is never written in plaintext into filebeat.yml.

    echo admin | filebeat keystore add username --stdin --force
    echo admin | filebeat keystore add password --stdin --force

  4. Download the alerts template for the Wazuh indexer:

    curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.2/extensions/elasticsearch/7.x/wazuh-template.json
    chmod go+r /etc/filebeat/wazuh-template.json

  5. Install the Wazuh module for Filebeat:

    curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
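The two filebeat.yml settings that matter here (the indexer hosts list and the keystore references for the credentials) can be applied and checked from a script. The shell functions below are an added example, not part of this page or of Wazuh's own tooling: set_filebeat_hosts rewrites the hosts: line for one or more indexer nodes (adding :9200 when a node is given without a port), filebeat_hosts prints the resulting list, and check_filebeat_creds fails if username: or password: carry a literal value instead of the ${username}/${password} keystore references the Wazuh template uses. The function names are mine, and the path of the filebeat.yml to edit is passed as an argument.

```shell
#!/bin/sh
# Added example: helpers for the Filebeat configuration step above.
# Function names are the example author's own; they operate on whatever
# filebeat.yml path is passed in.

# set_filebeat_hosts FILE NODE...
# Rewrite the first "hosts:" line in FILE (the one under output.elasticsearch
# in the Wazuh template) to a YAML list of the given indexer nodes. A node
# given without a port gets the indexer default, :9200.
#   set_filebeat_hosts /etc/filebeat/filebeat.yml 10.0.0.1 10.0.0.2:9200
set_filebeat_hosts() {
    file=$1
    shift
    [ $# -ge 1 ] || { echo "set_filebeat_hosts: no indexer nodes given" >&2; return 1; }
    list=""
    for node in "$@"; do
        case $node in
            *:*) ;;                      # already host:port
            *)   node="$node:9200" ;;    # default indexer port
        esac
        list="${list:+$list, }\"$node\""
    done
    tmp=$(mktemp) || return 1
    # Only the first hosts: line is replaced; the rest of the file is copied as-is.
    awk -v list="[$list]" '
        !done && /^[[:space:]]*hosts:/ { sub(/hosts:.*/, "hosts: " list); done = 1 }
        { print }' "$file" > "$tmp" \
        && cat "$tmp" > "$file" && rm -f "$tmp"   # keeps the file's owner and mode
}

# filebeat_hosts FILE: print the configured list, e.g. ["10.0.0.1:9200", "10.0.0.2:9200"].
filebeat_hosts() {
    sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | head -n 1
}

# check_filebeat_creds FILE
# Succeed only if username: and password: are keystore references (${username}
# and ${password}), as shipped in Wazuh's template. A literal value such as
# "password: admin" means the secret was pasted into the config file instead
# of being stored with "filebeat keystore add".
check_filebeat_creds() {
    file=$1
    rc=0
    for k in username password; do
        val=$(sed -n "s/^[[:space:]]*$k:[[:space:]]*//p" "$file" | head -n 1)
        if [ "$val" != "\${$k}" ]; then
            echo "check_filebeat_creds: $k is '$val', not the \${$k} keystore reference" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage on the server node, after downloading the template as above:
#   set_filebeat_hosts /etc/filebeat/filebeat.yml 192.168.0.100 && check_filebeat_creds /etc/filebeat/filebeat.yml
```

The credential check is the part worth keeping around: a password typed into filebeat.yml works just as well as one in the keystore, so nothing in the Filebeat start-up will tell you the secret is now sitting in a config file that gets copied into backups and tickets.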
    

Deploying certificates:

Make sure that a copy of the wazuh-certificates.tar file, created during the initial configuration step, is placed in your working directory.

  1. Replace <SERVER_NODE_NAME> with your Wazuh server node certificate name, the same one used in config.yml when creating the certificates. Then extract only this node's certificate, its key and the root CA, and move them to the names Filebeat expects:

    export NODE_NAME=<SERVER_NODE_NAME>
    mkdir /etc/filebeat/certs
    tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
    mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
    mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
    chmod 500 /etc/filebeat/certs
    chmod 400 /etc/filebeat/certs/*
    chown -R root:root /etc/filebeat/certs

    The chmod and chown lines leave the private key readable by root only; Filebeat runs as root, so nothing else needs access to it.

Configuring the Wazuh indexer connection:

You can skip this step if you are not going to use the vulnerability detection capability.

  1. Store the indexer credentials in the Wazuh keystore. Replace <INDEXER_USERNAME> and <INDEXER_PASSWORD> with the same indexer user Filebeat uses (admin by default):

    echo '<INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
    echo '<INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password

  2. Edit /var/ossec/etc/ossec.conf to configure the indexer connection.

    By default, the <indexer> section has one host configured, set to 0.0.0.0. Replace 0.0.0.0 with your Wazuh indexer node IP address or hostname; it is the same value used for hosts in /etc/filebeat/filebeat.yml (192.168.0.100 in this setup).

    Make sure the certificate and key names under <ssl> match the files placed in /etc/filebeat/certs (filebeat.pem and filebeat-key.pem above), and that the CA entry points at root-ca.pem in the same directory.
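Editing ossec.conf by hand is easy to get subtly wrong (the placeholder host left in place, a certificate path that does not exist), so here, as an added example that is not part of this page or of Wazuh's own tooling, are shell helpers that make the change and verify it. The comment at the top shows the stock <indexer> block they operate on; set_indexer_host swaps the 0.0.0.0 placeholder for the indexer address, indexer_hosts prints what is configured, and check_indexer_config fails if the section is disabled, still points at 0.0.0.0, or references a CA, certificate or key file that is not readable. The function names are mine; the path of the ossec.conf to edit is passed as an argument.

```shell
#!/bin/sh
# Added example: apply and verify the <indexer> settings in ossec.conf.
# Function names are the example author's own; the ossec.conf path is an argument.
#
# The block being edited looks like this in a fresh 4.9 install:
#   <indexer>
#     <enabled>yes</enabled>
#     <hosts>
#       <host>https://0.0.0.0:9200</host>
#     </hosts>
#     <ssl>
#       <certificate_authorities>
#         <ca>/etc/filebeat/certs/root-ca.pem</ca>
#       </certificate_authorities>
#       <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
#       <key>/etc/filebeat/certs/filebeat-key.pem</key>
#     </ssl>
#   </indexer>

# set_indexer_host CONF HOST: replace the 0.0.0.0 placeholder with HOST (IP or name).
set_indexer_host() {
    conf=$1 host=$2
    tmp=$(mktemp) || return 1
    sed "s|<host>https://0\.0\.0\.0:9200</host>|<host>https://$host:9200</host>|" "$conf" > "$tmp" \
        && cat "$tmp" > "$conf" && rm -f "$tmp"   # keeps ossec.conf's owner and mode
}

# indexer_section CONF: print only the <indexer>...</indexer> block. ossec.conf
# has many other <enabled> tags, so every lookup below is scoped to this block.
indexer_section() {
    sed -n '/<indexer>/,/<\/indexer>/p' "$1"
}

# xml_value TAG: read XML on stdin and print the text of the first <TAG>...</TAG>.
# The closing ">" in the pattern keeps <certificate> from matching <certificate_authorities>.
xml_value() {
    sed -n "s|.*<$1>\(.*\)</$1>.*|\1|p" | head -n 1
}

# indexer_hosts CONF: print every configured <host> inside the indexer block.
indexer_hosts() {
    indexer_section "$1" | sed -n 's|.*<host>\(.*\)</host>.*|\1|p'
}

# check_indexer_config CONF: 0 if the indexer section is enabled, no longer
# points at 0.0.0.0, and every TLS file it references is readable.
check_indexer_config() {
    conf=$1
    [ "$(indexer_section "$conf" | xml_value enabled)" = "yes" ] \
        || { echo "check_indexer_config: indexer connection is not enabled" >&2; return 1; }
    if indexer_hosts "$conf" | grep -q '0\.0\.0\.0'; then
        echo "check_indexer_config: host is still the 0.0.0.0 placeholder" >&2
        return 2
    fi
    for tag in ca certificate key; do
        path=$(indexer_section "$conf" | xml_value "$tag")
        [ -n "$path" ] || { echo "check_indexer_config: no <$tag> under <ssl>" >&2; return 3; }
        [ -r "$path" ] || { echo "check_indexer_config: <$tag> points at $path, which is not readable" >&2; return 4; }
    done
    return 0
}

# Usage on the server node (indexer at 192.168.0.100 as in the steps above):
#   set_indexer_host /var/ossec/etc/ossec.conf 192.168.0.100 && check_indexer_config /var/ossec/etc/ossec.conf
```

Run the check before starting the manager: a missing certificate file here does not stop wazuh-manager from starting, it only makes the indexer connection (and with it vulnerability detection) fail later in the log.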

Starting the services:

  1. Start the Wazuh manager:

    systemctl daemon-reload
    systemctl enable wazuh-manager
    systemctl start wazuh-manager
    systemctl status wazuh-manager

  2. Start the Filebeat service:

    systemctl daemon-reload
    systemctl enable filebeat
    systemctl start filebeat

  3. Test that Filebeat can reach the indexer over TLS:

    filebeat test output

    Output:
     elasticsearch: https://192.168.0.100:9200...
     parse url... OK
     connection...
         parse host... OK
         dns lookup... OK
         addresses: 192.168.0.100
         dial up... OK
     TLS...
         security: server's certificate chain verification is enabled
         handshake... OK
         TLS version: TLSv1.3
         dial up... OK
     talk to server... OK
     version: 7.10.2

    Every line should end in OK. Two lines deserve a second look: "security: server's certificate chain verification is enabled" confirms that Filebeat is validating the indexer's certificate against root-ca.pem (it reads "disabled" if ssl.verification_mode has been set to none in filebeat.yml, which hides certificate problems instead of fixing them), and "version: 7.10.2" is the Elasticsearch-compatible version the Wazuh indexer reports, not an error.

© 2025 Jatin Sharma. All rights reserved.