The Complete Wazuh Installation and Deployment Guide

Modern organizations generate enormous volumes of security telemetry from endpoints, servers, cloud platforms, firewalls, applications, and network devices.

Without a centralized security platform, detecting threats, investigating incidents, and maintaining compliance quickly becomes difficult.

Wazuh has become one of the most popular open-source Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) platforms because it combines log analysis, endpoint security, vulnerability detection, file integrity monitoring, threat detection, compliance monitoring, and incident response into a single platform.

Unlike many commercial SIEM solutions that require expensive licensing, Wazuh provides enterprise-grade security monitoring while remaining fully open source.

It supports both small deployments with a handful of servers and large enterprise environments consisting of thousands of endpoints spread across multiple regions.

Whether you’re deploying Wazuh for the first time or designing a production-ready security monitoring platform, proper installation is the foundation for long-term stability, scalability, and performance.

Configuration mistakes made during deployment often lead to issues such as disconnected agents, dashboard failures, indexing problems, certificate errors, and high resource usage later.

This comprehensive Wazuh Installation Guide walks through every major deployment decision before you install your first component.

By the end of this guide, you’ll understand:

Which deployment model best fits your environment
The hardware and networking requirements for Wazuh
How the Wazuh architecture works internally
How to prepare servers before installation
Security best practices for production deployments
Common deployment pitfalls and how to avoid them

This guide is designed for:

Security Operations Center (SOC) analysts
System administrators
DevOps engineers
Platform engineers
Security engineers
IT infrastructure teams deploying centralized monitoring

Whether you’re installing Wazuh in a home lab, a corporate datacenter, Kubernetes, or the cloud, the deployment principles remain largely the same.

See our The Ultimate Wazuh Troubleshooting Guide: Fix Common Issues guide

Throughout this guide, we’ll also reference specialized installation tutorials for Windows agents, Linux endpoints, Docker deployments, indexer clustering, and agent upgrades so you can continue learning each topic in greater depth.

Prerequisites Before Installing Wazuh

Successful deployments begin long before the installation scripts are executed.

Planning your architecture, infrastructure, networking, and security requirements upfront significantly reduces deployment issues later.

Before installing Wazuh, determine:

Your deployment model
Expected number of monitored endpoints
Storage requirements
Network topology
High availability requirements
Certificate management strategy
Operating systems
Resource allocation

Organizations that invest time in deployment planning typically experience fewer operational problems after going live.

Overview of Deployment Options

Wazuh supports several deployment architectures depending on your environment, scale, and operational requirements.

Single-Node Deployment

A single-node installation runs every Wazuh component on one server:

Wazuh Manager
Wazuh Indexer
Wazuh Dashboard

This deployment is ideal for:

Home labs
Small businesses
Testing environments
Proof-of-concept deployments
Security training

Advantages include:

Easy installation
Minimal infrastructure
Lower hardware costs
Simplified maintenance

Limitations include:

Single point of failure
Limited scalability
Resource contention as endpoint counts grow

Most organizations begin with a single-node deployment before expanding into clustered architectures.

Multi-Node Production Deployment

Production environments often separate services across multiple servers.

A common architecture consists of:

Multiple Wazuh Managers
Multiple Wazuh Indexers
One or more Dashboard nodes
Load balancers
Dedicated storage

Benefits include:

Horizontal scalability
High availability
Better performance
Easier maintenance
Reduced downtime

Organizations monitoring hundreds or thousands of endpoints should strongly consider this deployment model.

Docker Deployment

Containerized deployments have become increasingly popular for development environments and cloud-native infrastructure.

Docker offers:

Faster installation
Easy upgrades
Consistent environments
Simplified rollback
Infrastructure as Code compatibility

However, Docker deployments introduce additional complexity around:

Persistent storage
Networking
Certificate management
Volume mapping
Resource allocation

Improper Docker configuration is one of the most common causes of deployment failures.

See our Fix Wazuh Docker Compose Deployment guide

Cloud and Virtual Machine Deployments

Many organizations deploy Wazuh on:

AWS
Microsoft Azure
Google Cloud Platform
VMware
Hyper-V
Proxmox
OpenStack

Virtualized deployments provide flexibility while simplifying backups, scaling, snapshots, and disaster recovery.

Cloud deployments should carefully account for:

Storage performance
Network latency
Security groups
Identity management
Backup policies

The Wazuh documentation includes deployment recommendations for multiple cloud platforms.

Understanding the Wazuh Architecture

Understanding how each Wazuh component interacts makes installation significantly easier and simplifies future troubleshooting.

Core Wazuh Components

A standard Wazuh deployment consists of four primary components.

Wazuh Server (Manager)

The Wazuh Manager acts as the central processing engine.

Its responsibilities include:

Receiving agent events
Rule evaluation
Threat detection
Active response
Decoding logs
Correlation
Compliance checks
Vulnerability analysis

Nearly every event collected by Wazuh passes through the Manager before being indexed.

Wazuh Indexer

The Wazuh Indexer stores security data using OpenSearch technology.

Its responsibilities include:

Event indexing
Search
Data retention
Aggregation
Fast querying
Historical analysis

Storage sizing is one of the most important planning considerations because security logs grow rapidly.

Wazuh Dashboard

The Dashboard provides the graphical interface used by analysts.

Users can:

Search alerts
Build dashboards
Investigate incidents
View compliance reports
Manage agents
Configure security settings

The Dashboard communicates with the Indexer rather than directly processing endpoint events.

Wazuh Agents

Agents run on monitored systems.

Supported operating systems include:

Windows
Linux
macOS

Agents collect:

Security logs
File changes
Process activity
System inventory
Vulnerabilities
Configuration assessments

The agent performs lightweight local monitoring before securely forwarding events to the Manager.

How the Components Communicate

Understanding communication paths helps diagnose deployment problems later.

Agent → Manager

Agents establish encrypted connections to the Wazuh Manager.

They transmit:

Event logs
Integrity monitoring events
Vulnerability information
Inventory data
Security alerts

The Manager authenticates each agent using registration keys and certificates.

Manager → Indexer

After events are analyzed and enriched, the Manager forwards them to the Wazuh Indexer.

The Indexer stores data for:

Searching
Dashboards
Reporting
Analytics

Dashboard → Indexer

The Dashboard retrieves indexed data directly from the Indexer.

This separation improves scalability and allows analysts to search large datasets efficiently.

Authentication and Certificates

Secure communication between components relies heavily on TLS certificates.

Certificates protect:

Agent communications
Manager APIs
Dashboard access
Cluster synchronization
Indexer nodes

Misconfigured certificates are among the most common deployment issues.

See our How to Fix Wazuh Certificate Errors guide

Choosing the Right Deployment Model

No single deployment architecture fits every organization.

Small Environments

Recommended for:

Fewer than 100 endpoints
Limited IT staff
Development environments

A single-node deployment is typically sufficient.

Medium Organizations

Organizations with several hundred endpoints often benefit from:

Dedicated Manager
Dedicated Indexer
Separate Dashboard

This separation improves performance while allowing future expansion.

Large Enterprise Clusters

Large deployments usually implement:

Multiple Manager nodes
Indexer clusters
Load balancing
Dedicated storage
Geographic redundancy

These deployments prioritize resilience and scalability.

High Availability Considerations

Production deployments should eliminate single points of failure wherever possible.

Common HA strategies include:

Multiple Managers
Indexer replication
Load balancers
Automated backups
Redundant networking
Snapshot recovery

Preparing for Installation

Preparation is often the difference between a deployment that succeeds in one afternoon and one that requires days of troubleshooting.

System Requirements

Hardware sizing depends primarily on:

Endpoint count
Event volume
Retention period
Active integrations

Organizations frequently underestimate storage growth, making capacity planning especially important.

Supported Operating Systems

Wazuh supports multiple Linux distributions, including:

Ubuntu
Debian
Red Hat Enterprise Linux
Rocky Linux
AlmaLinux
Oracle Linux

Agents additionally support:

Windows
macOS

Always verify operating system compatibility before deployment.

Wazuh Compatibility Matrix – https://documentation.wazuh.com/current/installation-guide/index.html

CPU Recommendations

General planning guidelines:

Small lab: 2–4 vCPUs
Medium deployment: 8+ vCPUs
Large production clusters: 16+ vCPUs per node depending on ingestion rate

Heavy indexing workloads generally require additional CPU capacity.

Memory Requirements

Memory requirements increase significantly as event volume grows.

Typical recommendations include:

Small deployment: 8 GB RAM
Medium deployment: 16–32 GB RAM
Large production clusters: 64 GB+ RAM

The Indexer typically consumes the largest share of available memory.

Disk Space Planning

Disk sizing depends on:

Number of endpoints
Daily event volume
Retention period
Compression ratio
Snapshot strategy

Planning only for today’s storage needs often results in expensive migrations later.

Network Requirements

Reliable networking is critical for stable communication between all Wazuh components.

Required Ports

Typical deployments require ports for:

Agent registration
Agent communication
Dashboard access
Indexer APIs
Cluster synchronization
REST API access

Restrict these ports to trusted networks whenever possible.

Firewall Configuration

Firewalls should permit only required communication paths.

Best practice includes:

Blocking unnecessary inbound traffic
Allowing only trusted management hosts
Limiting cluster communication
Restricting administrative interfaces

DNS Recommendations

Use consistent DNS records instead of hardcoded IP addresses whenever practical.

Benefits include:

Easier certificate management
Simplified failover
Reduced maintenance during infrastructure changes

Time Synchronization (NTP)

Accurate timestamps are essential for event correlation.

All Wazuh components should synchronize against reliable Network Time Protocol (NTP) servers to prevent misleading timelines during incident investigations.

Security Preparation

Installing security software securely is just as important as installing it correctly.

TLS Certificates

Deploy trusted TLS certificates for:

Dashboard
Manager
Indexer
APIs
Cluster communications

Avoid using self-signed certificates in long-term production environments whenever possible.

User Accounts

Create dedicated service accounts following the principle of least privilege.

Administrative access should be limited to authorized personnel and protected using strong authentication policies.

Hostname Planning

Decide on consistent naming conventions before installation.

Predictable hostnames simplify:

Certificate generation
Cluster expansion
Monitoring
Troubleshooting

Backup Strategy

Before production rollout, establish backup procedures for:

Configuration files
Certificates
Index snapshots
Agent registration keys
Dashboard settings

Regular backups dramatically reduce recovery time following hardware failures or configuration mistakes.

According to the U.S. National Institute of Standards and Technology (NIST), organizations should integrate backup and recovery planning into overall system security and resilience strategies rather than treating backups as an afterthought.

Expert Insight: The Wazuh engineering team consistently recommends separating production components, using TLS for all inter-component communication, and planning cluster architecture before onboarding large numbers of agents. These practices significantly reduce operational issues as deployments scale.

Installing the Wazuh Platform

Once you’ve planned your deployment architecture and prepared your infrastructure, you’re ready to install the core Wazuh platform.

Although the installation process varies slightly depending on whether you’re deploying a single server, a production cluster, or containers, every installation includes the same primary components:

Wazuh Manager
Wazuh Indexer
Wazuh Dashboard

For first-time users, a single-node deployment is the easiest way to become familiar with the platform before expanding into a clustered production environment.

Single-Node Installation

A single-node deployment installs every Wazuh component on one server.

This approach is ideal for:

Home labs
Development environments
Proof-of-concept deployments
Small organizations
Training environments

Because all services run on the same machine, installation is straightforward and requires fewer infrastructure resources.

A typical installation workflow looks like this:

Prepare the operating system.
Install the Wazuh Manager.
Install the Wazuh Indexer.
Install the Wazuh Dashboard.
Configure certificates and credentials.
Verify communication between all services.
Begin enrolling endpoints.

The official installation assistant automates much of this process, reducing manual configuration and minimizing deployment errors.

Installing the Manager

The Wazuh Manager is the central component responsible for processing security events received from monitored endpoints.

During installation, the Manager is configured to:

Accept agent registrations
Analyze incoming logs
Apply detection rules
Execute active responses
Forward processed events to the Indexer

After installation, administrators should verify that the manager service starts automatically and is listening on the expected ports.

It is also good practice to review the manager logs immediately after installation to identify configuration warnings before enrolling production systems.

Installing the Indexer

The Wazuh Indexer stores all processed security events and makes them searchable through OpenSearch.

During installation, you’ll typically configure:

Cluster name
Node name
Storage location
Heap memory allocation
TLS certificates
Administrative credentials

The Indexer generally consumes the most CPU, memory, and disk resources in a deployment, making proper resource allocation critical for long-term performance.

Administrators should confirm cluster health after installation before sending production traffic.

Installing the Dashboard

The Wazuh Dashboard provides the web interface used by analysts and administrators.

Installation typically includes configuring:

Dashboard service
Indexer connection
Authentication
TLS certificates
Administrative users

Once configured, the Dashboard should display the platform status, connected agents, and security alerts after data begins flowing into the Indexer.

If the Dashboard cannot connect to the Indexer, review authentication settings, certificates, and network connectivity before proceeding.

Initial Configuration

After all three core components are installed, perform several post-installation tasks before onboarding endpoints.

Recommended steps include:

Change default passwords
Verify TLS certificates
Configure administrator accounts
Enable automatic service startup
Review firewall rules
Configure backups
Synchronize system clocks
Test API access

Taking time to validate these settings now can prevent difficult troubleshooting later.

Verifying Installation

Before deploying agents, verify that every component is functioning correctly.

A basic validation checklist includes:

All Wazuh services are running
The Manager accepts API connections
The Indexer reports a healthy cluster
The Dashboard loads successfully
Security certificates are valid
No critical errors appear in service logs

You should also confirm that the Dashboard can retrieve data from the Indexer and that internal communication between services is functioning normally.

Production Deployment Considerations

Installing Wazuh is only the beginning.

As environments grow, architecture decisions have a significant impact on reliability and performance.

High Availability

Production environments should be designed to minimize downtime.

Common high-availability strategies include:

Multiple Wazuh Managers
Indexer clusters
Redundant Dashboard nodes
Load balancers
Redundant storage
Automated failover

Removing single points of failure ensures security monitoring continues even during hardware failures or maintenance windows.

Scaling Recommendations

Resource requirements increase as organizations add more monitored endpoints.

When planning growth, consider:

Number of endpoints
Daily log volume
Alert frequency
Vulnerability scans
Active response usage
Compliance reporting
Log retention policies

Rather than continually upgrading one large server, many organizations scale horizontally by adding additional Manager and Indexer nodes.

Storage Planning

Storage often becomes the first infrastructure bottleneck in mature Wazuh deployments.

Plan storage capacity around:

Daily event ingestion
Data retention period
Index replication
Snapshot storage
Future growth

Using fast SSD storage significantly improves indexing performance and dashboard responsiveness compared to traditional spinning disks.

Regular index lifecycle management also helps prevent excessive storage consumption.

Load Balancing

Large deployments frequently place load balancers in front of Manager nodes or Dashboard servers.

Benefits include:

Improved availability
Better resource utilization
Easier maintenance
Rolling upgrades
Session distribution

Load balancing also simplifies future expansion because additional nodes can be introduced with minimal disruption.

Expert Insight: Large enterprise SOCs often separate ingestion, indexing, and visualization onto dedicated servers instead of scaling a single machine. This architecture improves fault isolation and allows each layer to scale independently as log volume increases.

Deploying Wazuh Agents

Installing the Wazuh platform is only half of the deployment process.

To collect meaningful security data, monitored systems must run Wazuh Agents.

Agents act as sensors distributed throughout your infrastructure, continuously collecting telemetry and securely forwarding it to the Wazuh Manager.

Without agents, the platform has little visibility into endpoint activity.

Why Agents Are Important

Wazuh Agents provide deep visibility into operating system activity that cannot be obtained through network monitoring alone.

They enable:

Threat detection
Compliance monitoring
Asset inventory
Vulnerability assessment
Configuration monitoring
File integrity monitoring
Log collection

Each installed agent expands the organization’s ability to detect suspicious activity across its infrastructure.

Endpoint Visibility

Endpoints are often the first systems targeted during cyberattacks.

Wazuh Agents continuously monitor:

Running processes
User activity
System changes
Installed software
Operating system events

This visibility helps security teams identify malicious behavior before it spreads throughout the environment.

Log Collection

One of the primary responsibilities of the agent is collecting operating system and application logs.

Examples include:

Windows Event Logs
Linux Syslog
Apache logs
SSH authentication logs
Application logs
Firewall events
Custom log files

Centralizing logs allows analysts to investigate incidents from a single location.

Related Guides:

File Integrity Monitoring

File Integrity Monitoring (FIM) detects unauthorized modifications to important files.

Common monitoring targets include:

System binaries
Configuration files
Security policies
Registry keys (Windows)
Web application files

FIM helps identify ransomware activity, unauthorized configuration changes, and persistence mechanisms used by attackers.

Vulnerability Detection

Wazuh Agents collect software inventory information that enables vulnerability detection.

The platform can identify:

Missing security patches
Known CVEs
Outdated packages
Vulnerable software versions

This information allows security teams to prioritize remediation efforts based on actual exposure.

Supported Operating Systems

Wazuh provides native agents for the most commonly deployed enterprise operating systems.

Windows

The Windows agent supports:

Windows Server
Windows 10
Windows 11

It integrates with Windows Event Logs, Defender, Sysmon, and numerous security-related event providers.

Linux

Firstly, Linux agents support a wide range of enterprise distributions, including:

Ubuntu
Debian
Rocky Linux
AlmaLinux
Red Hat Enterprise Linux
Oracle Linux
SUSE Linux

Linux deployments are commonly used to monitor:

Servers
Containers
Cloud instances
Kubernetes worker nodes

macOS

The macOS agent provides monitoring capabilities for Apple endpoints, including:

File integrity monitoring
System inventory
Log collection
Security policy monitoring

This allows organizations to maintain consistent visibility across mixed operating system environments.

Related Guide

For step-by-step Windows deployment instructions, see:

How to Install a Wazuh Agent on Windows Server

Related Guide

For Linux onboarding and enrollment instructions, see:

How to Add Linux Endpoints to Wazuh

Managing Wazuh Agents

Deploying agents is only the beginning.

Ongoing management ensures that endpoints remain healthy, correctly configured, and capable of detecting new threats.

Agent Registration

Every endpoint must register with the Wazuh Manager before it begins sending security events.

Registration establishes:

Agent identity
Authentication
Encryption keys
Trust relationship

Administrators should periodically review registered agents to remove inactive or unauthorized systems.

Agent Groups

Agent Groups allow administrators to apply different configurations to different classes of systems.

Examples include:

Windows servers
Linux servers
Domain controllers
Web servers
Database servers
Cloud workloads
Development environments

Grouping simplifies large-scale policy management and reduces administrative overhead.

Policy Assignment

Different systems require different monitoring policies.

For example:

Database servers may require additional log collection.
Web servers may enable web application monitoring.
Domain controllers may collect advanced authentication events.
Production servers may enable stricter File Integrity Monitoring.

Assigning policies through Agent Groups makes configuration changes consistent across hundreds or thousands of systems.

Agent Health Monitoring

Administrators should continuously monitor agent health to identify:

Offline endpoints
Communication failures
High resource usage
Registration issues
Configuration errors
Outdated software

Monitoring dashboards and automated alerts help detect unhealthy agents before visibility is lost.

Updating Agents Safely

Keeping agents updated ensures access to:

Security patches
Performance improvements
New detection capabilities
Bug fixes
Compatibility updates

Before upgrading production agents:

Test upgrades in a staging environment.
Review release notes.
Verify version compatibility.
Schedule maintenance windows where appropriate.
Confirm successful communication after the upgrade.

Rolling upgrades are generally safer than updating every endpoint simultaneously, particularly in large enterprise environments.

Related Guide

For a complete walkthrough of safely upgrading existing endpoints, see:

How to Upgrade a Wazuh Agent

Expert Insight: Security teams managing thousands of endpoints often automate agent deployment, grouping, and upgrades using configuration management tools such as Ansible, Puppet, or Microsoft Intune. Automation reduces configuration drift while ensuring consistent security policies across the environment.

Building a Scalable Wazuh Environment

Many organizations begin with a single-node Wazuh deployment, but as infrastructure grows, so do the demands placed on the platform.

Increasing numbers of endpoints, higher log ingestion rates, longer data retention periods, and more concurrent analysts all place additional pressure on the Wazuh Indexer and Manager.

Designing for scalability from the outset makes future expansion significantly easier and reduces the risk of performance bottlenecks.

When You Need an Indexer Cluster

A standalone Indexer works well for small deployments, but there comes a point where clustering becomes necessary.

Consider deploying an Indexer cluster if you have:

Hundreds or thousands of monitored endpoints
High daily log ingestion volumes
Long-term log retention requirements
Multiple SOC analysts searching simultaneously
Strict uptime requirements
Regulatory compliance requiring redundant infrastructure

As your environment grows, distributing workloads across multiple Indexer nodes improves both performance and reliability.

Benefits of Clustering

An Indexer cluster offers several advantages over a single-node deployment.

High Availability

In a clustered environment, the failure of a single Indexer node does not necessarily interrupt security monitoring or dashboard access.

High availability helps organizations:

Reduce downtime
Improve service continuity
Perform maintenance without major outages
Continue investigations during hardware failures

This is especially important for organizations operating around the clock or supporting multiple business units.

Fault Tolerance

Clusters replicate data across multiple nodes.

If one node becomes unavailable due to hardware failure, software corruption, or network issues, replicated data remains accessible from other nodes.

Fault tolerance reduces the likelihood of data loss and simplifies disaster recovery.

Better Search Performance

Search queries are distributed across multiple nodes rather than relying on a single server.

Benefits include:

Faster dashboard loading
Lower query latency
Improved responsiveness
Better performance during incident investigations

Large historical searches particularly benefit from distributed indexing.

Horizontal Scalability

Instead of upgrading a single server indefinitely, clustered deployments allow organizations to scale horizontally by adding additional nodes.

Horizontal scaling offers several advantages:

Easier capacity expansion
Better resource utilization
Improved resilience
More predictable performance as log volumes increase

This approach aligns well with modern infrastructure practices and cloud deployments.

Cluster Planning

Before building an Indexer cluster, plan several architectural decisions carefully.

Consider:

Number of Indexer nodes
Expected storage growth
Replica configuration
Network bandwidth
Hardware consistency
Backup strategy
Cluster monitoring
Future expansion

Avoid designing a cluster solely for current requirements. Planning for expected growth over the next several years can reduce future migrations and infrastructure redesign.

Expert Insight: The OpenSearch project recommends deploying an odd number of cluster manager-eligible nodes (such as three) to maintain quorum and improve cluster stability during node failures or maintenance. This helps prevent split-brain scenarios and improves cluster resilience.

Deploying Wazuh with Docker

Containerized deployments have become increasingly popular because they simplify installation, automate configuration, and integrate well with modern DevOps workflows.

Docker allows administrators to deploy Wazuh quickly while maintaining consistent environments across development, testing, and production systems.

However, containerization also introduces operational considerations that differ from traditional package-based installations.

When Docker Makes Sense

Docker is particularly well suited for:

Development environments
Home labs
Testing upgrades
Continuous Integration (CI) pipelines
Proof-of-concept deployments
Infrastructure as Code (IaC)
Container-focused organizations

Containerized deployments make it easier to reproduce environments, automate provisioning, and standardize deployments across multiple teams.

For large enterprise production environments, many organizations still choose dedicated virtual machines or bare-metal servers to maximize performance and simplify long-term storage management.

Docker Deployment Overview

A typical Docker deployment includes containers for:

Wazuh Manager
Wazuh Indexer
Wazuh Dashboard

These containers communicate through Docker networking while using persistent volumes to retain:

Security events
Configuration files
Certificates
Cluster data
User settings

Most deployments are orchestrated using Docker Compose, allowing administrators to start or stop the entire platform with a single command.

Common Docker Challenges

Although Docker simplifies deployment, several common issues regularly affect new installations.

These include:

Incorrect volume mappings
Missing persistent storage
Certificate generation failures
Container networking problems
Resource limits that are too low
Permission errors
Docker Compose version mismatches
Service startup ordering

Many Dashboard and Indexer connectivity issues originate from networking or volume configuration rather than Wazuh itself.

Monitoring container logs during deployment can significantly reduce troubleshooting time.

Related Guide:

Fix Wazuh Docker Compose Deployment

Post-Installation Configuration

A successful installation is only the beginning.

Proper post-installation configuration ensures the platform collects meaningful security data, detects threats accurately, and remains reliable over time.

After deploying the core platform, work through the following configuration tasks before placing Wazuh into production.

Verify Agent Connectivity

The first validation step is confirming that endpoints successfully connect to the Wazuh Manager.

Check that:

Agents appear in the Dashboard
Agent status shows as active
Recent events are arriving
Registration completed successfully
No authentication errors appear in the logs

Offline agents should be investigated before continuing with additional configuration.

Configure Alerting

Alerts are only valuable if they reach the appropriate responders.

Configure alert delivery methods such as:

Email notifications
Webhooks
SIEM integrations
Collaboration platforms
Ticketing systems

Organizations should also review default detection rules to reduce unnecessary alert noise while ensuring critical threats receive immediate attention.

Related Guides:

Enable Vulnerability Detection

Enable Vulnerability Detection so Wazuh can correlate installed software with known Common Vulnerabilities and Exposures (CVEs).

Once enabled, verify that:

Software inventories are collected
Vulnerability feeds are updating
Scan results appear in the Dashboard
Reports populate correctly

Regular vulnerability scanning helps prioritize remediation efforts based on actual exposure.

Configure File Integrity Monitoring

File Integrity Monitoring (FIM) should be configured to monitor sensitive operating system and application files.

Typical monitoring targets include:

System configuration files
Security policies
Registry entries
Web application directories
Critical binaries

Administrators should carefully tune monitoring paths to balance visibility with resource consumption.

Related Guides:

Enable Log Collection

Log collection is one of the most valuable capabilities of the Wazuh platform.

Review which logs should be collected from each endpoint type.

Examples include:

Operating system logs
Authentication logs
Web server logs
Firewall logs
Application logs
Cloud audit logs
Database logs

Collecting only relevant logs helps reduce storage consumption while improving investigation quality.

Related Guide:

Configure Active Response

Active Response allows Wazuh to automatically react when predefined threats are detected.

Common automated responses include:

Blocking malicious IP addresses
Disabling compromised accounts
Killing malicious processes
Executing custom scripts
Isolating affected systems

Automation should be introduced gradually and thoroughly tested before enabling it in production to avoid unintended disruptions.

Verify Dashboard Functionality

Finally, confirm that the Dashboard provides complete visibility into your environment.

Verify that:

Dashboards load correctly
Alerts appear in near real time
Searches return expected results
Visualizations display data accurately
User authentication functions properly
API integrations operate as expected

A fully functioning Dashboard confirms that communication between the Manager, Indexer, and Dashboard has been successfully established.

OpenSearch Performance Tuning Guide – https://opensearch.org/docs/latest/

Expert Insight: Experienced SOC teams often perform a controlled validation exercise immediately after deployment by generating known security events, such as failed logins or test detection rules to verify that alerts flow correctly from the endpoint to the Manager, are indexed successfully, and appear in the Dashboard before onboarding production systems.

Validating Your Deployment

Completing the installation does not necessarily mean your Wazuh deployment is ready for production.

Before onboarding additional endpoints or relying on the platform for threat detection, verify that every core component is operating correctly and communicating as expected.

A structured validation process helps identify configuration issues early, preventing gaps in monitoring and reducing future troubleshooting.

Check Manager Status

The Wazuh Manager is responsible for processing security events, evaluating detection rules, and coordinating communication with agents.

Confirm that:

The Manager service is running
Required ports are listening
No startup errors appear in the logs
APIs respond successfully
Agents can register successfully

Review the Manager log files for warnings or repeated errors that may indicate configuration problems.

Verify Indexer Health

The Wazuh Indexer should report a healthy cluster before production traffic begins.

Verify:

Cluster health status
All expected nodes are online
Index creation succeeds
Shards are allocated properly
Replicas are functioning correctly
No disk watermark warnings exist

If you’re using multiple Indexer nodes, ensure cluster synchronization completes successfully before enrolling large numbers of endpoints.

Confirm Dashboard Access

The Dashboard should load without errors and successfully communicate with the Indexer.

Confirm that you can:

Sign in successfully
View dashboards
Search alerts
Access management features
View connected agents
Generate visualizations

If the Dashboard reports connection errors, review Indexer connectivity, authentication settings, and TLS certificate configuration.

Related Guide:

Test Agent Communication

After enrolling a test endpoint, verify that communication between the agent and Manager functions correctly.

Confirm that:

The agent appears online
Heartbeats are received
Events are transmitted
Configuration updates are applied
No authentication errors occur

Testing communication before deploying hundreds or thousands of agents prevents widespread enrollment issues.

Generate Test Alerts

One of the best ways to validate a deployment is by generating known security events.

Examples include:

Failed login attempts
Test File Integrity Monitoring events
Custom rule matches
Test malware detections
Active Response triggers

Confirm that generated events:

Reach the Manager
Match detection rules
Are indexed successfully
Appear in the Dashboard

This end-to-end validation ensures the entire detection pipeline is functioning correctly.

Related Guide:

How to Test Wazuh Rules

Verify Log Ingestion

Finally, confirm that expected logs are arriving from all monitored systems.

Review:

Operating system logs
Application logs
Firewall logs
Authentication logs
Cloud audit logs
Security events

Unexpected gaps in log collection often indicate configuration issues rather than infrastructure failures.

Monitoring ingestion rates during the first several days after deployment helps establish performance baselines and detect anomalies early.

Installation Best Practices

Whether deploying Wazuh in a small lab or a global enterprise, following established best practices helps improve security, reliability, and long-term maintainability.

Start with a Test Environment

Avoid deploying directly into production whenever possible.

A staging environment allows administrators to:

Validate installation procedures
Test upgrades
Evaluate integrations
Tune detection rules
Measure resource utilization

Testing changes before production reduces operational risk and minimizes unexpected outages.

Use TLS Everywhere

Every communication channel within the Wazuh platform should be encrypted.

This includes communication between:

Agents and Managers
Managers and Indexers
Dashboards and Indexers
Administrative APIs
Cluster nodes

Strong TLS configurations protect sensitive security telemetry from interception and unauthorized access.

Related Guide:

How to Fix Wazuh Certificate Errors

Keep Components Version-Aligned

The Manager, Indexer, Dashboard, and Agents should remain on compatible software versions.

Running mixed versions for extended periods can introduce:

API incompatibilities
Authentication failures
Missing features
Upgrade complications
Unexpected bugs

Whenever possible:

Review release notes before upgrading.
Upgrade components according to the recommended sequence.
Validate compatibility in a test environment.

Monitor Cluster Health

Monitoring should extend beyond endpoint activity.

Administrators should continuously monitor:

Manager health
Indexer cluster status
Storage utilization
Memory usage
CPU consumption
Service availability
Queue sizes

Early detection of infrastructure issues prevents degraded detection performance.

Plan for Future Growth

Many organizations underestimate how quickly security data grows.

When designing your deployment, account for:

Endpoint growth
Longer retention periods
Increased alert volumes
Additional integrations
Regulatory requirements

Building with scalability in mind reduces future infrastructure redesign.

Automate Agent Deployment

Manual installation may be practical for a handful of systems, but automation becomes essential as environments grow.

Common deployment tools include:

Ansible
Puppet
Chef
Microsoft Intune
Microsoft Configuration Manager (SCCM)
Group Policy
Cloud-init
Terraform

Automation improves consistency while reducing deployment time and configuration drift.

Document Your Configuration

Comprehensive documentation simplifies ongoing administration and disaster recovery.

Maintain records for:

Server inventory
Network topology
Certificate locations
Installed versions
Configuration changes
Backup procedures
Upgrade history

Well-maintained documentation also accelerates troubleshooting and onboarding of new administrators.

CIS Controls v8 – https://www.cisecurity.org/controls

Expert Insight: The Center for Internet Security (CIS) emphasizes secure configuration management, asset inventory, and continuous monitoring as foundational cybersecurity practices. Applying these principles during a Wazuh deployment results in a more resilient and maintainable security monitoring platform.

Common Installation Mistakes to Avoid

Even experienced administrators occasionally encounter deployment issues caused by avoidable configuration mistakes.

Understanding these common pitfalls can save hours of troubleshooting and improve long-term platform stability.

Installing Unsupported Versions

Running unsupported operating systems or incompatible software versions often leads to unexpected behavior.

Before installation:

Verify operating system compatibility.
Review supported package versions.
Confirm hardware requirements.
Check upgrade paths.

Always consult the official compatibility documentation before deploying or upgrading production systems.

Ignoring Hardware Requirements

Insufficient hardware is one of the most common causes of poor Wazuh performance.

Common symptoms include:

Slow Dashboard searches
Delayed alert processing
High CPU utilization
Memory exhaustion
Indexing failures

Provision hardware based on expected long-term workloads rather than minimum installation requirements.

Misconfigured Firewalls

Firewall restrictions frequently interrupt communication between components.

Common problems include blocked:

Agent registration ports
Manager communication ports
Dashboard access
Indexer APIs
Cluster synchronization traffic

Verify firewall policies before assuming an application-level problem exists.

Incorrect Certificates

TLS certificate problems commonly prevent communication between:

Dashboard and Indexer
Manager and Indexer
Agents and Manager

Typical certificate issues include:

Expired certificates
Incorrect hostnames
Missing certificate chains
Permission problems
Invalid trust relationships

Implement a documented certificate lifecycle to simplify renewals and reduce outages.

Version Mismatches

Mixing incompatible versions of the Manager, Dashboard, Indexer, and Agents can produce difficult-to-diagnose issues.

Possible symptoms include:

Authentication failures
API errors
Missing Dashboard functionality
Agent registration problems
Plugin incompatibilities

Plan upgrades carefully and avoid skipping major versions unless explicitly supported.

Poor Storage Planning

Storage shortages often appear months after deployment rather than during installation.

Common planning mistakes include:

Underestimating daily log volume
Ignoring replica storage
Insufficient retention planning
Lack of snapshot storage
Using slow storage devices

Regularly review storage consumption and adjust retention policies as infrastructure evolves.

Skipping Post-Installation Validation

Some administrators begin onboarding production systems immediately after installation without validating the deployment.

This increases the risk of:

Missing alerts
Broken agent communication
Indexing failures
Dashboard issues
Incomplete log collection

Always perform comprehensive validation before considering the deployment production-ready.

Expert Insight: Many experienced Wazuh administrators treat deployment as an iterative process rather than a one-time task. They validate each layer. Manager, Indexer, Dashboard, networking, certificates, and agents before progressing to the next stage. This incremental approach significantly reduces troubleshooting complexity and leads to more reliable production deployments.

Common Installation Mistakes to Avoid

Even well-planned Wazuh deployments can fail or behave unpredictably due to a small number of recurring configuration mistakes.

These issues are especially common in first-time installations and often manifest as connectivity problems, missing alerts, degraded performance, or broken dashboards.

Understanding these pitfalls helps ensure a stable and production-ready deployment from the start.

Installing Unsupported Versions

One of the most frequent deployment issues comes from using unsupported operating systems or mismatched Wazuh component versions.

Problems typically arise when:

The operating system is not on the supported list
Manager, Indexer, and Dashboard versions are out of sync
Agents are newer or older than the Manager
Dependencies are not aligned with release requirements

These mismatches can lead to API failures, missing features, or complete service incompatibility.

Always verify compatibility before installation and ensure all components belong to the same supported release family.

Wazuh Compatibility and Installation Requirements – https://documentation.wazuh.com/current/installation-guide/

Ignoring Hardware Requirements

Under-provisioning infrastructure is a common cause of long-term performance degradation.

Symptoms of insufficient hardware include:

High CPU utilization on Indexer nodes
Memory exhaustion warnings
Slow search queries in the Dashboard
Delayed alert generation
Dropped or queued events

Wazuh performance is heavily dependent on indexing capacity, so storage speed, memory allocation, and CPU availability must be sized based on expected ingestion rates, not just minimum installation guidelines.

Misconfigured Firewalls

Firewall misconfigurations frequently prevent communication between Wazuh components.

Common issues include blocked:

Agent-to-Manager communication ports
Manager-to-Indexer traffic
Dashboard access ports
Cluster synchronization channels
API endpoints

These issues often present as “service running but no data flowing,” making them difficult to diagnose without systematic network validation.

Ensure that firewall rules explicitly allow required internal communication paths and restrict external exposure of administrative services.

Incorrect Certificates

TLS certificate issues are one of the leading causes of deployment instability.

Typical mistakes include:

Using expired certificates
Hostname mismatches between nodes
Missing intermediate certificate chains
Incorrect file permissions
Self-signed certificates in production without proper trust configuration

Because Wazuh relies heavily on encrypted communication, even minor certificate errors can break communication between core components.

Version Mismatches

Running mismatched versions of Wazuh components creates subtle and hard-to-diagnose failures.

Examples include:

Dashboard unable to interpret Indexer responses
Manager sending incompatible event formats
Agents failing to register after upgrades
API endpoints returning unexpected errors

To avoid these issues:

Upgrade components together in a coordinated sequence
Avoid partial upgrades across nodes in the same cluster
Validate version compatibility before rollout

Poor Storage Planning

Storage miscalculations are often discovered after deployment, when log volume begins to accumulate.

Common mistakes include:

Underestimating daily ingestion rates
Ignoring replica overhead in clusters
Not planning for retention policies
Using slow or non-SSD storage
Failing to allocate space for snapshots and backups

Because Wazuh generates continuous telemetry, storage growth is predictable, but often underestimated.

Skipping Post-Installation Validation

Deploying Wazuh without validation is a major operational risk.

Without validation, organizations may miss:

Silent agent connectivity failures
Broken indexing pipelines
Missing alerts or rules
Dashboard misconfigurations
Partial log ingestion

A structured validation phase ensures the platform is fully operational before onboarding production workloads.

Wazuh Deployment Checklist

A structured checklist helps ensure consistency across deployments and reduces the risk of configuration drift or missed setup steps.

This section can be used as a final validation framework before moving into production.

Before Installation

Before installing any Wazuh component, confirm the environment is properly prepared.

Key checks include:

Verify supported operating system versions
Confirm hardware meets CPU, memory, and storage requirements
Plan network topology and DNS configuration
Define deployment architecture (single-node or cluster)
Confirm required ports are open
Establish time synchronization (NTP)
Prepare TLS certificate strategy
Define user roles and access policies
Document hostname conventions
Plan backup and recovery strategy

At this stage, the goal is to eliminate environmental uncertainty before installation begins.

During Installation

During installation, focus on consistency and verification at each step.

Key checks include:

Install components in the correct order (Manager → Indexer → Dashboard)
Validate service startup after each component installation
Confirm successful certificate generation and installation
Verify inter-component connectivity
Ensure firewall rules are applied correctly
Monitor installation logs for warnings or errors
Validate that cluster or single-node configuration matches design
Confirm initial Dashboard access after setup

Installation issues are easiest to resolve when caught immediately rather than after full deployment.

After Installation

After installation is complete, validate the full system behavior.

Key checks include:

Confirm Dashboard loads without errors
Verify Indexer cluster health status
Check Manager service stability
Ensure agents can register successfully
Validate log ingestion from test endpoints
Confirm alert generation and rule processing
Verify API authentication and access
Test File Integrity Monitoring (FIM)
Validate vulnerability detection feeds
Confirm Active Response functionality (if enabled)

At this stage, the system should behave predictably under controlled test conditions.

Before Moving to Production

Before transitioning Wazuh into production use, perform a final readiness review.

Key checks include:

Confirm successful end-to-end event flow (Agent → Manager → Indexer → Dashboard)
Validate performance under expected load conditions
Ensure alerting and notification systems are functional
Confirm backup and restore procedures
Verify retention policies and storage thresholds
Test failure scenarios (service restart, node failure, etc.)
Validate security configurations (TLS, authentication, RBAC)
Ensure monitoring and health dashboards are operational
Document final architecture and configuration state

Only after these conditions are met should the system be considered production-ready.

NIST Cybersecurity Framework Overview – https://www.nist.gov/cyberframework

Expert Insight: Mature SOC environments typically treat deployment validation as a formal “go-live gate,” requiring sign-off from security engineering, infrastructure, and operations teams before production onboarding begins. This prevents premature exposure to incomplete or misconfigured monitoring pipelines.

Frequently Asked Questions (FAQ)

This section addresses common questions that arise during Wazuh installation and early deployment.

These answers reflect typical real-world scenarios encountered during small, medium, and enterprise-scale implementations.

Question: How long does a Wazuh installation take?

Installation time depends on deployment type and infrastructure readiness.

Single-node deployment: ~30 minutes to 1 hour
Multi-node production setup: several hours to a day
Clustered or cloud deployments: 1–3 days including validation and tuning

Most delays come not from installation itself, but from prerequisites such as networking, certificates, and storage configuration.

Question: What are the minimum system requirements for Wazuh?

Minimum requirements vary by workload, but general baselines include:

CPU: 2–4 vCPUs (lab environments)
Memory: 8 GB RAM minimum
Storage: SSD strongly recommended
OS: Supported Linux distributions or compatible cloud VM images

Production environments typically require significantly more resources, especially for the Indexer.

Wazuh Installation Requirements – https://documentation.wazuh.com/current/installation-guide/index.html

Question: Should I deploy Wazuh using Docker or native packages?

Both approaches are valid, but the choice depends on operational goals:

Docker is best for:
- Testing and development
- CI/CD pipelines
- Rapid environment provisioning
Native packages are best for:
- Production deployments
- High-performance environments
- Long-term stability and storage control

Many organizations use Docker for experimentation and native deployments for production.

Question: Can I install Wazuh on a single server?

Yes. Wazuh supports single-node deployments where all components run on one machine.

This is suitable for:

Labs and testing
Small environments
Proof-of-concept deployments

However, single-node setups are not recommended for large-scale production due to limited scalability and lack of fault tolerance.

Question: How many agents can one Wazuh manager support?

Agent capacity depends on hardware and event volume.

General guidelines:

Small server: hundreds of agents
Medium server: thousands of agents
Optimized production systems: 10,000+ agents

Performance depends heavily on log volume, rule complexity, and indexing throughput.

Question: When should I build an indexer cluster?

You should consider an Indexer cluster when:

Log volume exceeds single-node capacity
Search performance begins degrading
High availability is required
Data retention requirements increase
Multiple analysts query data simultaneously

Clusters become essential in enterprise-scale environments with sustained ingestion workloads.

Question: How do I add Windows and Linux endpoints after installation?

After installation, endpoints are added by installing and registering the Wazuh Agent.

Typical steps include:

Installing the agent package
Registering the agent with the Manager
Assigning the correct group or policy
Verifying communication in the Dashboard

Related Guides

Question: Can I upgrade Wazuh without reinstalling everything?

Yes. Wazuh supports in-place upgrades for most components.

Best practices include:

Upgrading Manager, Indexer, and Dashboard in a controlled sequence
Testing upgrades in a staging environment first
Backing up configurations and indexes
Ensuring version compatibility across components

Question: How do I verify that my installation is working correctly?

A healthy installation should meet the following criteria:

All services are running without errors
Dashboard loads successfully
Indexer cluster health is green
Agents are reporting data
Alerts are generated and visible
Logs are being indexed correctly

A full end-to-end test (agent → manager → indexer → dashboard) is the most reliable validation method.

Question: What is the most common cause of Wazuh installation failures?

The most common causes include:

Misconfigured firewall rules
Incorrect or mismatched certificates
Insufficient system resources
Version incompatibilities between components
Missing prerequisites such as NTP or DNS configuration

In most cases, installation issues are not caused by Wazuh itself but by environment configuration problems.

Conclusion

Deploying Wazuh successfully requires more than simply running an installation script.

It is a structured process that begins with careful planning, continues through architecture selection, and ends with rigorous validation of every component in the stack.

This guide walked through the complete lifecycle of a Wazuh deployment, including:

Planning deployment architectures (single-node, multi-node, Docker, and cloud)
Understanding core components such as the Manager, Indexer, Dashboard, and Agents
Installing and configuring the platform
Deploying and managing endpoint agents
Scaling Wazuh with Indexer clusters
Running Docker-based deployments
Performing post-installation configuration and validation
Avoiding common installation mistakes
Applying a structured deployment checklist

A key takeaway is that successful Wazuh deployments are not defined by installation speed, but by correctness and validation.

Every component must be verified individually and as part of the full event pipeline before the system is considered production-ready.

For deeper implementation details, you should continue with the specialized guides referenced throughout this article.

These cover practical, step-by-step instructions for installing agents, building clusters, upgrading components, and troubleshooting real-world issues.

Next steps may include:

Hardening your Wazuh deployment for production security
Fine-tuning detection rules to reduce noise and improve signal quality
Expanding endpoint coverage across your infrastructure
Integrating external threat intelligence sources
Automating deployment and configuration management
Implementing long-term log retention and compliance policies

A properly deployed Wazuh platform becomes significantly more powerful once it is tuned, integrated, and scaled according to organizational needs.