Wazuh is an open-source SIEM and XDR. It monitors endpoints, detects threats, fires alerts, and maps everything to MITRE ATT&CK. This guide gets you from zero to a working deployment. No theory dumps. No enterprise fluff. Just the commands that work.
Tested on Ubuntu 22.04 with Wazuh 4.7+. The installer handles OpenSearch, the manager, and the dashboard. One script, three components, production-ready in under an hour.
Step 1: Server Preparation
Run this on a fresh Ubuntu 22.04 machine. 8 GB RAM minimum, 4 vCPU. Don't co-locate this with anything else — the indexer's JVM will fight for memory.
sudo apt update && sudo apt upgrade -y
sudo hostnamectl set-hostname wazuh-server
# Wazuh components need these
sudo apt install -y curl wget gnupg apt-transport-https lsb-release
# Set the timezone (Asia/Jakarta is this guide's choice; pick yours so alert timestamps line up with your other logs)
sudo timedatectl set-timezone Asia/Jakarta
# Disable swap: the indexer is built on OpenSearch, whose JVM heap must never be paged out
sudo swapoff -a
sudo sed -i '/ swap / s/^/#/' /etc/fstab
Step 2: Download the Installer
Wazuh ships an all-in-one installation assistant. It generates certificates, configures the indexer cluster, installs the manager, and deploys the dashboard. All from one script and one config file.
sudo su
cd ~
# Download the latest installer and config template
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.7/config.yml
Step 3: Edit config.yml
The config file tells the installer which components go where. For a single-server deployment, use the same IP for all three. The installer reads this, generates certificates with correct SANs, and provisions each component.
nodes:
  indexer:
    - name: node-1
      ip: 192.168.1.10
  server:
    - name: wazuh-1
      ip: 192.168.1.10
  dashboard:
    - name: dashboard
      ip: 192.168.1.10
Replace 192.168.1.10 with your server's IP. For multi-node deployments, add more entries under each section.
Step 4: Generate Certificates & Passwords
This step creates all the PKI material the cluster needs. The output is a single tar file containing certificates, keys, and randomly generated passwords. Run this once, then copy the tar to other nodes if you're doing multi-server.
bash wazuh-install.sh --generate-config-files
# View the admin password
tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "'admin'" -A 1
# Save this password. You'll need it for the dashboard login.
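The tar holds more than the admin credential: the dashboard's own indexer user (kibanaserver) and the two Wazuh API users (wazuh and wazuh-wui) sit in the same wazuh-passwords.txt, and you will need those later for the API and integrations. The following is an added example, not code from this guide or from the Wazuh project. It generalises the grep above into a function that returns any user's password from the tar, assuming the member path wazuh-install-files/wazuh-passwords.txt and the paired "<kind>_username: 'user'" / "<kind>_password: 'value'" lines the 4.x installer writes; the sample tar it can build for a dry run contains constructed, fake passwords.

```sh
# Added example (not from the guide or the Wazuh project): pull any generated
# credential out of wazuh-install-files.tar, not only the indexer admin.
# Assumed tar layout: a wazuh-passwords.txt member under wazuh-install-files/,
# with "<kind>_username: '<user>'" lines each followed by a "<kind>_password: '<value>'" line.

# Print the password for USER (admin, kibanaserver, wazuh, wazuh-wui, ...)
# stored in TARFILE. Returns 1 when the user is not in the file.
wazuh_password() {
    tarfile=$1
    user=$2
    pw=$(tar -xOf "$tarfile" wazuh-install-files/wazuh-passwords.txt \
        | grep -A1 -- "_username: '${user}'" \
        | sed -n "s/^[[:space:]]*[a-z_]*_password: '\(.*\)'[[:space:]]*$/\1/p" \
        | head -n 1)
    [ -n "$pw" ] || return 1
    printf '%s\n' "$pw"
}

# Build a throwaway tar in the same layout with constructed (fake) passwords,
# so the function can be exercised without a real installation.
make_sample_tar() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wazuh-install-files"
    cat > "$dir/wazuh-install-files/wazuh-passwords.txt" <<'EOF'
# Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
  indexer_username: 'admin'
  indexer_password: 'S4mple*Admin.Pass'

# Wazuh dashboard user for establishing the connection with Wazuh indexer
  indexer_username: 'kibanaserver'
  indexer_password: 'S4mple+Kibana.Pass'

# Wazuh API user
  api_username: 'wazuh'
  api_password: 'S4mple?Api.Pass'

# Wazuh API user
  api_username: 'wazuh-wui'
  api_password: 'S4mple-Wui.Pass'
EOF
    (cd "$dir" && tar -cf wazuh-install-files.tar wazuh-install-files)
    printf '%s\n' "$dir/wazuh-install-files.tar"
}

# Stand-alone run: use the real tar when it is in the working directory,
# otherwise demonstrate on the constructed sample.
if [ -f wazuh-install-files.tar ]; then
    printf 'admin: %s\n' "$(wazuh_password wazuh-install-files.tar admin)"
else
    sample=$(make_sample_tar)
    printf 'sample admin: %s\n' "$(wazuh_password "$sample" admin)"
fi
```

The quotes in the grep pattern are what make the match exact: 'wazuh' does not match 'wazuh-wui', and the sed only accepts a line whose value is wrapped in single quotes, so a comment line that happens to mention a user name is ignored.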
Step 5: Install the Indexer
The indexer is Wazuh's packaged OpenSearch. It stores alerts, events, and agent state. This step installs it on the node named node-1 in your config.yml.
bash wazuh-install.sh --wazuh-indexer node-1
Step 6: Initialize the Cluster
This starts the indexer cluster and loads its security configuration (the users and passwords from step 4). Run it once, on any indexer node, but only after every indexer node listed in config.yml has been installed; from then on the nodes find each other through the installer-generated configuration.
bash wazuh-install.sh --start-cluster
# Verify the indexer is running. curl prompts for the admin password, which keeps it out of shell history and ps output
curl -k -u admin https://localhost:9200
# Expected: JSON with cluster_name, version and the OpenSearch tagline. -k skips certificate verification because the installer's CA is not in the system trust store yet
Step 7: Install the Wazuh Server
The server is the brain: analysis engine, agent enrollment, rule processing. It enrolls agents on port 1515 (wazuh-authd), receives their events on port 1514/TCP, runs decoders and rules over them, and ships the resulting alerts to the indexer. Its REST API, which the dashboard talks to, listens on 55000.
bash wazuh-install.sh --wazuh-server wazuh-1
Step 8: Install the Dashboard
The web interface. Agent management, rule editing, threat hunting, MITRE ATT&CK mapping, all from a browser. Default port 443, served with the certificate the installer generated, so your browser will warn until you trust that CA or replace the certificate.
bash wazuh-install.sh --wazuh-dashboard dashboard
# After install, access https://YOUR_IP
# Login: admin / password from step 4
Step 9: Deploy an Agent (Linux)
The agent is what watches your endpoints. It collects logs, checks file integrity, inventories installed packages so the manager can run vulnerability detection against them, and sends everything to the manager over port 1514. Install it on every machine you want to monitor.
# On the target machine (not the Wazuh server). Writing the keyring and the repo file needs root, so sudo is on each command
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update
# Replace 192.168.1.10 with your Wazuh manager IP. The variable must come after sudo: sudo resets the environment, so VAR=value placed in front of it never reaches apt and the agent is left pointing at the MANAGER_IP placeholder
sudo WAZUH_MANAGER="192.168.1.10" apt install -y wazuh-agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Step 10: Deploy an Agent (Windows)
# Run in an elevated (Administrator) PowerShell. Check https://packages.wazuh.com/4.x/windows/ for the latest 4.x MSI
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.5-1.msi -OutFile wazuh-agent.msi
# Replace 192.168.1.10 with your manager IP. WAZUH_MANAGER is where events go (1514); WAZUH_REGISTRATION_SERVER is where the agent enrolls (1515), normally the same host
Start-Process msiexec -ArgumentList "/i wazuh-agent.msi /qn WAZUH_MANAGER=192.168.1.10 WAZUH_REGISTRATION_SERVER=192.168.1.10" -Wait
Start-Service WazuhSvc
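Both agent installs above enroll against port 1515, and out of the box wazuh-authd accepts any enrollment request that reaches it: use_password is "no" in the stock manager ossec.conf. Anyone on the network who can open 1515 can therefore register a fake agent and push events into your SIEM. The following is an added example, not code from this guide or from the Wazuh project, that turns on a shared enrollment password. It assumes the stock "<use_password>no</use_password>" line in /var/ossec/etc/ossec.conf, the password file /var/ossec/etc/authd.pass on the manager and on each agent, and the wazuh group that a real install creates; file paths are parameters so everything can be tried on copies first, and the sample config it builds is a constructed, trimmed copy of the stock <auth> block.

```sh
# Added example, not from the guide or the Wazuh project. Require a shared
# enrollment password before wazuh-authd (port 1515) registers an agent.
# Assumptions: the stock manager line "<use_password>no</use_password>",
# the password file /var/ossec/etc/authd.pass on manager and agents, and the
# wazuh group on a real install. Paths are parameters for dry runs on copies.

# 32 random alphanumeric characters; LC_ALL=C keeps tr byte-oriented.
gen_enrollment_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
    echo
}

# Write PASSWORD to PASS_FILE readable only by root and the wazuh group.
# chown is skipped when the group does not exist (e.g. while testing on a copy).
write_authd_pass() {
    pass_file=$1
    password=$2
    (umask 077 && printf '%s\n' "$password" > "$pass_file")
    if getent group wazuh >/dev/null 2>&1; then
        chown root:wazuh "$pass_file"
    fi
    chmod 640 "$pass_file"
}

# Manager side: flip use_password to yes in CONF and install the password.
# Returns 1 if the stock line is absent, so a customised config is never
# silently left unchanged. Afterwards: systemctl restart wazuh-manager
manager_require_enrollment_password() {
    conf=$1
    pass_file=$2
    password=$3
    grep -q '<use_password>no</use_password>' "$conf" || return 1
    sed -i 's#<use_password>no</use_password>#<use_password>yes</use_password>#' "$conf"
    write_authd_pass "$pass_file" "$password"
}

# Agent side: the same file is read by the agent at enrollment. On deb/rpm/msi
# installs the WAZUH_REGISTRATION_PASSWORD deployment variable writes it for you.
agent_set_enrollment_password() {
    write_authd_pass "$1" "$2"
}

# Current use_password value in CONF: "yes", "no", or empty if the element is missing.
enrollment_password_required() {
    sed -n 's#.*<use_password>\([a-z]*\)</use_password>.*#\1#p' "$1" | head -n 1
}

# Constructed, trimmed copy of the stock <auth> block for a dry run on a temp file.
make_sample_manager_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<ossec_config>
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ssl_verify_host>no</ssl_verify_host>
  </auth>
</ossec_config>
EOF
    printf '%s\n' "$f"
}

# Dry run on the sample. For the real thing, as root on the manager:
#   manager_require_enrollment_password /var/ossec/etc/ossec.conf /var/ossec/etc/authd.pass "$(gen_enrollment_password)"
sample=$(make_sample_manager_conf)
sample_pass=$(mktemp)
manager_require_enrollment_password "$sample" "$sample_pass" "$(gen_enrollment_password)"
printf 'use_password is now: %s\n' "$(enrollment_password_required "$sample")"
rm -f "$sample" "$sample_pass"
```

Copy the resulting authd.pass to each agent (or pass the value as WAZUH_REGISTRATION_PASSWORD at install time) before restarting wazuh-manager; agents that enroll without it are rejected, which is the point. The password only gates enrollment, not the per-agent key exchanged afterwards, so it does not need rotating on every deployment.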
Step 11: Verify Everything
Log into the dashboard and open Agents. A newly installed agent should show up as Active within about a minute. If it doesn't, work through these checks, noting which host each one runs on:
# 1. On the agent: can it reach the manager? 1514 carries events; repeat with 1515, which enrollment uses
nc -zv 192.168.1.10 1514
# 2. On the manager: is the agent registered? Each line of client.keys is one enrolled agent (ID, name, IP, key)
sudo cat /var/ossec/etc/client.keys | wc -l
# 3. On the manager: any errors from authd or remoted?
sudo tail -50 /var/ossec/logs/ossec.log
# 4. On the manager: is the firewall letting agent traffic in?
sudo ufw status | grep 1514
# 5. On the agent: is the service actually running?
sudo systemctl status wazuh-agent
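If those checks all pass and the agent still never appears, look at the agent's own configuration. The manager address lives in <client><server><address> in /var/ossec/etc/ossec.conf; when the package was installed without WAZUH_MANAGER reaching apt, that element still holds the MANAGER_IP placeholder and the agent has nowhere to connect. The following is an added example, not code from this guide or from the Wazuh project. It assumes the stock agent ossec.conf, in which that is the only <address> element, takes the file path as a parameter so it can be tried on a copy, and builds a constructed, trimmed copy of the stock <client> block for that purpose.

```sh
# Added example, not from the guide or the Wazuh project. Inspect and fix the
# manager address in an agent's ossec.conf. Assumes the stock agent config,
# where <client><server><address> is the only <address> element in the file.

# Print the manager address configured in CONF (first <address> element).
agent_manager_address() {
    sed -n 's#.*<address>\([^<]*\)</address>.*#\1#p' "$1" | head -n 1
}

# 0 if CONF points at a real manager, 1 if it is empty or still the placeholder.
agent_conf_ok() {
    addr=$(agent_manager_address "$1")
    [ -n "$addr" ] && [ "$addr" != "MANAGER_IP" ]
}

# Point CONF at IP (IPv4, IPv6 or a hostname). Anything outside the
# address/hostname alphabet is rejected so it cannot reach sed or the XML
# unescaped. Afterwards: systemctl restart wazuh-agent
agent_set_manager() {
    conf=$1
    ip=$2
    case "$ip" in
        ''|*[!A-Za-z0-9.:-]*) return 1 ;;
    esac
    sed -i "s#<address>[^<]*</address>#<address>${ip}</address>#" "$conf"
}

# Constructed, trimmed copy of the stock <client> block as left by an install
# that never received WAZUH_MANAGER.
make_sample_agent_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
  </client>
</ossec_config>
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: report on the real agent config if it is readable,
# otherwise demonstrate the fix on the sample.
conf=/var/ossec/etc/ossec.conf
if [ ! -r "$conf" ]; then
    conf=$(make_sample_agent_conf)
    agent_set_manager "$conf" 192.168.1.10
fi
if agent_conf_ok "$conf"; then
    printf 'agent will connect to %s\n' "$(agent_manager_address "$conf")"
else
    printf 'no usable manager address in %s (placeholder or missing)\n' "$conf" >&2
fi
```

On a real agent run it as root; a placeholder result means fixing the address with agent_set_manager and restarting wazuh-agent, after which the enrollment on 1515 happens automatically on the next start.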
What You Have Now
A functioning SIEM. 3,000+ built-in detection rules. File integrity monitoring. Vulnerability scanning. MITRE ATT&CK mapping. All from one server, one script, no licensing costs.
Next steps: tune the rules, set up Slack or Telegram alerts, deploy agents to production endpoints, and integrate with Shuffle SOAR for automated response. But that's for another guide.