Wazuh Installation & Configuration

Deployment and troubleshooting of the Wazuh SIEM stack (Indexer, Manager, Filebeat, and Dashboard).

Install Wazuh Packages

After fixing the GPG key, the repository was added and the core components installed.

    curl -s https://packages.wazuh.com/4.9/wazuh-install.sh -o wazuh-install.sh
    bash wazuh-install.sh --install

Installed services:

Indexer Health Checks

Verified cluster status and indices. Note that -k disables certificate verification, so the --cacert option has no effect in these curl commands.

    curl -k -u admin:admin \
      --cacert /etc/wazuh-dashboard/certs/root-ca.pem \
      https://127.0.0.1:9200/_cluster/health?pretty

The initial output showed status yellow because replica shards cannot be allocated on a single node. Replicas were set to 0 on the .opensearch_dashboards index to stabilize the single-node cluster:

    curl -k -u admin:admin \
      --cacert /etc/wazuh-dashboard/certs/root-ca.pem \
      -X PUT "https://127.0.0.1:9200/.opensearch_dashboards/_settings" \
      -H 'Content-Type: application/json' -d '{
        "index": { "number_of_replicas": 0 }
      }'

OpenSearch Security Configuration

Corrupted roles.yml and roles_mapping.yml prevented the dashboard from authenticating. They were reset by restoring the default templates and reloading them into the indexer with securityadmin.sh:

    rm -rf /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/*
    cp -r /etc/wazuh-indexer/opensearch-security/* \
       /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/

    /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh \
      -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ \
      -cacert /etc/wazuh-indexer/certs/root-ca.pem \
      -cert   /etc/wazuh-indexer/certs/admin.pem \
      -key    /etc/wazuh-indexer/certs/admin-key.pem \
      -nhnv

securityadmin.sh reported Clusterstate: GREEN and the security configuration was populated successfully.

Dashboard Configuration

Configured the Dashboard → Indexer connection with the internal kibana_user credentials. The password is stored in plaintext in this file, so its permissions should stay restricted:

    grep -E 'opensearch.username|opensearch.password' \
      /etc/wazuh-dashboard/opensearch_dashboards.yml

    opensearch.username: "kibana_user"
    opensearch.password: "password123"

Restarted the service and checked its log:

    systemctl restart wazuh-dashboard
    journalctl -u wazuh-dashboard -n 50 --no-pager

Filebeat Configuration & Templates

Filebeat ships /var/ossec/logs/alerts/alerts.json from the manager into the wazuh-alerts-* indices. Restarted it and checked its log:

    systemctl restart filebeat
    journalctl -u filebeat -n 50 --no-pager

Manually loaded the Wazuh index template to fix the missing wazuh-alerts-* mapping:

    curl -k -u admin:admin \
      --cacert /etc/wazuh-dashboard/certs/root-ca.pem \
      -X PUT "https://127.0.0.1:9200/_template/wazuh" \
      -H 'Content-Type: application/json' \
      -d @/etc/filebeat/wazuh-template.json

Verification:

    curl -k -u admin:admin \
      --cacert /etc/wazuh-dashboard/certs/root-ca.pem \
      https://127.0.0.1:9200/_cat/indices?v | grep wazuh

Wazuh API Authentication

Validated the API login for the user wazuh:

    curl -k -u wazuh:wazuh \
      https://127.0.0.1:55000/security/user/authenticate

The response returned a JWT token, confirming that the API is functional.
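The cluster health check, the index verification and the API login above all produce output that has to be read by eye; the following added example (written for these notes, not Wazuh's own code) turns the three into pass/fail checks: it flags the yellow-because-of-replicas state on a single node, lists wazuh-alerts-* indices that are missing or not green from raw `_cat/indices?v` output, and decodes the JWT from /security/user/authenticate to confirm issuer and expiry. The response shape `{"data": {"token": ...}}`, the `iss: wazuh` claim and every sample response are constructed assumptions.

```python
import base64
import json
import time

def needs_replica_fix(health_json: str) -> bool:
    """Yellow single-node cluster with unassigned shards: the case fixed above
    by setting number_of_replicas to 0 (replicas can never allocate on one node)."""
    h = json.loads(health_json)
    return (h.get("status") == "yellow" and h.get("number_of_data_nodes") == 1
            and h.get("unassigned_shards", 0) > 0 and h.get("initializing_shards", 0) == 0)

def unhealthy_alert_indices(cat_text: str) -> list:
    """Scan raw `_cat/indices?v` output (default columns: health status index ...)
    for wazuh-alerts-* indices that are not green; a marker means none exist."""
    alerts = []
    for ln in cat_text.splitlines():
        cols = ln.split()
        if len(cols) >= 3 and cols[0] != "health" and cols[2].startswith("wazuh-alerts-"):
            alerts.append((cols[0], cols[2]))
    if not alerts:
        return ["<no wazuh-alerts-* index: template or Filebeat not loaded>"]
    return [index for health, index in alerts if health != "green"]

def token_valid(auth_json: str, now: float = None) -> bool:
    """Decode the JWT payload from /security/user/authenticate (assumed 4.x shape
    {"data": {"token": ...}}) and check issuer and expiry; the signature is not verified."""
    token = json.loads(auth_json)["data"]["token"]
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    return claims.get("iss") == "wazuh" and claims.get("exp", 0) > now  # "wazuh" issuer assumed

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# --- constructed sample responses, not captured from a real deployment ---
HEALTH_YELLOW = ('{"cluster_name": "wazuh-cluster", "status": "yellow", "number_of_nodes": 1, '
                 '"number_of_data_nodes": 1, "initializing_shards": 0, "unassigned_shards": 3}')
CAT_INDICES = """health status index                       uuid pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-alerts-4.x-2024.06.01 a1   3   0   1200       0            1.2mb      1.2mb
yellow open   wazuh-alerts-4.x-2024.06.02 a2   3   1   300        0            300kb      300kb
green  open   .opensearch_dashboards      a3   1   0   20         0            40kb       40kb
"""
# Unsigned demo token (header.payload.fake-signature) whose exp lies far in the future.
AUTH_RESPONSE = json.dumps({"data": {"token": ".".join([
    _b64url({"alg": "HS256", "typ": "JWT"}),
    _b64url({"iss": "wazuh", "aud": "Wazuh API REST", "exp": 4102444800}),
    "c2lnbmF0dXJl"])}, "error": 0})
```

Feed the functions the stdout of the curl commands above (the index listing before the grep) instead of the constructed samples.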

Final Status