The Wazuh stack was deployed using the official installation assistant on a dedicated Ubuntu VM. The three core components — indexer, server, and dashboard — were installed in sequence on the same machine at 192.168.10.2.

1. Install the Wazuh indexer

Download the installation script and default configuration template, adjust the component IP addresses, generate the configuration files, install the indexer, then start the cluster.
curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.14/config.yml
Edit config.yml so that the indexer, server, and dashboard entries all reference the correct IP address of the Wazuh VM before generating config files.
nano config.yml
sudo bash wazuh-install.sh --generate-config-files
sudo bash wazuh-install.sh --wazuh-indexer node-1
sudo bash wazuh-install.sh --start-cluster
Validation: After installation, confirm the indexer is reachable and the cluster initialised successfully.
sudo tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "'admin'" -A 1
curl -k -u admin https://192.168.10.2:9200
curl -k -u admin "https://192.168.10.2:9200/_cat/nodes?v"
Result: The indexer responded on port 9200, the node appeared as node-1, and the cluster initialised successfully.
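
A pre-flight check for the config.yml edit in this step, as an added example that is not part of the original page or the Wazuh project: it fails if any active ip: entry still holds a template placeholder or differs from the expected address. The function names and the sample file are constructed, and the sample assumes the layout of the 4.x template.

```shell
# Added example (not Wazuh project code): pre-flight check for config.yml.
# check_config FILE EXPECTED_IP returns 0 only if indexer, server and dashboard
# each have an active "ip:" entry and every such entry equals EXPECTED_IP.
check_config() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                        # skip commented-out nodes
        /^[ \t]*(indexer|server|dashboard):/ {     # track the current section
            section = $1; sub(/:.*/, "", section); next
        }
        /^[ \t]*ip:/ {
            v = $0
            sub(/^[ \t]*ip:[ \t]*/, "", v)         # drop the key
            sub(/[ \t]+#.*$/, "", v)               # drop a trailing comment
            gsub(/[^0-9A-Za-z.:<>_-]/, "", v)      # drop quotes and whitespace
            seen[section]++
            if (v ~ /^<.*>$/) {
                printf "line %d (%s): placeholder %s not replaced\n", NR, section, v; bad++
            } else if (v != want) {
                printf "line %d (%s): %s is not %s\n", NR, section, v, want; bad++
            }
        }
        END {
            n = split("indexer server dashboard", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in seen)) { printf "no ip entry for %s\n", need[i]; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}
# Constructed sample in the 4.x template layout; dashboard keeps its placeholder.
write_sample() {
    cat > "$1" <<'EOF'
nodes:
  indexer:
    - name: node-1
      ip: "192.168.10.2"
    #  ip: "<indexer-node-ip>"
  server:
    - name: wazuh-1
      ip: "192.168.10.2"
  dashboard:
    - name: dashboard
      ip: "<dashboard-node-ip>"
EOF
}
tmp=$(mktemp)
write_sample "$tmp"
check_config "$tmp" 192.168.10.2 || echo "fix config.yml before --generate-config-files"
rm -f "$tmp"
```

Run against the real file, the call is check_config config.yml 192.168.10.2, placed before the --generate-config-files step.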

2. Install the Wazuh server

With the indexer running, install the Wazuh server component.
sudo bash wazuh-install.sh --wazuh-server wazuh-1
Result: The installation completed successfully. This step automatically installed and configured the following:
  • Wazuh manager
  • Vulnerability detection configuration
  • Filebeat installation and service startup

3. Install the Wazuh dashboard

Install the final core component — the web dashboard.
sudo bash wazuh-install.sh --wazuh-dashboard dashboard
Result: The dashboard installation completed successfully. The web interface is available at:
https://192.168.10.2:443

Security considerations

After deployment, the credentials for the default accounts wazuh and wazuh-wui were changed by following the Securing the Wazuh server API guide.
This lab environment is isolated within a dedicated VLAN with firewall-restricted access. Several hardening steps that would be required in production were therefore not applied here.
In a production environment, additional hardening steps would include:
  • Restricting indexer API access to the Wazuh server only
  • Enforcing a minimum TLS version of 1.2
  • Replacing the default self-signed certificate with a trusted certificate
  • Enabling audit logging on the indexer
  • Hardening the underlying OS against CIS benchmarks
  • Applying RBAC with least-privilege access to the Wazuh API

Network and firewall configuration

Before onboarding agents, the required ports for communication between Wazuh components and agents were reviewed. For this setup:
  • All Wazuh core components run on the same VM
  • No separate firewall rules were required between the internal Wazuh components
  • Only agent-to-server communication needed to be allowed
  • Dashboard access was restricted to the admin workstation

Network overview

| VLAN | Name | Role |
|---|---|---|
| VLAN 2 | Home | Permitted to send agent traffic to the Wazuh server |
| VLAN 10 | Lab-Security | Contains the Wazuh VM and lab systems (home-lab-dc-01, home-lab-ubuntu-01, home-lab-client-01) |

Figure: Network object showing required ports for Wazuh agent communication
Figure: Firewall rules for Wazuh agent traffic

Agent deployment

Windows

The first agent was deployed on the admin workstation home-home-paw-01. The official Wazuh documentation for Windows agent deployment was followed. After completing the installation and configuration steps, the agent connected to the Wazuh manager and appeared in the dashboard.
Figure: First Windows agent visible in the Wazuh dashboard

Linux

The Linux agent deployment process followed the same steps as the Windows deployment. The main difference was selecting the correct package for the target distribution and CPU architecture. The Linux agent also appeared successfully in the dashboard after installation.

Additional agents

After the first successful deployments, the same onboarding steps were repeated for the following systems:
  • home-lab-dc-01
  • home-lab-client-01
  • home-lab-ubuntu-01

Current agent overview

Figure: Overview of all active agents in the Wazuh dashboard

Observations

Manual agent deployment is straightforward for a small number of systems. For larger environments, more scalable deployment methods are more practical:
