The Wazuh Indexer is an OpenSearch single-node instance that stores alerts, inventory data, vulnerability reports, and FIM events. Its configuration is split across two files:
config/wazuh_indexer/wazuh.indexer.yml (main OpenSearch configuration) and config/wazuh_indexer/internal_users.yml (the built-in user database). Both files are bind-mounted into the wazuh.indexer container at startup — changes require a container restart to take effect.
## wazuh.indexer.yml Reference
The wazuh.indexer.yml file is the primary OpenSearch configuration. It controls networking, storage paths, cluster identity, TLS certificates, and the security plugin.
### Core Settings
| Key | Value | Description |
|---|---|---|
| network.host | 0.0.0.0 | Listen on all network interfaces inside the container |
| node.name | wazuh.indexer | Unique node identifier, also used as the TLS certificate CN |
| cluster.name | wazuh-cluster | OpenSearch cluster name |
| path.data | /var/lib/wazuh-indexer | Directory where index data shards are stored |
| path.logs | /var/log/wazuh-indexer | Directory for OpenSearch log output |
| discovery.type | single-node | Bootstrap as a single-node cluster, skipping leader election |
| http.port | 9200-9299 | Port range for the REST API (primary: 9200) |
| transport.tcp.port | 9300-9399 | Port range for inter-node transport (unused in single-node mode) |
| compatibility.override_main_response_version | true | Return a compatible version string to tools that check the OpenSearch version |
| cluster.routing.allocation.disk.threshold_enabled | false | Disable disk-based shard allocation thresholds; prevents indexing stalls when the disk is moderately full |
### TLS / SSL Settings
TLS is enforced on both the HTTP REST layer and the internal transport layer. All certificates are generated by wazuh-dev.sh and mounted into the container.
| Key | Value | Description |
|---|---|---|
| plugins.security.ssl.http.enabled | true | Require HTTPS for all REST API connections |
| plugins.security.ssl.http.pemcert_filepath | /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem | Node certificate for HTTPS |
| plugins.security.ssl.http.pemkey_filepath | /usr/share/wazuh-indexer/config/certs/wazuh.indexer.key | Private key for the HTTPS certificate |
| plugins.security.ssl.http.pemtrustedcas_filepath | /usr/share/wazuh-indexer/config/certs/root-ca.pem | Root CA that signed all cluster certificates |
| plugins.security.ssl.transport.pemcert_filepath | /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem | Node certificate for the transport layer |
| plugins.security.ssl.transport.pemkey_filepath | /usr/share/wazuh-indexer/config/certs/wazuh.indexer.key | Private key for the transport certificate |
| plugins.security.ssl.transport.pemtrustedcas_filepath | /usr/share/wazuh-indexer/config/certs/root-ca.pem | Root CA for transport layer trust |
| plugins.security.ssl.transport.enforce_hostname_verification | false | Do not verify the certificate CN against the hostname on transport connections |
| plugins.security.ssl.transport.resolve_hostname | false | Do not attempt DNS resolution during the transport TLS handshake |
### Security Plugin — Identity and Authorization
| Key | Value | Description |
|---|---|---|
| plugins.security.authcz.admin_dn | CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US | Distinguished Name of the admin client certificate; this DN bypasses all access controls and is used for cluster configuration operations |
| plugins.security.nodes_dn | CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US | DN that identifies trusted cluster nodes for inter-node communication |
| plugins.security.check_snapshot_restore_write_privileges | true | Require write privileges when restoring a snapshot |
| plugins.security.enable_snapshot_restore_privilege | true | Enable the snapshot/restore privilege in the security model |
| plugins.security.allow_default_init_securityindex | true | Initialize the security index with defaults if it does not exist on startup |
| plugins.security.restapi.roles_enabled | ["all_access", "security_rest_api_access"] | Roles permitted to use the REST Management API for security configuration |
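As an added check (example code, not part of the project or of this page), a small Python audit that parses the flat key/value layout of wazuh.indexer.yml and verifies the relationships the tables above imply: HTTPS is enforced, node.name is the CN of a nodes_dn entry, no node DN doubles as an admin_dn (which would bypass all access controls), and both TLS layers trust the same root CA. The sample excerpt and all function names are constructed for this example.

```python
import re

# Constructed excerpt in the flat key/value layout this page documents
# (not the project's real file); list-valued keys use YAML "- item" lines.
SAMPLE_INDEXER_YML = """\
node.name: "wazuh.indexer"
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.nodes_dn:
- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
"""


def parse_flat_yaml(text):
    """Minimal parser for 'key: value' lines and 'key:' followed by '- item' lists."""
    cfg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and key is not None:
            cfg.setdefault(key, []).append(line[2:].strip().strip('"'))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value:
            cfg[key] = value
    return cfg


def cn_of(dn):
    """Extract the CN attribute from an X.500 DN string."""
    match = re.search(r"(?:^|,)\s*CN=([^,]+)", dn)
    return match.group(1) if match else None


def audit_security_settings(cfg):
    """Return findings for the documented invariants; an empty list means all hold."""
    findings = []
    if str(cfg.get("plugins.security.ssl.http.enabled")).lower() != "true":
        findings.append("HTTPS is not enforced on the REST API")
    nodes = cfg.get("plugins.security.nodes_dn", [])
    if cfg.get("node.name") not in [cn_of(dn) for dn in nodes]:
        findings.append("node.name does not match the CN of any nodes_dn entry")
    if set(cfg.get("plugins.security.authcz.admin_dn", [])) & set(nodes):
        findings.append("a node DN is also an admin DN, so it would bypass access control")
    http_ca = cfg.get("plugins.security.ssl.http.pemtrustedcas_filepath")
    if http_ca != cfg.get("plugins.security.ssl.transport.pemtrustedcas_filepath"):
        findings.append("HTTP and transport layers trust different root CAs")
    return findings
```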
### System Indices
System indices hold internal OpenSearch plugin state. Access to these indices is restricted to prevent accidental modification.

| Index Pattern | Plugin |
|---|---|
| .opendistro-alerting-config | Alerting configuration |
| .opendistro-alerting-alert* | Alerting active alerts |
| .opendistro-anomaly-results* | Anomaly detection results |
| .opendistro-anomaly-detector* | Anomaly detector configs |
| .opendistro-anomaly-checkpoints | Anomaly detection checkpoints |
| .opendistro-anomaly-detection-state | Anomaly detection state |
| .opendistro-reports-* | Reports plugin data |
| .opendistro-notifications-* | Notifications plugin data |
| .opendistro-notebooks | Notebooks plugin data |
| .opensearch-observability | Observability plugin data |
| .opendistro-asynchronous-search-response* | Async search responses |
| .replication-metadata-store | Cross-cluster replication metadata |
### Full wazuh.indexer.yml
## internal_users.yml — User Management
The internal_users.yml file is the OpenSearch Security plugin’s built-in user database. Each entry stores a bcrypt password hash and a list of backend roles. The security plugin maps backend roles to permissions through role mappings defined separately in roles_mapping.yml.
The file follows this structure:
### Default Users
| Username | Reserved | Backend Role(s) | Description |
|---|---|---|---|
| admin | true | admin | Full administrative access. Reserved; cannot be deleted via the API |
| kibanaserver | true | — | Service account used by the Wazuh Dashboard to communicate with the Indexer. Reserved |
| kibanaro | false | kibanauser, readall | Read-only Dashboard user with index read permissions |
| logstash | false | logstash | Ingest account for Logstash pipelines |
| readall | false | readall | Read-only access to all indices |
| snapshotrestore | false | snapshotrestore | Permission to create and restore index snapshots |
| tfgadmin | false | admin | Custom administrator account added for this Simovilab deployment |
reserved: true means the user cannot be modified or deleted through the REST API — only by editing internal_users.yml directly and re-running the securityadmin tool.
### Adding a Custom User
The wazuh-dev.sh helper script automates user creation so you do not need to run securityadmin manually. Set the following variables in your .env file before running the script:
1. Hash the password. Runs the OpenSearch Security hash tool inside a temporary container to produce a bcrypt hash.
2. Upsert the user. Writes the username and bcrypt hash into config/wazuh_indexer/internal_users.yml, creating a new entry or updating the hash if the user already exists.
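The upsert step above, as an added example that is not part of wazuh-dev.sh or of this page: a Python function that writes a bcrypt hash into an internal_users.yml entry, creating the entry or replacing only the hash line of an existing one, and that refuses any value which is not a bcrypt hash, so a plaintext password can never land in the file. The sample file contents, the function and the field defaults are constructed assumptions.

```python
import re

# bcrypt output of the OpenSearch hash tool: $2y$<cost>$ followed by 53 chars of salt+digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

# Constructed sample in the internal_users.yml layout (not the deployment's real file).
OLD_ADMIN_HASH = "$2y$12$" + "A" * 53
SAMPLE_USERS_YML = f"""\
_meta:
  type: "internalusers"
  config_version: 2

admin:
  hash: "{OLD_ADMIN_HASH}"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"
"""


def upsert_user(yml_text, username, bcrypt_hash, backend_roles=("admin",), description=""):
    """Return yml_text with `username` added, or with only its hash replaced if it exists."""
    if not BCRYPT_RE.match(bcrypt_hash):
        raise ValueError("refusing to write a value that is not a bcrypt hash")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", username):
        raise ValueError("username contains characters unsafe for a YAML key")
    lines = yml_text.splitlines()
    start = next((i for i, ln in enumerate(lines) if ln == f"{username}:"), None)
    if start is None:  # new user: append a complete entry
        block = [f"{username}:", f'  hash: "{bcrypt_hash}"', "  reserved: false",
                 "  backend_roles:"]
        block += [f'  - "{role}"' for role in backend_roles]
        block.append(f'  description: "{description}"')
        if lines and lines[-1] != "":
            lines.append("")
        return "\n".join(lines + block) + "\n"
    # existing user: the entry ends at the next unindented key; touch only the hash line
    end = start + 1
    while end < len(lines) and (lines[end] == "" or lines[end].startswith(" ")):
        end += 1
    for i in range(start + 1, end):
        if lines[i].startswith("  hash:"):
            lines[i] = f'  hash: "{bcrypt_hash}"'
            break
    else:
        lines.insert(start + 1, f'  hash: "{bcrypt_hash}"')
    return "\n".join(lines) + "\n"
```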
## Java Heap Settings
The Indexer’s JVM heap is configured via the OPENSEARCH_JAVA_OPTS environment variable in docker-compose.yml:
To change the heap size, edit that value in docker-compose.yml and restart the Indexer: