
The Wazuh Indexer is an OpenSearch single-node instance that stores alerts, inventory data, vulnerability reports, and FIM events. Its configuration is split across two files: config/wazuh_indexer/wazuh.indexer.yml (the main OpenSearch configuration) and config/wazuh_indexer/internal_users.yml (the built-in user database). Both files are bind-mounted into the wazuh.indexer container at startup. Changes to wazuh.indexer.yml take effect only after a container restart. Changes to internal_users.yml behave differently: the file is loaded into the security index only on the very first start (see plugins.security.allow_default_init_securityindex below), so once that index exists, edits must be pushed with securityadmin.sh, which is what wazuh-dev.sh does; a restart alone does not apply them.
The default admin user password is _S1M0V1L48_T7G_2025_.*-, as shown in .env.example. It grants full administrative access to the Indexer REST API and to the security plugin, and because it appears in .env.example it should be treated as public. Change it before any production deployment by updating INDEXER_PASSWORD in your .env file and re-running wazuh-dev.sh.

wazuh.indexer.yml Reference

The wazuh.indexer.yml file is the primary OpenSearch configuration. It controls networking, storage paths, cluster identity, TLS certificates, and the security plugin.

Core Settings

| Key | Value | Description |
| --- | --- | --- |
| network.host | 0.0.0.0 | Listen on all network interfaces inside the container. What is reachable from the host is decided by the port mapping in docker-compose.yml, not by this setting |
| node.name | wazuh.indexer | Unique node identifier. It is also the CN of the node certificate and therefore has to agree with plugins.security.nodes_dn |
| cluster.name | wazuh-cluster | OpenSearch cluster name |
| path.data | /var/lib/wazuh-indexer | Directory where index data shards are stored |
| path.logs | /var/log/wazuh-indexer | Directory for OpenSearch log output |
| discovery.type | single-node | Bootstrap as a single-node cluster, skipping leader election |
| http.port | 9200-9299 | Port range for the REST API; the first free port in the range is bound, normally 9200 |
| transport.tcp.port | 9300-9399 | Port range for the inter-node transport layer. The port is still bound in single-node mode, but carries no inter-node traffic |
| compatibility.override_main_response_version | true | Report a legacy Elasticsearch-compatible version (7.10.2) in the root response, so clients that check the server version before talking to the node do not refuse it |
| cluster.routing.allocation.disk.threshold_enabled | false | Disable the disk-watermark allocation checks that would otherwise block indexing when the disk is moderately full. This also removes the safeguard that stops the node from filling the disk completely, so free space on path.data has to be monitored separately |

TLS / SSL Settings

TLS is enforced on both the HTTP REST layer and the internal transport layer. All certificates are generated by wazuh-dev.sh and mounted into the container. The same node certificate and key serve both layers, and both layers trust only certificates that chain to root-ca.pem. The root CA private key is therefore what ultimately decides who can join the cluster or present an admin certificate; it does not need to be inside the container and should not be committed to the repository.
| Key | Value | Description |
| --- | --- | --- |
| plugins.security.ssl.http.enabled | true | Require HTTPS for all REST API connections |
| plugins.security.ssl.http.pemcert_filepath | /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem | Node certificate for HTTPS |
| plugins.security.ssl.http.pemkey_filepath | /usr/share/wazuh-indexer/config/certs/wazuh.indexer.key | Private key for the HTTPS certificate |
| plugins.security.ssl.http.pemtrustedcas_filepath | /usr/share/wazuh-indexer/config/certs/root-ca.pem | Root CA that signed all cluster certificates |
| plugins.security.ssl.transport.pemcert_filepath | /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem | Node certificate for the transport layer |
| plugins.security.ssl.transport.pemkey_filepath | /usr/share/wazuh-indexer/config/certs/wazuh.indexer.key | Private key for the transport certificate |
| plugins.security.ssl.transport.pemtrustedcas_filepath | /usr/share/wazuh-indexer/config/certs/root-ca.pem | Root CA for transport layer trust |
| plugins.security.ssl.transport.enforce_hostname_verification | false | Do not check that the peer's transport certificate (CN or SAN) matches its hostname. Acceptable in a single-node deployment, where transport trust rests on plugins.security.nodes_dn; enable it when adding nodes with resolvable names |
| plugins.security.ssl.transport.resolve_hostname | false | Do not resolve the peer's IP address to a hostname during the transport TLS handshake; only relevant when hostname verification is enabled |

Security Plugin — Identity and Authorization

| Key | Value | Description |
| --- | --- | --- |
| plugins.security.authcz.admin_dn | CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US | Distinguished Name of the admin client certificate. A request authenticated with this certificate is treated as a super-admin and bypasses role-based access control entirely; it is also what securityadmin.sh uses to write the security index. Whoever holds the admin key and certificate controls the cluster, so protect them like the root CA key |
| plugins.security.nodes_dn | CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US | DN(s) of certificates accepted on the transport layer as cluster nodes. Any certificate signed by root-ca.pem with exactly this subject can join. The comparison is on the RFC 2253 string, so RDN order and every RDN must match |
| plugins.security.check_snapshot_restore_write_privileges | true | Restoring a snapshot requires write privileges on the indices being restored |
| plugins.security.enable_snapshot_restore_privilege | true | Enable the snapshot restore privilege in the security model, so that restore can be granted to roles rather than requiring the admin certificate |
| plugins.security.allow_default_init_securityindex | true | On first start, when no security index exists, create it from the YAML files (internal_users.yml, roles, mappings). It does nothing once the index exists, which is why later changes go through securityadmin.sh |
| plugins.security.restapi.roles_enabled | ["all_access", "security_rest_api_access"] | Roles permitted to use the security REST management API (users, roles, mappings). Members of these roles can grant themselves any permission, so keep the list short |
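The settings in the TLS table and in the identity table above only work if the certificates that wazuh-dev.sh generates carry exactly the subjects listed in plugins.security.nodes_dn and plugins.security.authcz.admin_dn. The script below is an added example, not part of the Wazuh project or of wazuh-dev.sh: it builds a throwaway root CA and leaf certificates with those DNs using openssl, then runs the two checks worth repeating against the real files in config/wazuh_indexer, namely the chain against root-ca.pem and the subject in RFC 2253 form. The temporary directory, the one-day validity and the deliberately wrong admin-wrong certificate are constructed for the demonstration; the DN strings are the ones from wazuh.indexer.yml.

```shell
#!/bin/sh
# Added example, not part of the Wazuh project or wazuh-dev.sh.
# Builds a throwaway root CA and leaf certificates with the DNs from
# wazuh.indexer.yml, then checks what the security plugin actually compares:
# the chain against root-ca.pem and the subject in RFC 2253 form.
set -eu

# DNs copied from wazuh.indexer.yml (plugins.security.nodes_dn / authcz.admin_dn).
NODES_DN='CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US'
ADMIN_DN='CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US'

# rfc2253_subject CERT: print the subject the way the plugin sees it
# (CN first, comma separated, no spaces). The default openssl output
# ("C = US, L = California, ...") is NOT what goes into nodes_dn/admin_dn.
rfc2253_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# make_root_ca DIR: self-signed CA standing in for the root-ca.pem that wazuh-dev.sh generates.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj '/C=US/L=California/O=Wazuh/OU=Wazuh/CN=root-ca' \
    -keyout "$1/root-ca.key" -out "$1/root-ca.pem" 2>/dev/null
}

# issue_cert DIR NAME SUBJ: leaf certificate signed by DIR/root-ca.pem.
# SUBJ is in openssl's slash form, most significant RDN first.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/root-ca.pem" -CAkey "$1/root-ca.key" \
    -CAcreateserial -days 1 -sha256 -out "$1/$2.pem" 2>/dev/null
}

# check_cert CERT EXPECTED_DN CA: returns 0 only if the chain verifies AND the
# RFC 2253 subject is byte-for-byte the configured DN.
check_cert() {
  cert=$1; expected=$2; ca=$3
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL $cert: not signed by $ca" >&2
    return 1
  fi
  actual=$(rfc2253_subject "$cert")
  if [ "$actual" != "$expected" ]; then
    echo "FAIL $cert: subject '$actual' != configured '$expected'" >&2
    return 1
  fi
  echo "OK   $cert matches $expected"
}

# Demo run against constructed certificates in a temporary directory.
workdir=$(mktemp -d)
make_root_ca "$workdir"
issue_cert "$workdir" wazuh.indexer '/C=US/L=California/O=Wazuh/OU=Wazuh/CN=wazuh.indexer'
issue_cert "$workdir" admin         '/C=US/L=California/O=Wazuh/OU=Wazuh/CN=admin'
# Same CN, but an extra ST RDN: a valid chain that the plugin will still reject.
issue_cert "$workdir" admin-wrong   '/C=US/ST=CA/L=California/O=Wazuh/OU=Wazuh/CN=admin'

check_cert "$workdir/wazuh.indexer.pem" "$NODES_DN" "$workdir/root-ca.pem"
check_cert "$workdir/admin.pem"         "$ADMIN_DN" "$workdir/root-ca.pem"
check_cert "$workdir/admin-wrong.pem"   "$ADMIN_DN" "$workdir/root-ca.pem" || true
rm -rf "$workdir"
```

To check the real certificates, call check_cert with the paths of wazuh.indexer.pem, admin.pem and root-ca.pem from config/wazuh_indexer. The negative case shows the usual trap: a certificate whose chain is valid and whose CN is right, but whose subject carries an extra RDN (here ST=CA), is rejected by the plugin because the DN comparison is on the whole string, not on the CN.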

System Indices

System indices hold internal OpenSearch plugin state. With plugins.security.system_indices.enabled: true, the security plugin restricts the indices listed below to requests authenticated with the admin certificate (the DN in plugins.security.authcz.admin_dn); ordinary users cannot modify them even when they hold all_access. The security plugin's own .opendistro_security index is protected regardless of this list. The wazuh-* alert and inventory indices are not system indices: access to them is governed by roles.
| Index pattern | Plugin |
| --- | --- |
| .opendistro-alerting-config | Alerting configuration |
| .opendistro-alerting-alert* | Alerting active alerts |
| .opendistro-anomaly-results* | Anomaly detection results |
| .opendistro-anomaly-detector* | Anomaly detector configs |
| .opendistro-anomaly-checkpoints | Anomaly detection checkpoints |
| .opendistro-anomaly-detection-state | Anomaly detection state |
| .opendistro-reports-* | Reports plugin data |
| .opendistro-notifications-* | Notifications plugin data |
| .opendistro-notebooks | Notebooks plugin data |
| .opensearch-observability | Observability plugin data |
| .opendistro-asynchronous-search-response* | Async search responses |
| .replication-metadata-store | Cross-cluster replication metadata |

Full wazuh.indexer.yml

network.host: "0.0.0.0"
node.name: "wazuh.indexer"
cluster.name: "wazuh-cluster"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
discovery.type: single-node
http.port: 9200-9299
transport.tcp.port: 9300-9399
compatibility.override_main_response_version: true
plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
  - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
  - "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
  - "all_access"
  - "security_rest_api_access"
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices:
  [
    ".opendistro-alerting-config",
    ".opendistro-alerting-alert*",
    ".opendistro-anomaly-results*",
    ".opendistro-anomaly-detector*",
    ".opendistro-anomaly-checkpoints",
    ".opendistro-anomaly-detection-state",
    ".opendistro-reports-*",
    ".opendistro-notifications-*",
    ".opendistro-notebooks",
    ".opensearch-observability",
    ".opendistro-asynchronous-search-response*",
    ".replication-metadata-store",
  ]
plugins.security.allow_default_init_securityindex: true
cluster.routing.allocation.disk.threshold_enabled: false

internal_users.yml — User Management

The internal_users.yml file is the OpenSearch Security plugin's built-in user database. Each entry stores a bcrypt hash of the user's password and the backend roles attached to that user. Backend roles carry no permissions by themselves: roles_mapping.yml maps users and backend roles to security roles, and roles.yml defines what each security role may do. The file follows this structure:
_meta:
  type: "internalusers"
  config_version: 2

<username>:
  hash: "<bcrypt_hash>"
  reserved: <true|false>
  backend_roles:
    - "<role>"
  description: "<description>"

Default Users

| Username | Reserved | Backend role(s) | Description |
| --- | --- | --- | --- |
| admin | true | admin | Full administrative access. Reserved: cannot be deleted via the API |
| kibanaserver | true | (none) | Service account used by the Wazuh Dashboard to communicate with the Indexer. Reserved |
| kibanaro | false | kibanauser, readall | Read-only Dashboard user with index read permissions |
| logstash | false | logstash | Ingest account for Logstash pipelines |
| readall | false | readall | Read-only access to all indices |
| snapshotrestore | false | snapshotrestore | Permission to create and restore index snapshots |
| tfgadmin | false | admin | Custom administrator account added for this Simovilab deployment |
reserved: true means the user cannot be modified or deleted through the REST API; the only way to change it is to edit internal_users.yml directly and re-run the securityadmin tool. kibanaro, logstash, readall and snapshotrestore are the stock OpenSearch demo accounts. If their hashes are still the ones from the demo configuration, their passwords are the published demo values, so remove or re-hash every account this deployment does not use.

Adding a Custom User

The wazuh-dev.sh helper script automates user creation so you do not need to run securityadmin manually. Set the following variables in your .env file before running the script:
MY_USERNAME=myuser
MY_PASSWORD=MyStr0ngP@ssword!
The script then:

1. Hash the password. Runs the OpenSearch Security hash tool inside a temporary container to produce a bcrypt hash:

docker run --rm wazuh/wazuh-indexer:4.14.5 \
  /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh \
  -p "$MY_PASSWORD"

2. Upsert the user. Writes the username and bcrypt hash into config/wazuh_indexer/internal_users.yml, creating a new entry or replacing the hash if the user already exists. Only the hash is stored; the plaintext password never goes into the file.

3. Apply the configuration. Runs securityadmin.sh inside the running Indexer container to push the updated user database to the live cluster without a restart. securityadmin authenticates with the admin client certificate (the DN in plugins.security.authcz.admin_dn) and replaces the whole internalusers configuration type with the file's contents, so internal_users.yml must still list every account you intend to keep, admin and kibanaserver included, at the moment it is pushed.

Passing the password on the command line with -p exposes it in the process list, and possibly the shell history, of the machine running the script. On a shared host, prefer the interactive prompt that hash.sh offers when -p is omitted.
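The same three steps as standalone shell functions, added here as an example; this is not the wazuh-dev.sh script itself. hash_password and apply_internal_users wrap the Docker commands and are not executed in the demo at the bottom. The container name wazuh.indexer, the image tag, the path of the mounted internal_users.yml inside the container and the admin certificate file names (admin.pem, admin-key.pem) are assumptions about this deployment. The sample internal_users.yml and the bcrypt-looking hashes in it are constructed and do not correspond to any real password.

```shell
#!/bin/sh
# Added example, not the wazuh-dev.sh script. Reproduces hash -> upsert -> apply
# as standalone functions. Container name, image tag and in-container paths are
# assumptions about this deployment.
set -eu

IMAGE='wazuh/wazuh-indexer:4.14.5'
CONTAINER='wazuh.indexer'

# hash_password PASSWORD: bcrypt hash via the image's own hash tool (needs Docker; not run below).
hash_password() {
  docker run --rm "$IMAGE" \
    /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh -p "$1"
}

# upsert_internal_user FILE USER HASH [BACKEND_ROLE]
# Refuses anything that is not a bcrypt hash: the plugin stores the string as-is,
# so a plaintext password written here would silently lock the user out.
upsert_internal_user() {
  file=$1; user=$2; pwhash=$3; role=${4:-}
  case $pwhash in
    '$2'[aby]'$'*) ;;
    *) echo "refusing to write non-bcrypt hash for $user" >&2; return 1 ;;
  esac
  if grep -q "^$user:[[:space:]]*\$" "$file"; then
    # Existing top-level entry: replace only the hash line inside that user's block.
    awk -v u="$user" -v h="$pwhash" '
      /^[^[:space:]#]/ { inblock = ($0 == u ":") }
      inblock && /^[[:space:]]+hash:/ { print "  hash: \"" h "\""; next }
      { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    {
      printf '\n%s:\n' "$user"
      printf '  hash: "%s"\n' "$pwhash"
      printf '  reserved: false\n'
      if [ -n "$role" ]; then printf '  backend_roles:\n    - "%s"\n' "$role"; fi
      printf '  description: "Added by upsert_internal_user"\n'
    } >> "$file"
  fi
}

# get_user_hash FILE USER: read back the stored hash (empty if the user is absent).
get_user_hash() {
  awk -v u="$2" '
    /^[^[:space:]#]/ { inblock = ($0 == u ":") }
    inblock && /^[[:space:]]+hash:/ {
      sub(/^[[:space:]]+hash:[[:space:]]*"?/, ""); sub(/"?[[:space:]]*$/, ""); print; exit
    }
  ' "$1"
}

# apply_internal_users: push ONLY the internalusers type. securityadmin replaces that
# whole type with the file contents, so the file must still contain every user you
# intend to keep (admin, kibanaserver, ...). Needs the admin client certificate
# (the DN in plugins.security.authcz.admin_dn). Not run below.
apply_internal_users() {
  docker exec "$CONTAINER" \
    /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh \
    -f /usr/share/wazuh-indexer/opensearch-security/internal_users.yml \
    -t internalusers -icl -nhnv \
    -cacert /usr/share/wazuh-indexer/config/certs/root-ca.pem \
    -cert   /usr/share/wazuh-indexer/config/certs/admin.pem \
    -key    /usr/share/wazuh-indexer/config/certs/admin-key.pem
}

# write_sample_users FILE: constructed stand-in for internal_users.yml (hashes are not real).
write_sample_users() {
  cat > "$1" <<'EOF'
_meta:
  type: "internalusers"
  config_version: 2

admin:
  hash: "$2y$12$adminhashadminhashadminhashadminhashadminhashadminhash"
  reserved: true
  backend_roles:
    - "admin"
  description: "admin user"

tfgadmin:
  hash: "$2y$12$oldhasholdhasholdhasholdhasholdhasholdhasholdhasholdhash"
  reserved: false
  backend_roles:
    - "admin"
  description: "Custom admin"
EOF
}

# Demo on a temporary copy: add a new read-only user, rotate an existing one, show the result.
demo=$(mktemp)
write_sample_users "$demo"
upsert_internal_user "$demo" myuser '$2y$12$newuserhashnewuserhashnewuserhashnewuserhashnewuserhash' readall
upsert_internal_user "$demo" tfgadmin '$2y$12$rotatedhashrotatedhashrotatedhashrotatedhashrotatedhash'
cat "$demo"
rm -f "$demo"
```

In real use the hash comes from hash_password, the file is config/wazuh_indexer/internal_users.yml, and apply_internal_users pushes it; the demo only exercises the file manipulation, which is where mistakes (duplicated user blocks, a plaintext password stored as a "hash") usually happen.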

Java Heap Settings

The Indexer's JVM heap is configured via the OPENSEARCH_JAVA_OPTS environment variable in docker-compose.yml:
environment:
  - OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g
The default allocation is 1 GB initial and maximum heap. For production deployments:
Set Xms and Xmx to the same value to prevent heap resizing pauses. A good starting point is 50% of the memory available to the container (the host's RAM if the service has no memory limit), leaving the rest for the OS page cache that Lucene relies on. Stay below 32 GB, because the JVM loses compressed ordinary object pointers close to that size; 31g is the usual ceiling. For example, on a host with 8 GB RAM: -Xms4g -Xmx4g.
Update the value in docker-compose.yml and recreate the Indexer container. A plain docker compose restart keeps the old environment, so use up instead:
docker compose up -d wazuh.indexer
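An added example (not from the project) that turns the sizing rule above into a check: recommend_heap applies the halve-and-cap rule, available_kb reads the container's cgroup memory limit before falling back to host RAM, and verify_running_heap asks the live node what it actually got. The curl call against https://localhost:9200 with the admin user and the INDEXER_PASSWORD variable are assumptions about the local setup.

```shell
#!/bin/sh
# Added example, not part of the project. Computes the heap line for
# docker-compose.yml from the memory actually available to the container and
# shows how to confirm what the running JVM got.
set -eu

# recommend_heap MEM_KB: half of MEM_KB in whole GiB, capped at 31g (compressed
# ordinary object pointers are lost close to 32 GiB), refusing hosts that cannot
# give the JVM 1g while leaving memory for the OS page cache.
recommend_heap() {
  mem_gib=$(( $1 / 1048576 ))
  heap=$(( mem_gib / 2 ))
  if [ "$heap" -lt 1 ]; then
    echo "less than 2 GiB available; not enough for the Indexer plus page cache" >&2
    return 1
  fi
  if [ "$heap" -gt 31 ]; then heap=31; fi
  echo "-Xms${heap}g -Xmx${heap}g"
}

# available_kb: cgroup limit if the process is memory-limited, else host MemTotal.
# A heap sized from host RAM inside a container with a smaller limit gets OOM-killed.
available_kb() {
  limit=''
  if [ -r /sys/fs/cgroup/memory.max ]; then
    limit=$(cat /sys/fs/cgroup/memory.max)                      # cgroup v2: bytes or "max"
  elif [ -r /sys/fs/cgroup/memory/memory.limit_in_bytes ]; then
    limit=$(cat /sys/fs/cgroup/memory/memory.limit_in_bytes)    # cgroup v1: bytes, huge if unlimited
  fi
  case $limit in
    ''|max|9223372036854771712) awk '/^MemTotal:/ { print $2 }' /proc/meminfo ;;
    *) echo $(( limit / 1024 )) ;;
  esac
}

# compose_env_line: the line to paste under `environment:` in docker-compose.yml.
compose_env_line() {
  echo "  - OPENSEARCH_JAVA_OPTS=$(recommend_heap "$(available_kb)")"
}

# verify_running_heap: ask the live node which -Xmx it really received
# (assumes the admin user and INDEXER_PASSWORD from .env; not run below).
verify_running_heap() {
  curl -sk -u "admin:${INDEXER_PASSWORD:?set INDEXER_PASSWORD}" \
    https://localhost:9200/_nodes/stats/jvm | grep -o '"heap_max_in_bytes":[0-9]*'
}

echo "for an 8 GiB host: $(recommend_heap 8388608)"
echo "for this machine:"
compose_env_line || true
```

After recreating the container, verify_running_heap should report heap_max_in_bytes equal to the -Xmx you set; a smaller value means the environment change was not applied to the running container.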
