Wazuh Infrastructure - Clusters, API, and Management
Wazuh 4.14 infrastructure consists of several components responsible for collecting, processing, storing, and visualizing security data across distributed environments. Proper configuration of the infrastructure layer determines the overall performance, fault tolerance, and scalability of the platform.
Infrastructure Components
Wazuh separates infrastructure into three key layers: the server cluster for event analysis, the REST API for programmatic management, and the indexer cluster for data storage and search. Each layer scales independently, allowing organizations to tailor the architecture to their specific requirements.
Wazuh Server Cluster
The Wazuh server cluster combines multiple managers (master and worker nodes) to distribute event analysis workloads. A synchronization mechanism ensures consistency of rules, decoders, CDB lists, and agent group configurations across all nodes. The cluster architecture supports thousands of agents with load balancing and automatic failover.
Wazuh Server REST API
The REST API provides a programmatic interface for managing every aspect of the platform: agents, rules, decoders, groups, manager configuration, and cluster operations. The API runs over HTTPS on port 55000, authenticates via JWT tokens, and enforces role-based access control (RBAC). Common use cases include integration with external systems, operations automation, and custom tooling development.
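As an added example (not code from the Wazuh documentation or project), a minimal Python client for the authentication flow described above: Basic credentials are exchanged once at POST /security/user/authenticate for a JWT, every later request carries that token as a Bearer header, and the client renews it shortly before its exp claim instead of waiting for a 401. The host name, user name and the in-memory demo_transport are constructed for offline use; https_transport is the real transport and verifies the API certificate against a CA bundle rather than skipping verification.

```python
import base64, json, ssl, time, urllib.parse, urllib.request

def jwt_exp(token):
    """'exp' claim of a JWT, read unverified: only decides when to renew (the server still validates)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))["exp"]

def https_transport(ca_bundle):
    """Real transport: verifies the API certificate against ca_bundle instead of curl -k."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    def send(method, url, headers):
        req = urllib.request.Request(url, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx) as r:
            return r.status, r.read()
    return send

class WazuhApi:
    def __init__(self, host, user, password, transport, port=55000, skew=30):
        self.base, self.send, self.skew = f"https://{host}:{port}", transport, skew
        self.user, self.password, self.token, self.exp, self.logins = user, password, None, 0, 0

    def authenticate(self):   # Basic auth -> JWT (default token lifetime 900 s)
        cred = base64.b64encode(f"{self.user}:{self.password}".encode()).decode()
        status, body = self.send("POST", self.base + "/security/user/authenticate",
                                 {"Authorization": f"Basic {cred}"})
        if status != 200:
            raise RuntimeError(f"authentication failed: HTTP {status}")
        self.token, self.logins = json.loads(body)["data"]["token"], self.logins + 1
        self.exp = jwt_exp(self.token)

    def get(self, path, **params):
        if self.token is None or time.time() >= self.exp - self.skew:
            self.authenticate()                        # renew before expiry
        url = self.base + path + ("?" + urllib.parse.urlencode(params) if params else "")
        status, body = self.send("GET", url, {"Authorization": f"Bearer {self.token}"})
        if status == 401:                              # revoked server-side: retry once
            self.authenticate()
            status, body = self.send("GET", url, {"Authorization": f"Bearer {self.token}"})
        return status, json.loads(body)

def demo_transport(ttl=900):
    """Constructed stand-in for the API (unsigned tokens) so the client can run offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    def send(method, url, headers):
        auth = headers.get("Authorization", "")
        if method == "POST" and url.endswith("/security/user/authenticate") and auth.startswith("Basic "):
            token = f"{enc({'alg': 'none'})}.{enc({'exp': int(time.time()) + ttl})}.sig"
            return 200, json.dumps({"data": {"token": token}}).encode()
        if auth.startswith("Bearer ") and jwt_exp(auth[7:]) > time.time():
            return 200, b'{"data": {"affected_items": [{"id": "000"}], "total_affected_items": 1}}'
        return 401, b'{"title": "Unauthorized", "detail": "Invalid token"}'
    return send
```

For a live manager, pass https_transport("/path/to/root-ca.pem") as the transport; the demo transport exposes the same (method, url, headers) interface.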
Wazuh Indexer Cluster
The OpenSearch-based indexer cluster handles long-term storage, indexing, and search of security events. The architecture supports data distribution across shards, replication for fault tolerance, and index lifecycle management (ISM). JVM tuning, shard strategy, and index rotation policies directly affect storage performance.
Component Interaction
The server cluster receives events from agents over port 1514/TCP, analyzes them using rules and decoders, then forwards results to the indexer via Filebeat on port 9200/TCP. The REST API on port 55000 enables cluster configuration management, while the dashboard on port 443 provides data visualization from the indexer.
For a detailed description of the architecture and data flows, refer to the getting started section. For component installation, see the Wazuh installation guide.
Scaling Considerations
When planning infrastructure, consider the number of agents, the volume of generated events (EPS), and data retention requirements. General recommendations:
| Agent Count | Server Cluster | Indexer | RAM (Indexer) |
|---|---|---|---|
| Up to 100 | 1 node (standalone) | 1 node | 4-8 GB |
| 100-500 | 2 nodes (master + worker) | 3 nodes | 8-16 GB per node |
| 500-5000 | 3-5 nodes | 3-5 nodes | 16-32 GB per node |
| 5000+ | 5+ nodes | 5+ nodes | 32+ GB per node |
Detailed tuning recommendations for each component are available in the corresponding documentation sections.