Wazuh Dashboard Configuration - Settings and Modules
Wazuh Dashboard is the platform’s web interface built on OpenSearch Dashboards. Security analysts use it to work with alerts, review vulnerabilities, monitor agent status, and generate reports. Proper Dashboard configuration directly impacts day-to-day SIEM operations - from page load times to module availability and SSO behavior. This guide covers the key configuration files, built-in modules, custom visualization creation, and resolution of common issues.
Configuring opensearch_dashboards.yml
The primary OpenSearch Dashboards configuration file is located at /etc/wazuh-dashboard/opensearch_dashboards.yml. It defines network settings, Indexer connectivity, and TLS parameters.
Key settings
# Network interface to bind to
# 0.0.0.0 - all interfaces, 127.0.0.1 - localhost only
server.host: 0.0.0.0
# Web interface port (default 443)
server.port: 443
# Wazuh Indexer node addresses
opensearch.hosts:
- https://192.168.1.10:9200
- https://192.168.1.11:9200
# Credentials for Indexer connection
opensearch.username: kibanaserver
opensearch.password: <KIBANASERVER_PASSWORD>
# TLS certificates for Dashboard
server.ssl.enabled: true
server.ssl.certificate: /etc/wazuh-dashboard/certs/dashboard.pem
server.ssl.key: /etc/wazuh-dashboard/certs/dashboard-key.pem
# Root CA certificate for Indexer verification
opensearch.ssl.certificateAuthorities:
- /etc/wazuh-dashboard/certs/root-ca.pem
# Indexer certificate verification mode
opensearch.ssl.verificationMode: full
# Base path (when using a reverse proxy)
# server.basePath: "/wazuh"
# server.rewriteBasePath: true
# Logging
logging.dest: /var/log/wazuh-dashboard/opensearch-dashboards.log
logging.verbose: false
Multi-node Indexer configuration
When running multiple Indexer nodes, list all addresses in opensearch.hosts. Dashboard will automatically distribute requests across nodes:
opensearch.hosts:
- https://indexer-node1:9200
- https://indexer-node2:9200
- https://indexer-node3:9200
Connection timeouts
# Indexer connection timeout (ms)
opensearch.requestTimeout: 30000
# Ping timeout for availability checks
opensearch.pingTimeout: 30000
# Cluster health check interval
opensearch.healthCheck.delay: 2500
Wazuh Plugin Configuration (wazuh.yml)
The file /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml contains settings for the Wazuh plugin within Dashboard.
Connecting to the Wazuh API
hosts:
  - production:
      url: https://192.168.1.5
      port: 55000
      username: wazuh-wui
      password: <WUI_PASSWORD>
      run_as: false
  - staging:
      url: https://10.0.0.5
      port: 55000
      username: wazuh-wui
      password: <WUI_PASSWORD>
      run_as: false
When multiple API hosts are configured, users can switch between them in the Dashboard interface through Management - API Configuration.
Monitoring settings
# Agent status monitoring
wazuh.monitoring.enabled: true
wazuh.monitoring.frequency: 900
wazuh.monitoring.pattern: wazuh-monitoring-*
wazuh.monitoring.creation: w
# Health checks on startup
checks.pattern: true
checks.template: true
checks.api: true
checks.setup: true
checks.fields: true
Index pattern settings
# Default alert pattern
pattern: wazuh-alerts-*
# Default index for Wazuh
# Used when creating visualizations
ip.selector: true
ip.ignore:
- wazuh-monitoring-*
- wazuh-statistics-*
Dashboard Modules
Wazuh Dashboard includes specialized modules for various security monitoring aspects.
Security Events
The central module for alert management. It provides:
- Alert timeline with filtering by level, group, and agent
- Detailed view of each alert with decoded fields
- CSV export for external analysis
- Search using WQL (Wazuh Query Language)
WQL filtering supports the following syntax:
rule.level > 10 AND agent.name = "web-server-01"
rule.groups : "authentication" AND NOT rule.level < 5
data.srcip : "192.168.*"
Integrity Monitoring (FIM)
File system change tracking:
- Added, modified, and deleted files
- Permission and ownership changes
- Diff - content comparison before and after modification
- Filtering by agent, path, and event type
Vulnerabilities
Endpoint vulnerability management:
- List of detected CVEs with severity ratings (CVSS)
- Filtering by agent, package, and severity
- Links to NVD and vendor-specific advisory databases
- Per-agent vulnerability count statistics
Regulatory Compliance
Mapping alerts to regulatory requirements:
- PCI DSS - Payment Card Industry Data Security Standard
- HIPAA - Health Insurance Portability and Accountability Act
- NIST 800-53 - Security and Privacy Controls catalog
- GDPR - General Data Protection Regulation
- TSC (SOC 2) - Trust Services Criteria
Each standard has dedicated dashboards that map alerts to specific controls.
Security Configuration Assessment (SCA)
System configuration auditing:
- Assessment results based on CIS Benchmarks
- Status of each check: passed, failed, not applicable
- Compliance percentage for each profile
- Detailed description of each control with remediation guidance
Agents
Agent management and monitoring:
- Agent list with status indicators (Active, Disconnected, Never connected, Pending)
- Detailed agent information: OS, version, groups, IP address
- Inventory data: packages, processes, ports, network interfaces
- Connection history
Management
Administrative functions:
- Rule and decoder management
- Agent group management
- CDB list configuration
- API connection settings
- Manager logs
- Statistics and cluster status
Custom Dashboards and Visualizations
Creating an index pattern
Before creating visualizations, you need to set up an index pattern:
- Navigate to OpenSearch Dashboards - Stack Management - Index Patterns
- Click Create index pattern
- Enter the pattern: wazuh-alerts-*
- Select the time field: timestamp
- Click Create index pattern
Creating a visualization
- Navigate to OpenSearch Dashboards - Visualize
- Select the visualization type (Area, Bar, Pie, Line, Data Table, Metric, Gauge)
- Select the wazuh-alerts-* index pattern
- Configure aggregations and metrics
Example configuration for a pie chart of top 10 rules:
- Metric: Count
- Buckets - Split Slices: Terms, field: rule.description.keyword, size: 10
- Save the visualization
Creating a dashboard
- Navigate to OpenSearch Dashboards - Dashboard
- Click Create new dashboard
- Add visualizations through Add panel
- Arrange and resize panels as needed
- Save the dashboard
Saved Objects
Visualizations and dashboards are stored as Saved Objects. To export and import:
- Navigate to Stack Management - Saved Objects
- Select objects to export
- Click Export - an NDJSON file will be created
- To import, use the Import button and upload the NDJSON file
Exported objects can be version-controlled in Git and deployed to other Dashboard instances.
Reporting
PDF/CSV generation
Wazuh Dashboard supports creating reports in PDF and CSV formats:
- Open the desired module (Security Events, Vulnerabilities, etc.)
- Configure filters and time range
- Click Generate report in the upper right corner
- Select the format: PDF or CSV
- The report will be available in Management - Reporting
Report contents
Reports include:
- Header with time range and applied filters
- Alert tables with key fields
- Charts and visualizations from the current view
- Summary statistics for the module
Scheduled reports
To configure periodic report generation, use the OpenSearch Dashboards Reporting plugin:
- Navigate to OpenSearch Dashboards - Reporting
- Click Create report definition
- Configure:
- Report source: Dashboard or Visualization
- Format: PDF or CSV
- Schedule: cron expression (e.g., 0 8 * * 1 - every Monday at 8:00 AM)
- Optionally configure recipients through Notification channels
Multi-tenancy
Multi-tenancy allows isolating dashboards, visualizations, and index patterns for different teams or departments.
Enabling multi-tenancy
In /etc/wazuh-indexer/opensearch-security/config.yml:
config:
  dynamic:
    kibana:
      multitenancy_enabled: true
      server_username: kibanaserver
      index: .kibana
Creating tenants
Through the OpenSearch Dashboards Security plugin:
- Navigate to Security - Tenants
- Click Create tenant
- Specify a name and description
Through the API:
curl -sk -u admin:$PASSWORD \
-XPUT "https://localhost:9200/_plugins/_security/api/tenants/soc-team" \
-H "Content-Type: application/json" \
-d '{ "description": "SOC team workspace" }'
Assigning tenants to roles
curl -sk -u admin:$PASSWORD \
-XPUT "https://localhost:9200/_plugins/_security/api/rolesmapping/soc_analyst" \
-H "Content-Type: application/json" \
-d '{
"backend_roles": ["soc-analysts"],
"hosts": [],
"users": ["analyst1", "analyst2"],
"and_backend_roles": []
}'
Switching between tenants
Users can switch tenants through the user menu in the upper right corner of Dashboard - Switch Tenants. Each tenant maintains its own set of dashboards and visualizations.
Custom Branding
Logo and title
In opensearch_dashboards.yml:
# Login page logo
opensearch_dashboards.branding.logo.defaultUrl: "/ui/custom-logo.svg"
# Sidebar logo
opensearch_dashboards.branding.mark.defaultUrl: "/ui/custom-mark.svg"
# Application title
opensearch_dashboards.branding.applicationTitle: "Security Operations Center"
# Loading screen
opensearch_dashboards.branding.loadingLogo.defaultUrl: "/ui/custom-loading.svg"
# Favicon
opensearch_dashboards.branding.faviconUrl: "/ui/custom-favicon.ico"
File placement
Logo files should be placed in /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/ or referenced as external resource URLs.
Custom footer
To add custom footer text, edit the Dashboard template or use CSS injection through opensearch_dashboards.yml:
opensearch_dashboards.branding.useExpandedHeader: false
SSO Integration (SAML/OIDC)
SAML authentication
Configuration in /etc/wazuh-indexer/opensearch-security/config.yml:
config:
  dynamic:
    authc:
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: "https://idp.example.com/metadata"
              entity_id: "urn:example:idp"
            sp:
              entity_id: "https://wazuh-dashboard.example.com"
            kibana_url: "https://wazuh-dashboard.example.com"
            subject_key: "NameID"
            roles_key: "Role"
            exchange_key: "<32_CHAR_SECRET>"
        authentication_backend:
          type: noop
Add the following to opensearch_dashboards.yml:
opensearch_security.auth.type: "saml"
server.xsrf.allowlist:
- "/_opendistro/_security/saml/acs"
- "/_opendistro/_security/saml/acs/idpinitiated"
- "/_opendistro/_security/saml/logout"
OIDC authentication
config:
  dynamic:
    authc:
      oidc_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_url: "https://idp.example.com/.well-known/openid-configuration"
            subject_key: "preferred_username"
            roles_key: "roles"
        authentication_backend:
          type: noop
In opensearch_dashboards.yml:
opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://idp.example.com/.well-known/openid-configuration"
opensearch_security.openid.client_id: "wazuh-dashboard"
opensearch_security.openid.client_secret: "<CLIENT_SECRET>"
Applying SSO configuration
After modifying config.yml, apply the changes using the security admin tool:
cd /usr/share/wazuh-indexer/plugins/opensearch-security/tools/
./securityadmin.sh \
-f /etc/wazuh-indexer/opensearch-security/config.yml \
-icl -nhnv \
-cacert /etc/wazuh-indexer/certs/root-ca.pem \
-cert /etc/wazuh-indexer/certs/admin.pem \
-key /etc/wazuh-indexer/certs/admin-key.pem \
-h localhost
Troubleshooting
Blank page after login
Causes and solutions:
- Invalid certificate: verify that server.ssl.certificate and server.ssl.key point to valid files
- No connection to Indexer: check opensearch.hosts and port 9200 availability
- Corrupted .kibana index: delete and allow Dashboard to recreate it
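One way to script the first two checks in this list before restarting the service, as an added example (not code from the Wazuh project). The function name and sample paths are constructed; it assumes the flat dotted-key, block-list form of opensearch_dashboards.yml shown on this page. It confirms only that the certificate and key files are readable, not that they are valid, and also flags plaintext Indexer URLs and a verification mode other than full.

```shell
# Added example, not Wazuh project code. Lints the flat dotted-key form of
# opensearch_dashboards.yml used on this page; prints one finding per line.
check_dashboard_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*-[ \t]/ {                          # block-list item
            sub(/^[ \t]*-[ \t]*/, ""); gsub(/["\047]/, "")
            if (key == "opensearch.hosts" && $0 !~ /^https:\/\//)
                print "FAIL opensearch.hosts: Indexer URL without TLS: " $0
            next
        }
        {                                          # key: value line
            key = $0; sub(/:.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            sub(/[ \t]+#.*$/, "", val); gsub(/["\047]/, "", val)
            seen[key] = val
        }
        END {
            if (seen["server.ssl.enabled"] != "true")
                print "FAIL server.ssl.enabled: web interface is not serving TLS"
            mode = seen["opensearch.ssl.verificationMode"]
            if (mode != "" && mode != "full")      # unset is left alone
                print "FAIL opensearch.ssl.verificationMode: " mode ", page uses full"
            # Hand file-valued settings to the shell loop as "PATH key value".
            print "PATH server.ssl.certificate " seen["server.ssl.certificate"]
            print "PATH server.ssl.key " seen["server.ssl.key"]
        }
    ' "$1" | while read -r kind name value; do
        if [ "$kind" != PATH ]; then
            printf '%s\n' "$kind $name $value"
        elif [ ! -r "$value" ]; then
            printf '%s\n' "FAIL $name: file missing or unreadable: ${value:-<unset>}"
        fi
    done
}

# Constructed sample: one plaintext Indexer URL, verification off, key file absent.
demo=$(mktemp -d)
: > "$demo/dashboard.pem"
cat > "$demo/opensearch_dashboards.yml" <<EOF
server.ssl.enabled: true
server.ssl.certificate: $demo/dashboard.pem
server.ssl.key: $demo/dashboard-key.pem
opensearch.hosts:
  - https://192.168.1.10:9200
  - http://192.168.1.11:9200
opensearch.ssl.verificationMode: none
EOF
check_dashboard_config "$demo/opensearch_dashboards.yml"
rm -rf "$demo"
```

An empty result means none of the linted settings is at fault, which leaves Indexer reachability and the .kibana index to check with the commands that follow.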
# Check Dashboard status
systemctl status wazuh-dashboard
# View logs
tail -100 /var/log/wazuh-dashboard/opensearch-dashboards.log
# Test Indexer connectivity
curl -sk -u kibanaserver:$PASSWORD "https://localhost:9200/_cluster/health"
Wazuh API not reachable
Symptom: “Wazuh API not reachable” error in Dashboard modules.
Diagnostics:
# Test API availability
curl -sk -u wazuh-wui:$PASSWORD \
-X POST "https://localhost:55000/security/user/authenticate?raw=true"
# Check wazuh.yml configuration
cat /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
Solutions:
- Verify that the IP address and port in wazuh.yml match the actual Wazuh Manager address
- Check wazuh-wui credentials
- Confirm that port 55000 is open between Dashboard and Manager
- When using HTTPS, verify certificates
Wazuh plugin errors
Symptom: Wazuh modules do not appear or display errors.
# Check installed plugins
/usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin list
# Reinstall the Wazuh plugin
/usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin remove wazuh
/usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin install \
https://packages.wazuh.com/4.x/ui/dashboard/wazuh-4.14.4-1.zip
# Restart Dashboard
systemctl restart wazuh-dashboard
Performance issues
- Increase node.options memory: --max-old-space-size=2048 in /etc/wazuh-dashboard/node.options
- Reduce monitoring frequency in wazuh.yml: wazuh.monitoring.frequency: 3600
- Disable unnecessary startup checks
Resetting the admin password
# Generate a hash for the new password
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
# Update internal_users.yml
# Apply changes
cd /usr/share/wazuh-indexer/plugins/opensearch-security/tools/
./securityadmin.sh \
-f /etc/wazuh-indexer/opensearch-security/internal_users.yml \
-icl -nhnv \
-cacert /etc/wazuh-indexer/certs/root-ca.pem \
-cert /etc/wazuh-indexer/certs/admin.pem \
-key /etc/wazuh-indexer/certs/admin-key.pem \
-h localhost
Additional Resources
- Wazuh Dashboard Installation - deploying Dashboard
- Wazuh Indexer API - querying data through the API
- Agent Management - agent enrollment and configuration
- Wazuh Architecture - platform component overview