Wazuh Indexer 4.14 Installation - Step-by-Step Guide

Wazuh Indexer is the platform component built on OpenSearch that handles storage, indexing, and searching of security data. This guide covers step-by-step indexer installation for distributed deployments. For a single-host installation of all components, refer to the quickstart guide.

Prerequisites

Hardware requirements

Parameter   Minimum   Recommended
CPU         2 cores   8 cores
RAM         4 GB      16 GB
Disk        50 GB     Depends on data volume

The complete requirements table is available in the installation overview.

Supported operating systems

  • Amazon Linux 2, Amazon Linux 2023
  • CentOS Stream 10
  • Red Hat Enterprise Linux 7, 8, 9, 10
  • Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04

Network requirements

  • Port 9200/TCP - REST API (HTTPS)
  • Port 9300-9400/TCP - cluster inter-node communication
  • Access to packages.wazuh.com for package downloads

Certificate Generation

Wazuh uses TLS certificates to encrypt communication between all components. Certificates are generated once and distributed to all nodes.

Download the tools

curl -sO https://packages.wazuh.com/4.14/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.14/config.yml

Configure node definitions

Edit the config.yml file with the IP addresses of all platform nodes:

nodes:
  indexer:
    - name: node-1
      ip: "<INDEXER_IP_1>"
    - name: node-2
      ip: "<INDEXER_IP_2>"
    - name: node-3
      ip: "<INDEXER_IP_3>"

  server:
    - name: wazuh-1
      ip: "<SERVER_IP>"

  dashboard:
    - name: dashboard
      ip: "<DASHBOARD_IP>"

For a single-node indexer configuration, keep only one entry in the indexer section.

Generate certificates

bash ./wazuh-certs-tool.sh -A

The script creates a wazuh-certificates/ directory containing a certificate and private key for every node listed in config.yml, the admin client certificate (admin.pem, admin-key.pem), and the CA itself (root-ca.pem together with its private key, root-ca.key).

Package and distribute

tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
rm -rf ./wazuh-certificates

Copy the wazuh-certificates.tar file to all platform nodes. This archive is needed during the installation of each component. Note that it also carries root-ca.key, the CA private key, which no node needs at runtime: the per-node extraction steps pull only the files that node requires, so delete the archive from each node once its certificates are in place and keep the CA key only where you can protect it.

Adding the Repository

Ubuntu / Debian

apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring \
  --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \
  | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

CentOS / RHEL 8 and earlier (YUM)

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' \
  | tee /etc/yum.repos.d/wazuh.repo

RHEL 9+ / CentOS Stream 10 (DNF)

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\npriority=1' \
  | tee /etc/yum.repos.d/wazuh.repo

Installing the Package

Ubuntu / Debian

apt-get install debconf adduser procps
apt-get -y install wazuh-indexer

CentOS / RHEL (use dnf instead of yum on RHEL 9+ and CentOS Stream 10)

yum -y install wazuh-indexer

Configuring opensearch.yml

Edit /etc/wazuh-indexer/opensearch.yml:

network.host: "<THIS_NODE_IP>"
node.name: "node-1"

cluster.initial_master_nodes:
  - "node-1"
  - "node-2"
  - "node-3"

discovery.seed_hosts:
  - "<INDEXER_IP_1>"
  - "<INDEXER_IP_2>"
  - "<INDEXER_IP_3>"

plugins.security.nodes_dn:
  - "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
  - "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
  - "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"

For a single-node configuration, list only this node in plugins.security.nodes_dn, omit cluster.initial_master_nodes (OpenSearch refuses to start when it is set together with single-node discovery), and add:

discovery.type: single-node

Key parameters

Parameter                      Description
network.host                   IP address the indexer listens on for connections
node.name                      Unique node name, must match the name in config.yml
cluster.initial_master_nodes   Node list for initial cluster bootstrapping
discovery.seed_hosts           IP addresses of nodes for cluster discovery
plugins.security.nodes_dn      Certificate DNs of nodes for mutual TLS authentication

Deploying Certificates

NODE_NAME=node-1

mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ \
  ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem

mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem

chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

Replace node-1 with the name of the current node as specified in config.yml. The renamed files indexer.pem and indexer-key.pem are the paths the packaged opensearch.yml references, so do not skip the mv steps.

Starting the Service

systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer

Repeat the installation, configuration, and certificate deployment steps on each indexer node.

Initializing the Security Cluster

After all indexer nodes are running, execute the security initialization on any one node:

/usr/share/wazuh-indexer/bin/indexer-security-init.sh

This command uploads the security configuration files under /etc/wazuh-indexer/opensearch-security (users, roles, role mappings) into the cluster's security index, authenticating with admin.pem and admin-key.pem. It is executed only once for the entire cluster: running it again overwrites the security index with the contents of those files and discards any changes made afterwards through the API or the dashboard.

Multi-node Cluster Setup

When deploying a multi-node cluster:

  1. Generate certificates specifying all nodes in config.yml
  2. Install the wazuh-indexer package on each node
  3. Configure opensearch.yml on each node with a unique node.name and network.host
  4. Deploy the corresponding certificates to each node
  5. Start the service on all nodes
  6. Execute indexer-security-init.sh on any single node

All nodes must use identical values for cluster.initial_master_nodes and discovery.seed_hosts.
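The opensearch.yml section above and the multi-node checklist both hinge on one rule: every node must carry the same cluster.initial_master_nodes, discovery.seed_hosts and plugins.security.nodes_dn lists, with only network.host and node.name differing. The helper below, an added example that is not part of Wazuh's tooling, renders those stanzas from a single node list so the lists cannot drift between nodes, and switches to single-node discovery (without cluster.initial_master_nodes) when only one node is given. It assumes the default certificate subject fields of config.yml (OU=Wazuh,O=Wazuh,L=California,C=US) and the packaged cluster name wazuh-cluster; the addresses in the demo are made up. Merge its output with the TLS and path settings already present in the packaged /etc/wazuh-indexer/opensearch.yml rather than replacing the whole file.

```shell
#!/usr/bin/env bash
# Render the cluster-wide part of /etc/wazuh-indexer/opensearch.yml from a single
# node list, so every node gets byte-identical cluster.initial_master_nodes,
# discovery.seed_hosts and plugins.security.nodes_dn stanzas; only network.host
# and node.name differ per node. Hypothetical helper, not part of Wazuh's tooling.
set -eu

# Subject suffix that wazuh-certs-tool.sh puts in the node certificates.
# Assumption: the default subject fields of config.yml were not changed.
DN_SUFFIX="OU=Wazuh,O=Wazuh,L=California,C=US"

# render_opensearch_yml <this_node_name> <name=ip> [<name=ip> ...]
# Prints the YAML for the named node to stdout; returns 1 on a malformed entry
# or if the named node is not in the list.
render_opensearch_yml() {
  local this="$1"; shift
  local this_ip="" count=0 entry name ip
  for entry in "$@"; do
    name="${entry%%=*}"; ip="${entry#*=}"
    if [ -z "$name" ] || [ -z "$ip" ] || [ "$name" = "$ip" ]; then
      echo "bad node entry: $entry (expected name=ip)" >&2; return 1
    fi
    count=$((count + 1))
    if [ "$name" = "$this" ]; then this_ip="$ip"; fi
  done
  if [ -z "$this_ip" ]; then
    echo "node $this is not in the node list" >&2; return 1
  fi
  printf 'network.host: "%s"\n' "$this_ip"
  printf 'node.name: "%s"\n' "$this"
  printf 'cluster.name: "wazuh-cluster"\n'
  if [ "$count" -eq 1 ]; then
    # A lone node elects itself; OpenSearch refuses to start if
    # cluster.initial_master_nodes is set together with single-node discovery.
    printf 'discovery.type: single-node\n'
  else
    # Bootstrap list and seed list are identical on every node of the cluster.
    printf 'cluster.initial_master_nodes:\n'
    for entry in "$@"; do printf '  - "%s"\n' "${entry%%=*}"; done
    printf 'discovery.seed_hosts:\n'
    for entry in "$@"; do printf '  - "%s"\n' "${entry#*=}"; done
  fi
  # Every node's certificate DN must be listed, or its transport-layer TLS
  # handshake is rejected by the security plugin.
  printf 'plugins.security.nodes_dn:\n'
  for entry in "$@"; do printf '  - "CN=%s,%s"\n' "${entry%%=*}" "$DN_SUFFIX"; done
}

# Demo: render node-2's stanzas for a three-node cluster (addresses are made up).
# Run once per node, changing only the first argument, and merge the output into
# /etc/wazuh-indexer/opensearch.yml on that node.
if [ "${1:-}" = "--demo" ]; then
  render_opensearch_yml node-2 node-1=10.0.0.11 node-2=10.0.0.12 node-3=10.0.0.13
fi
```

Because the node list is the only input, the three lists are derived from the same source of truth on every node; a node that is missing from the list (a typo in node.name, say) is rejected up front instead of surfacing later as a node that cannot join the cluster.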

JVM Heap Tuning

The package ships jvm.options with a 1 GB heap. For production environments, raise it according to the guidelines below.

Edit /etc/wazuh-indexer/jvm.options, replacing the existing -Xms and -Xmx lines rather than appending a second pair:

-Xms4g
-Xmx4g

Tuning guidelines:

  • Set -Xms and -Xmx to identical values so the heap is allocated once and never resized at runtime
  • Do not allocate more than 50% of available RAM; the remainder is needed by the operating system page cache, which OpenSearch relies on for index files
  • Stay below the compressed object pointer threshold, which lies just under 32 GB; 31 GB is a safe ceiling, and the JVM's UseCompressedOops flag (visible via -XX:+PrintFlagsFinal) shows whether a given -Xmx still qualifies
  • For a host with 16 GB RAM, these guidelines give an 8 GB heap

Restart the service after modification:

systemctl restart wazuh-indexer

Verifying the Installation

Check node availability

curl --cacert /etc/wazuh-indexer/certs/root-ca.pem -u admin https://<INDEXER_IP>:9200

Connect to the IP address you listed for this node in config.yml: the certificates tool places it in the node certificate, so curl can validate the server certificate against root-ca.pem. Avoid -k, which disables certificate validation altogether. curl prompts for the password; the admin user keeps the default password admin until it is changed with the Wazuh passwords tool, so change it before the indexer is reachable from anything other than the Wazuh server and dashboard. Expected response:

{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "...",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.19.4",
    ...
  }
}

Check cluster nodes

curl --cacert /etc/wazuh-indexer/certs/root-ca.pem -u admin "https://<INDEXER_IP>:9200/_cat/nodes?v"

The output should list all cluster nodes with their assigned roles.

Check cluster health

curl --cacert /etc/wazuh-indexer/certs/root-ca.pem -u admin "https://<INDEXER_IP>:9200/_cluster/health?pretty"

The status value should be green for a fully operational cluster. yellow means every primary shard is allocated but some replica shards are not; on a single-node deployment that is expected for any index configured with replicas, because a replica can never be placed on the same node as its primary. red means at least one primary shard is unassigned and its data is unavailable.
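The three checks above can be folded into one script that verifies the node over TLS with the deployment's own CA and waits for the cluster to reach the status a deployment of its size should reach. This is an added example, not part of Wazuh's tooling; it assumes the certificate directory used in this guide and that the admin credentials are kept in a mode 0600 netrc file (a hypothetical /root/.wazuh-indexer.netrc containing "machine <INDEXER_IP> login admin password <PASSWORD>") so the password never appears on a command line. The _cluster/health responses used to exercise the parsing functions are constructed for illustration.

```shell
#!/usr/bin/env bash
# Verify the indexer over TLS with the deployment's own CA instead of curl -k,
# and let OpenSearch block until the cluster reaches the state a deployment of
# this size should reach. Hypothetical helper, not part of Wazuh's tooling.
set -eu

CERTS_DIR="${CERTS_DIR:-/etc/wazuh-indexer/certs}"
# Assumption: admin credentials live in a mode 0600 netrc file with the line
# "machine <INDEXER_IP> login admin password <PASSWORD>", so the password is
# never visible in the process list.
NETRC_FILE="${NETRC_FILE:-/root/.wazuh-indexer.netrc}"

# cluster_status <health_json>: extract "status" (green|yellow|red) from a
# _cluster/health response, pretty-printed or compact, without needing jq.
cluster_status() {
  printf '%s\n' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n 1
}

# unassigned_shards <health_json>: shards no node holds; on a single node this
# is non-zero for every index that asks for replicas, which is what yellow means.
unassigned_shards() {
  printf '%s\n' "$1" | sed -n 's/.*"unassigned_shards"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# expected_status <node_count>: replicas can never be placed on a lone node, so
# yellow is the best a single-node deployment can guarantee; a cluster must be green.
expected_status() {
  if [ "$1" -le 1 ]; then echo yellow; else echo green; fi
}

# status_ok <actual> <expected>: green satisfies anything, yellow only yellow.
status_ok() {
  case "$1:$2" in green:*|yellow:yellow) return 0;; *) return 1;; esac
}

# wait_for_indexer <indexer_ip> <node_count> [<timeout_seconds>]
# The server certificate is validated against root-ca.pem, so connect to the IP
# listed in config.yml, which the certificates tool places in the certificate.
# OpenSearch answers 408 if the status is not reached in time; --fail turns
# that into a non-zero exit.
wait_for_indexer() {
  local ip="$1" want out
  want="$(expected_status "$2")"
  out="$(curl -sS --fail \
        --cacert "$CERTS_DIR/root-ca.pem" --netrc-file "$NETRC_FILE" \
        "https://$ip:9200/_cluster/health?wait_for_status=$want&timeout=${3:-60}s")" \
    || { echo "indexer at $ip unreachable or not $want within ${3:-60}s" >&2; return 1; }
  echo "cluster status: $(cluster_status "$out"), unassigned shards: $(unassigned_shards "$out")"
  status_ok "$(cluster_status "$out")" "$want"
}

# Usage on the Wazuh server once every node is up and the security init has run
# (the address is made up):
#   wait_for_indexer 10.0.0.11 3 120 && curl -sS --cacert "$CERTS_DIR/root-ca.pem" \
#     --netrc-file "$NETRC_FILE" "https://10.0.0.11:9200/_cat/nodes?v"
```

Asking OpenSearch to wait via wait_for_status is more reliable than polling from the shell: the cluster itself decides when the condition holds, and a deployment script gets a single exit code to branch on before it moves to the server installation.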

Troubleshooting

Service fails to start

Check the journal first, then the indexer's own log at /var/log/wazuh-indexer/wazuh-cluster.log (named after cluster.name), which carries the full stack trace:

journalctl -u wazuh-indexer -xe

Common causes:

  • Insufficient RAM for the JVM heap - reduce -Xms/-Xmx values
  • Port 9200 or 9300 is occupied by another process
  • Syntax errors in opensearch.yml - validate the YAML format

Certificate errors

  • Verify that certificate filenames match the paths referenced in opensearch.yml: indexer.pem, indexer-key.pem, root-ca.pem
  • Check permissions: files must be 400, the directory must be 500
  • Owner must be wazuh-indexer:wazuh-indexer
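The certificate deployment steps and the checks in this troubleshooting entry can be run as one pre-flight test before the service is started. The script below is an added example, not part of Wazuh's tooling: it verifies that the files the packaged opensearch.yml references exist with the expected mode and owner, and, when openssl is installed, that the node certificate actually chains to root-ca.pem, which is the failure behind most "certificate error" startup messages. It assumes the directory and service user used in this guide and GNU stat, and it must run as root, since the files are readable only by their owner.

```shell
#!/usr/bin/env bash
# Pre-flight check of /etc/wazuh-indexer/certs before the service is started:
# the files the default opensearch.yml references must exist, be mode 400 inside
# a mode 500 directory, be owned by the service user, and the node certificate
# must chain to root-ca.pem. Hypothetical helper, not part of Wazuh's tooling.
set -eu

# check_indexer_certs <certs_dir> [<user>[:<group>]]
# Prints one line per problem found; returns 0 only if the directory is clean.
check_indexer_certs() {
  local dir="$1" owner="${2:-wazuh-indexer}" f mode own problems=0
  # File names the packaged opensearch.yml expects (after the mv -n renames).
  local required="indexer.pem indexer-key.pem root-ca.pem admin.pem admin-key.pem"
  case "$owner" in *:*) ;; *) owner="$owner:$owner";; esac

  if [ ! -d "$dir" ]; then
    echo "missing directory: $dir"; return 1
  fi
  mode="$(stat -c '%a' "$dir")"
  if [ "$mode" != "500" ]; then
    echo "$dir has mode $mode, expected 500"; problems=$((problems + 1))
  fi
  for f in $required; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing file: $dir/$f"; problems=$((problems + 1)); continue
    fi
    mode="$(stat -c '%a' "$dir/$f")"
    if [ "$mode" != "400" ]; then
      echo "$dir/$f has mode $mode, expected 400"; problems=$((problems + 1))
    fi
    own="$(stat -c '%U:%G' "$dir/$f")"
    if [ "$own" != "$owner" ]; then
      echo "$dir/$f is owned by $own, expected $owner"; problems=$((problems + 1))
    fi
  done
  # The node certificate must be issued by the CA every other node trusts,
  # otherwise inter-node and client TLS handshakes fail at startup.
  if command -v openssl >/dev/null 2>&1 \
     && [ -f "$dir/root-ca.pem" ] && [ -f "$dir/indexer.pem" ]; then
    if ! openssl verify -CAfile "$dir/root-ca.pem" "$dir/indexer.pem" >/dev/null 2>&1; then
      echo "$dir/indexer.pem does not verify against $dir/root-ca.pem"
      problems=$((problems + 1))
    fi
    # Print the subject so it can be compared with plugins.security.nodes_dn.
    openssl x509 -in "$dir/indexer.pem" -noout -subject 2>/dev/null || true
  fi
  [ "$problems" -eq 0 ]
}

# Usage on an indexer node, as root, before systemctl start wazuh-indexer:
#   check_indexer_certs /etc/wazuh-indexer/certs wazuh-indexer:wazuh-indexer
```

The printed subject is the string that must appear, verbatim, in plugins.security.nodes_dn on every node of the cluster; comparing it here is cheaper than reading the rejection out of the transport-layer TLS logs after the node fails to join.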

Nodes fail to form a cluster

  • Verify network connectivity between nodes (ports 9200 and 9300-9400)
  • Confirm that cluster.initial_master_nodes and discovery.seed_hosts contain identical values across all nodes
  • Verify that node.name is unique on each node and matches the CN of that node's certificate
  • Check that plugins.security.nodes_dn on every node lists the DN of every node's certificate; the security plugin rejects transport connections from a certificate whose DN is not listed

Security initialization fails

  • Confirm that all nodes are running before executing indexer-security-init.sh
  • Verify that admin.pem and admin-key.pem exist in the certificates directory

Disabling Automatic Updates

After a successful installation, disable the repository to prevent unintended upgrades:

Ubuntu / Debian:

sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
apt-get update

CentOS / RHEL:

sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

Next Steps

After installing the indexer, proceed with the Wazuh server installation.
