Wazuh Server 4.14 Installation - Step-by-Step Guide

Wazuh Server is the central platform component that receives data from agents, performs event analysis, applies detection rules, and generates alerts. The server consists of two main sub-components: Wazuh Manager (event processing) and Filebeat (data forwarding to the indexer). Before installing the server, complete the Wazuh Indexer installation.

Prerequisites

Hardware requirements

Parameter   Minimum    Recommended
CPU         2 cores    8 cores
RAM         2 GB       8 GB
Disk        20 GB      50+ GB

Network requirements

Port         Purpose
1514/TCP     Agent data reception
1515/TCP     Agent enrollment
1516/TCP     Server cluster communication
55000/TCP    REST API

Dependencies

  • A running Wazuh Indexer instance
  • The wazuh-certificates.tar file created during indexer installation
  • Access to packages.wazuh.com

Adding the Repository

Ubuntu / Debian

apt-get install gnupg apt-transport-https
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring \
  --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \
  | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

CentOS / RHEL 8 and earlier (YUM)

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' \
  | tee /etc/yum.repos.d/wazuh.repo

RHEL 9+ / CentOS Stream 10 (DNF)

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\npriority=1' \
  | tee /etc/yum.repos.d/wazuh.repo

Installing Wazuh Manager

Ubuntu / Debian

apt-get -y install wazuh-manager

CentOS / RHEL

yum -y install wazuh-manager

After installation, the manager starts automatically. Verify its status:

systemctl status wazuh-manager

Installing and Configuring Filebeat

Filebeat forwards alerts and archived events from Wazuh Manager to the Wazuh Indexer.

Install Filebeat

apt-get -y install filebeat    # Ubuntu / Debian
yum -y install filebeat        # CentOS / RHEL

Download configuration

curl -so /etc/filebeat/filebeat.yml \
  https://packages.wazuh.com/4.14/tpl/wazuh/filebeat/filebeat.yml

Configure the indexer connection

Edit /etc/filebeat/filebeat.yml with the indexer address:

output.elasticsearch:
  hosts: ["<INDEXER_IP>:9200"]
  protocol: https
  username: ${username}
  password: ${password}

For a multi-node indexer cluster, specify all nodes:

output.elasticsearch:
  hosts:
    - "<INDEXER_IP_1>:9200"
    - "<INDEXER_IP_2>:9200"
    - "<INDEXER_IP_3>:9200"
  protocol: https
  username: ${username}
  password: ${password}

Create the credential keystore

filebeat keystore create
echo admin | filebeat keystore add username --stdin --force
echo admin | filebeat keystore add password --stdin --force

Replace admin with the actual credentials for indexer access.

Download the Wazuh template and module

curl -so /etc/filebeat/wazuh-template.json \
  https://raw.githubusercontent.com/wazuh/wazuh/v4.14.4/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.5.tar.gz \
  | tar -xvz -C /usr/share/filebeat/module

Configuring the Indexer Connection in ossec.conf

Starting with Wazuh 4.14, the manager can communicate directly with the indexer. Configure the credentials:

echo '<INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
echo '<INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password

Edit /var/ossec/etc/ossec.conf and add the <indexer> section:

<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://<INDEXER_IP>:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>

Key ossec.conf sections

The file /var/ossec/etc/ossec.conf contains the main manager configuration. Key sections:

Section                    Description
<global>                   General settings: email notifications, logging level
<alerts>                   Minimum alert level for log recording
<remote>                   Agent connection settings
<rootcheck>                Rootkit detection
<syscheck>                 File integrity monitoring (FIM)
<vulnerability-detector>   Vulnerability scanning
<indexer>                  Wazuh Indexer connection
<cluster>                  Cluster configuration

Deploying Certificates for Filebeat

NODE_NAME=wazuh-1

mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ \
  ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem

mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem

chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

Replace wazuh-1 with the server node name specified in config.yml during certificate generation.
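The extraction above fails quietly when NODE_NAME does not match a name from config.yml (the tar contains no such files), and Filebeat refuses certificates with loose permissions. The following script is an added example, not part of the Wazuh documentation: it checks that /etc/filebeat/certs and its three files have the ownership and modes set above, that filebeat-key.pem actually belongs to filebeat.pem, and that filebeat.pem chains to root-ca.pem. It assumes GNU coreutils (stat -c) and an openssl binary; the directory path, the owner argument and all function names are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the Wazuh docs): verify the Filebeat certificate
# directory after "Deploying Certificates for Filebeat".
# Assumes GNU stat and, for the key/chain checks, an openssl binary.
set -u

# check_cert_perms DIR [OWNER]
# DIR must be mode 500; filebeat.pem, filebeat-key.pem and root-ca.pem must
# exist inside it with mode 400; everything must be owned by OWNER (default
# root, as in the guide). Prints one line per problem, returns their count.
check_cert_perms() {
    local dir=$1 owner=${2:-root} problems=0 f mode own
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    mode=$(stat -c %a "$dir"); own=$(stat -c %U "$dir")
    [ "$mode" = 500 ] || { echo "$dir: mode $mode, expected 500"; problems=$((problems+1)); }
    [ "$own" = "$owner" ] || { echo "$dir: owner $own, expected $owner"; problems=$((problems+1)); }
    for f in filebeat.pem filebeat-key.pem root-ca.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "$dir/$f: missing (was NODE_NAME correct when extracting the tar?)"
            problems=$((problems+1)); continue
        fi
        mode=$(stat -c %a "$dir/$f"); own=$(stat -c %U "$dir/$f")
        [ "$mode" = 400 ] || { echo "$dir/$f: mode $mode, expected 400"; problems=$((problems+1)); }
        [ "$own" = "$owner" ] || { echo "$dir/$f: owner $own, expected $owner"; problems=$((problems+1)); }
    done
    return "$problems"
}

# check_key_matches_cert CERT KEY
# Derives the public key from both files and compares them; works for RSA and
# EC keys. Returns 0 on match, 1 on mismatch, 2 if a file cannot be parsed.
check_key_matches_cert() {
    local cert=$1 key=$2 a b
    a=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "cannot read $cert"; return 2; }
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "cannot read $key"; return 2; }
    [ "$a" = "$b" ]
}

# check_cert_chain CERT CA: 0 if CERT was issued under CA (root-ca.pem).
check_cert_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# main DIR [OWNER]: run all checks on one certificate directory.
main() {
    local dir=$1 owner=${2:-root} rc=0
    check_cert_perms "$dir" "$owner" || rc=1
    if command -v openssl >/dev/null 2>&1 && [ -f "$dir/filebeat.pem" ]; then
        check_key_matches_cert "$dir/filebeat.pem" "$dir/filebeat-key.pem" \
            || { echo "filebeat-key.pem does not match filebeat.pem"; rc=1; }
        check_cert_chain "$dir/filebeat.pem" "$dir/root-ca.pem" \
            || { echo "filebeat.pem is not signed by root-ca.pem"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "certificate directory $dir looks correct"
    return "$rc"
}

# Stand-alone use: bash check-certs.sh /etc/filebeat/certs
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root right after the mv and chmod commands; a "missing" line for filebeat.pem almost always means NODE_NAME did not match the node name in config.yml, and a chain failure means the tar came from a different certificate generation run than the indexer's.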

Starting Services

Wazuh Manager

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

Filebeat

systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

Cluster Configuration

Wazuh Server supports master/worker clustering for fault tolerance and horizontal scaling.

Master node configuration

Edit /var/ossec/etc/ossec.conf on the master node:

<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node><MASTER_NODE_IP></node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>

Worker node configuration

On each worker node, install Wazuh Manager and Filebeat, then edit /var/ossec/etc/ossec.conf:

<cluster>
  <name>wazuh</name>
  <node_name>worker-01</node_name>
  <node_type>worker</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node><MASTER_NODE_IP></node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>

Key cluster parameters:

Parameter    Description
name         Cluster name, identical on all nodes
node_name    Unique name for each node
node_type    master or worker
key          Shared authentication key (32 hex characters), identical on all nodes
nodes        IP address of the master node

Generate a cluster key:

openssl rand -hex 16

After configuration, restart the manager on all nodes:

systemctl restart wazuh-manager

Verifying the Installation

Check manager status

systemctl status wazuh-manager

Verify Filebeat

filebeat test output

Expected output:

elasticsearch: https://<INDEXER_IP>:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: <IP>
    dial up... OK
    TLS...
      security: server's certificate chain verification is enabled
      ...
    talk to server... OK
  ...

Check the server cluster

/var/ossec/bin/cluster_control -l

This command lists all cluster nodes with their type, version, and status.

Verify through the REST API

TOKEN=$(curl -sk -u wazuh-wui:<WUI_PASSWORD> \
  -X POST "https://localhost:55000/security/user/authenticate?raw=true")

curl -sk -H "Authorization: Bearer $TOKEN" \
  "https://localhost:55000/manager/info" | python3 -m json.tool

Troubleshooting

Manager fails to start

journalctl -u wazuh-manager -xe
tail -n 50 /var/ossec/logs/ossec.log

Common causes:

  • Errors in ossec.conf - validate XML syntax: /var/ossec/bin/wazuh-analysisd -t
  • Port 1514 or 1515 is occupied by another process
  • Insufficient permissions on configuration files
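A port conflict is easy to confirm before the manager is even installed by comparing the listening sockets with the ports in the network-requirements table. The script below is an added example, not part of the Wazuh documentation: it parses the output of iproute2's ss -ltn (the "LISTEN" rows, taking the port from the local address column, IPv6 included) and reports which Wazuh server ports are already bound. The function names, the SAMPLE_SS text (a constructed sample, not captured from a real host) and the --live flag are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the Wazuh docs): check that the Wazuh server ports
# are free before installing, or when the manager refuses to start.
# Assumes iproute2 `ss` and awk. The parser takes the `ss -ltn` text as an
# argument so it can also be run against captured output.
set -u

WAZUH_PORTS="1514 1515 1516 55000"

# listening_ports SS_TEXT: TCP ports in LISTEN state, one per line, sorted.
# Column 4 of `ss -ltn` is the local address:port; the port is the text after
# the last colon, which also handles "[::]:1514" and "127.0.0.53%lo:53".
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# port_conflicts SS_TEXT [PORT...]: prints each wanted port that is already
# bound (defaults to WAZUH_PORTS) and returns the number of conflicts.
port_conflicts() {
    local ss_text=$1 conflicts=0 p used
    shift
    [ $# -gt 0 ] || set -- $WAZUH_PORTS
    used=$(listening_ports "$ss_text")
    for p in "$@"; do
        if printf '%s\n' "$used" | grep -qx "$p"; then
            echo "port $p/TCP is already in use"
            conflicts=$((conflicts+1))
        fi
    done
    return "$conflicts"
}

# Constructed sample of `ss -ltn` output (not from a real host): sshd on 22,
# systemd-resolved on 53, a stale listener on 1514 and an IPv6 one on 55000.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128          0.0.0.0:1514       0.0.0.0:*
LISTEN 0      128             [::]:55000         [::]:*'

# Stand-alone use: bash check-ports.sh --live   (inspects this host)
#                  bash check-ports.sh          (runs against the sample)
if [ "${1:-}" = --live ]; then
    port_conflicts "$(ss -ltn)" && echo "all Wazuh server ports are free"
elif [ $# -eq 0 ]; then
    port_conflicts "$SAMPLE_SS" || echo "$? conflict(s) in the sample"
fi
```

On a real host, a conflict on 1514 or 1515 after a failed start is often a previous wazuh-manager instance that did not exit; ss -ltnp (as root) shows the owning process.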

Filebeat cannot connect to the indexer

  • Verify indexer availability: curl -k -u admin https://<INDEXER_IP>:9200
  • Confirm keystore credentials are correct
  • Check certificates: correct files, 400 permissions, root ownership

Worker cannot connect to master

  • Verify that the cluster key (<key>) is identical on all nodes
  • Check network connectivity on port 1516 between nodes
  • Confirm that <nodes> contains the master IP, not the worker IP
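Most of the checks in the list above, and the constraints in the cluster parameter table, can be verified against ossec.conf before restarting the manager. The script below is an added example, not part of the Wazuh documentation: it pulls the <cluster> settings out of the file with line-based sed (enough for the one-setting-per-line layout the guide uses), flags a key that is not 32 hex characters, a <node> entry that still holds a placeholder or points at the worker's own IP, and a cluster left disabled, and prints a fingerprint of name, key and port that can be compared between nodes without pasting the key around. It assumes GNU sed and sha256sum; write_sample_conf writes a constructed configuration for demonstration and all function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the Wazuh docs): sanity-check the <cluster> section
# of ossec.conf. Assumes GNU sed and sha256sum; XML handling is line-based.
set -u

# cluster_setting FILE TAG: value of the first <TAG>...</TAG> inside <cluster>.
cluster_setting() {
    sed -n '/<cluster>/,/<\/cluster>/p' "$1" \
        | sed -n "s/.*<$2>\(.*\)<\/$2>.*/\1/p" | head -n 1
}

# cluster_nodes FILE: every <node>...</node> entry inside <nodes>, one per line.
cluster_nodes() {
    sed -n '/<cluster>/,/<\/cluster>/p' "$1" \
        | sed -n 's/.*<node>\(.*\)<\/node>.*/\1/p'
}

# validate_cluster FILE [OWN_IP]: print one line per problem, return their count.
# OWN_IP is this node's address; on a worker, <node> must not equal it.
validate_cluster() {
    local file=$1 own_ip=${2:-} problems=0 name type key port disabled nodes n
    name=$(cluster_setting "$file" name)
    type=$(cluster_setting "$file" node_type)
    key=$(cluster_setting "$file" key)
    port=$(cluster_setting "$file" port)
    disabled=$(cluster_setting "$file" disabled)
    nodes=$(cluster_nodes "$file")

    [ -n "$name" ] || { echo "<name> is empty"; problems=$((problems+1)); }
    case "$type" in
        master|worker) ;;
        *) echo "<node_type> must be master or worker, got '$type'"; problems=$((problems+1));;
    esac
    # The key is the shared cluster secret: exactly 32 lowercase hex characters,
    # as produced by "openssl rand -hex 16".
    if ! printf '%s' "$key" | grep -Eq '^[0-9a-f]{32}$'; then
        echo "<key> is not 32 hex characters"; problems=$((problems+1))
    fi
    [ "$port" = 1516 ] || { echo "<port> is '$port'; the guide and firewall rules assume 1516"; problems=$((problems+1)); }
    [ "$disabled" = no ] || { echo "<disabled> is '$disabled'; the cluster stays off until it is 'no'"; problems=$((problems+1)); }
    [ -n "$nodes" ] || { echo "<nodes> has no <node> entry"; problems=$((problems+1)); }
    for n in $nodes; do
        case "$n" in
            *'<'*|*'>'*) echo "<node> still holds placeholder '$n'"; problems=$((problems+1));;
        esac
        if [ "$type" = worker ] && [ -n "$own_ip" ] && [ "$n" = "$own_ip" ]; then
            echo "<node> is this worker's own IP ($n); it must point at the master"
            problems=$((problems+1))
        fi
    done
    return "$problems"
}

# cluster_fingerprint FILE: hash of name, key and port. Identical output on
# master and workers means they share the same cluster secret and settings.
cluster_fingerprint() {
    printf '%s:%s:%s' "$(cluster_setting "$1" name)" "$(cluster_setting "$1" key)" \
        "$(cluster_setting "$1" port)" | sha256sum | cut -c1-16
}

# write_sample_conf PATH NODE_TYPE NODE_NAME: writes a constructed ossec.conf
# fragment (not a real server's file) in the layout the guide shows.
write_sample_conf() {
    cat > "$1" <<EOF
<ossec_config>
  <cluster>
    <name>wazuh</name>
    <node_name>$3</node_name>
    <node_type>$2</node_type>
    <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>10.0.0.10</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
</ossec_config>
EOF
}

# Stand-alone use: bash check-cluster.sh /var/ossec/etc/ossec.conf [OWN_IP]
if [ $# -gt 0 ]; then
    validate_cluster "$1" "${2:-}" \
        && echo "cluster section OK, fingerprint $(cluster_fingerprint "$1")"
fi
```

Run it on every node and compare the fingerprints: a worker whose fingerprint differs from the master's has a different <name>, <key> or <port>, which is the first thing to rule out when cluster_control -l does not list it.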

Agents fail to enroll

  • Verify port 1515 (enrollment) is accessible on the server
  • Confirm that the firewall does not block ports 1514-1515
  • Check logs: grep -iE 'error|warn' /var/ossec/logs/ossec.log

Disabling Automatic Updates

Ubuntu / Debian:

sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
apt-get update

CentOS / RHEL:

sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
