Wazuh

Server install

(Taken from the quick start guide)

curl -sO https://packages.wazuh.com/4.12/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

As the install finishes, keep an eye out for your default admin password. If you miss it:

sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

Make groups for your endpoints to drop into

/var/ossec/bin/agent_groups -a -g Windows -q
/var/ossec/bin/agent_groups -a -g macOS -q
/var/ossec/bin/agent_groups -a -g Linux -q

Add agents

Head to https://your.wazuh-server.com/app/endpoints-summary#/agents-preview/deploy to fill out the connection info to generate an install file for the appropriate OS.

Check if Wazuh is running

systemctl status wazuh-manager

Main config file to edit

sudo nano /var/ossec/etc/ossec.conf

Review server logs/statuses

systemctl status wazuh-manager
systemctl status wazuh-indexer
sudo tail -f /var/ossec/logs/ossec.log
sudo cat /var/log/wazuh-indexer/wazuh-cluster.log
sudo filebeat test output

Starting/restarting services if necessary

sudo systemctl restart wazuh-indexer
sudo systemctl restart wazuh-manager

Reset all passwords

Read more about password resets here.

This procedure is for single-node Wazuh 4.x deployments. It resets all indexer passwords and then updates the dashboard so it can still authenticate to the indexer.

Pre-flight checks

Before running the password tool, the indexer cluster must be healthy (yellow or green, not red). If it's red, the tool will hang on "wait for YELLOW clusterstate" forever.

# Verify indexer is running and listening
sudo systemctl status wazuh-indexer
sudo ss -tlnp | grep 9200

# Verify cluster health (must be yellow or green)
sudo curl -k --cert /etc/wazuh-indexer/certs/admin.pem \
  --key /etc/wazuh-indexer/certs/admin-key.pem \
  https://127.0.0.1:9200/_cluster/health?pretty

Also verify ownership on the backup directory — root-owned files here cause silent failures:

sudo ls -la /etc/wazuh-indexer/ | grep backup
# Should show: drwxr-x--- wazuh-indexer wazuh-indexer
# If owned by root, fix it:
sudo chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/backup
sudo chmod 750 /etc/wazuh-indexer/backup

Step 1: Reset all indexer passwords

sudo /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -a -v 2>&1 | sudo tee /root/wazuh-pw-reset-$(date +%Y%m%d-%H%M).log

What the flags mean:

  • -a — change ALL internal users (auto-generate new passwords)
  • -v — verbose
  • -A — also rotate the Wazuh API admin password (requires current API creds; skip if unknown)
  • -u USER -p PASS — change a single user to a specific password

Save these from the output to your password manager:

  • admin ← used for browser login
  • kibanaserver ← used by dashboard service to talk to indexer
  • kibanaro, logstash, readall, snapshotrestore, anomalyadmin ← rarely used directly, but save them

The script also auto-updates the filebeat keystore for you (no manual step needed).

After saving passwords:

sudo shred -u /root/wazuh-pw-reset-*.log

Step 2: Update dashboard keystore (required after admin/kibanaserver password change)

The dashboard authenticates to the indexer using credentials in its keystore. After a password reset, this keystore is stale.

# Update the dashboard's stored username (should be kibanaserver, not admin)
sudo /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore remove opensearch.username --allow-root
sudo /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore add opensearch.username --allow-root
# At prompt: kibanaserver

# Update the password
sudo /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore remove opensearch.password --allow-root
sudo /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore add opensearch.password --allow-root
# At prompt: paste the kibanaserver password

Important: the dashboard service uses kibanaserver to query the indexer, NOT admin. Browser login uses admin, but that's separate.

Step 3: Restart services in the right order

sudo systemctl restart filebeat
sudo systemctl restart wazuh-dashboard

wazuh-indexer and wazuh-manager don't need restarting after password changes.

Step 4: Verify

# Filebeat → indexer connection
sudo filebeat test output

# Dashboard logs (look for "Server running at" — no [ResponseError] floods)
sudo journalctl -u wazuh-dashboard -n 30 --no-pager

# Browser login: https://<wazuh-ip> as admin
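An added example (not from the Wazuh project or its docs) that ties the pre-flight checks and the password reset together: it refuses to proceed unless the cluster health is green or yellow and the backup directory has the expected owner, and it pulls the kibanaserver password out of the saved tool log so it can go straight into the dashboard keystore. The health JSON and the "The password for user NAME is PASSWORD" log lines are constructed samples whose format is an assumption; `stat -c` is GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example, not Wazuh project code. Assumed formats (constructed samples,
# compare against your own output): _cluster/health JSON with a "status" field,
# and passwords-tool log lines '... The password for user NAME is PASSWORD'.

# Returns 0 when cluster status is green or yellow; 1 on red or unparseable
# (on red the passwords tool would hang on "wait for YELLOW clusterstate").
cluster_health_ok() {
  status=$(printf '%s\n' "$1" | sed -n 's/.*"status" *: *"\([a-z]*\)".*/\1/p' | head -n 1)
  case "$status" in
    green|yellow) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when DIR exists and is owned by OWNER:GROUP (GNU stat assumed).
backup_owner_ok() {
  dir=$1; want=$2
  [ -d "$dir" ] || return 1
  [ "$(stat -c '%U:%G' "$dir")" = "$want" ]
}

# Prints the password the tool generated for USER, read from the saved log text.
password_for() {
  user=$1; log=$2
  printf '%s\n' "$log" | sed -n "s/.*The password for user ${user} is \([^ ]*\).*/\1/p" | head -n 1
}

# --- constructed samples so the demo runs offline ---
SAMPLE_HEALTH='{ "cluster_name" : "wazuh-cluster", "status" : "yellow", "number_of_nodes" : 1 }'
SAMPLE_LOG='01/01/2025 12:00:00 INFO: The password for user admin is Adm1nExample
01/01/2025 12:00:00 INFO: The password for user kibanaserver is Kib4naExample'

if cluster_health_ok "$SAMPLE_HEALTH"; then
  echo "cluster health ok: safe to run wazuh-passwords-tool.sh -a"
  echo "kibanaserver password for the dashboard keystore: $(password_for kibanaserver "$SAMPLE_LOG")"
else
  echo "cluster not healthy: fix wazuh-indexer first" >&2
fi
# Live use: feed the real outputs instead of the samples, e.g.
#   cluster_health_ok "$(sudo curl -sk --cert /etc/wazuh-indexer/certs/admin.pem \
#     --key /etc/wazuh-indexer/certs/admin-key.pem https://127.0.0.1:9200/_cluster/health)"
#   backup_owner_ok /etc/wazuh-indexer/backup wazuh-indexer:wazuh-indexer
#   password_for kibanaserver "$(sudo cat /root/wazuh-pw-reset-*.log)"
```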

Resetting the Wazuh API admin password (separate procedure)

The Wazuh API (port 55000) has its OWN admin user and password, separate from the indexer. To reset:

# Method A: with -A flag if you know current API password
sudo /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -au <current_api_user> -ap <current_api_password> -A

# Method B: if you don't know it, edit the API user file directly
# (See Wazuh docs — involves editing /var/ossec/api/configuration/security/users.yaml
#  and running a Python tool)

After resetting the API password, update it in the dashboard's Wazuh app config:

sudo nano /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
# Update the password field for the API connection
sudo systemctl restart wazuh-dashboard

Common gotchas

  • ERR: Seems there is no OpenSearch running on 127.0.0.1:9200 — indexer is down or unhealthy. Don't proceed; fix indexer first.
  • Tool hangs on "wait for YELLOW clusterstate" — cluster is red OR memory-starved (check heap via ps -ef | grep Xmx). Fix cluster first.
  • AccessDeniedException: /etc/wazuh-indexer/backup — directory ownership wrong. chown -R wazuh-indexer:wazuh-indexer.
  • Dashboard "Server is not ready yet" + [ResponseError] loop — keystore credentials don't match what's in the indexer. Re-run the keystore update with kibanaserver creds.
  • Don't reuse passwords across users — script auto-generates strong unique ones, just save them.

Agents

Starting/restarting services

Linux:

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
sudo tail -f /var/ossec/logs/ossec.log

Macs:

sudo /Library/Ossec/bin/wazuh-control restart

Windows:

NET STOP WazuhSvc
NET START WazuhSvc