How to Install Wazuh on Linux (Ubuntu 24.04)

Learn how to install Wazuh on Ubuntu, Debian, CentOS and Rocky Linux. Step-by-step guide with the all-in-one method and separate component install. Requirements and commands.

To install Wazuh on Linux, use the official all-in-one installation script: download wazuh-install.sh, run it, and in 15-20 minutes you'll have the Wazuh Indexer, Server and Dashboard up and running. Compatible with Ubuntu 24.04, 22.04, Debian 12, CentOS 8/9 and Rocky Linux.

Which Wazuh components are installed and which do you need?

In this guide I'll show you how to install Wazuh on a Linux server quickly and easily. We'll cover both the all-in-one method (all components on a single server) and the separate component installation for larger production environments. This guide works for Ubuntu 24.04, 22.04, Debian 12, CentOS 8/9 and Rocky Linux.

Video: Installing Wazuh on Linux

18 minutes - Step by step with hands-on examples

Wazuh architecture: which components do you need?

Before installing, it's important to understand the three main components of Wazuh:

  • Wazuh Indexer: Stores and lets you search all events and alerts. Based on OpenSearch.
  • Wazuh Server (Manager): Receives data from the agents, analyzes logs, runs detection rules and generates alerts.
  • Wazuh Dashboard: Web interface to visualize alerts, search events, manage agents and generate reports.

In addition, you'll need to install Wazuh Agents on every server or endpoint you want to monitor.

Installation methods

You have two main options to install Wazuh:

1. All-in-One installation (recommended to get started)

The all-in-one method installs the three components (Indexer, Server and Dashboard) on a single server with one command. It's perfect for:

  • Test and lab environments
  • Small businesses (up to 50-100 agents)
  • Learning to use Wazuh before deploying it in production

Advantage: In less than 10 minutes you have Wazuh fully running, ready to add agents.

2. Installing components separately

For production environments with high availability or many agents, it's better to install each component on dedicated servers:

  • A server (or cluster) for the Wazuh Indexer
  • A server (or cluster) for the Wazuh Server
  • A server for the Wazuh Dashboard

This lets you scale each component independently based on your needs.

System requirements

For an all-in-one installation, these are the minimum requirements:

| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 2 cores | 4 cores |
| RAM | 4 GB | 8 GB |
| Disk | 50 GB | 100 GB SSD |
| Operating System | Ubuntu 22.04/24.04, Debian 11/12, CentOS 8/9, Rocky Linux 8/9 | |

Important: An SSD disk is highly recommended because the Indexer performs many read/write operations. With a traditional HDD, performance will be noticeably worse.
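
The minimums in the table above can be checked on the target server before the installer runs. The script below is an added example, not part of the original guide or of Wazuh. It assumes the Indexer data will live on the filesystem holding /var, checks free space rather than total disk size, and uses a 3700 MiB RAM threshold because a 4 GB host reports slightly less than 4096 MiB.

```bash
#!/usr/bin/env bash
# Added example: preflight check against the all-in-one minimums listed above.
MIN_CORES=2
MIN_RAM_MB=3700   # 4 GB nominal; MemTotal on a 4 GB host reads a little under 4096 MiB
MIN_DISK_GB=50
DATA_PATH="${DATA_PATH:-/var}"   # assumption: filesystem that will hold the Indexer data

# meets_minimum NAME ACTUAL REQUIRED: prints a verdict, returns 0 when ACTUAL >= REQUIRED
meets_minimum() {
    if [ "$2" -ge "$3" ]; then
        echo "OK    $1: $2 (minimum $3)"
    else
        echo "FAIL  $1: $2 (minimum $3)"
        return 1
    fi
}

# supported_os ID VERSION_ID: values as found in /etc/os-release
supported_os() {
    case "$1:$2" in
        ubuntu:22.04|ubuntu:24.04|debian:11|debian:12) return 0 ;;
        centos:8*|centos:9*|rocky:8*|rocky:9*) return 0 ;;
    esac
    return 1
}

preflight() {
    rc=0
    cores=$(nproc)
    ram_mb=$(awk '/^MemTotal:/ {print int($2 / 1024)}' /proc/meminfo)
    disk_gb=$(df -Pk "$DATA_PATH" | awk 'NR == 2 {print int($4 / 1048576)}')
    os_id=$(. /etc/os-release && echo "$ID")
    os_ver=$(. /etc/os-release && echo "$VERSION_ID")
    meets_minimum "CPU cores" "$cores" "$MIN_CORES" || rc=1
    meets_minimum "RAM (MiB)" "$ram_mb" "$MIN_RAM_MB" || rc=1
    meets_minimum "Free disk on $DATA_PATH (GiB)" "$disk_gb" "$MIN_DISK_GB" || rc=1
    if supported_os "$os_id" "$os_ver"; then
        echo "OK    OS: $os_id $os_ver"
    else
        echo "FAIL  OS: $os_id $os_ver is not in the supported list"; rc=1
    fi
    return "$rc"
}

# Run the checks only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then preflight; fi
```

Run it with the --check argument; a non-zero exit status means at least one requirement is not met.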

All-in-One installation step by step

Let's install Wazuh using the all-in-one method. You need root or sudo access to the server.

Step 1: Prepare the server

First, make sure the system is up to date:

# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y

# CentOS/Rocky Linux
sudo dnf update -y

Step 2: Download and run the installer

Wazuh provides an official script that automates the whole process. With a single command you download the script and run it:

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

The -a flag indicates an all-in-one installation. The script:

  • Automatically detects your operating system
  • Installs all the required dependencies
  • Configures the Wazuh Indexer, Server and Dashboard
  • Generates SSL certificates automatically
  • Starts all the services

The process takes between 5 and 15 minutes depending on the speed of your server and your internet connection.
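
The one-liner above hands whatever curl saved straight to bash as root, and without -f an HTTP error page is saved under the script's name with a zero exit status. The script below is an added example, not part of the original guide or of Wazuh, that splits the step into fetch, verify and run. EXPECTED_SHA256 is a placeholder for the digest you recorded when you reviewed the script, and the shebang check assumes the installer starts with a shell interpreter line.

```bash
#!/usr/bin/env bash
# Added example: the one-liner above split into fetch, verify, run.
INSTALLER_URL="https://packages.wazuh.com/4.7/wazuh-install.sh"   # URL from the step above
# Placeholder: the SHA-256 you recorded when you reviewed the script.
EXPECTED_SHA256="${EXPECTED_SHA256:-REPLACE_WITH_REVIEWED_SHA256}"

# fetch_installer OUTFILE
fetch_installer() {
    # -f makes curl fail on an HTTP error instead of saving the error page
    # under the script's name; --proto '=https' keeps the transfer,
    # including redirects, on HTTPS.
    curl --proto '=https' --tlsv1.2 -fsSL -o "$1" "$INSTALLER_URL"
}

# verify_installer FILE EXPECTED_SHA256: returns 0 only for a non-empty
# shell script whose digest matches the expected value.
verify_installer() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    head -n 1 "$1" | grep -q '^#!.*sh' ||
        { echo "no shell shebang, refusing to run: $1" >&2; return 1; }
    actual=$(sha256sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] ||
        { echo "sha256 mismatch: got $actual" >&2; return 1; }
}

# Install only when asked, and only if every earlier step succeeded.
if [ "${1:-}" = "--install" ]; then
    fetch_installer ./wazuh-install.sh &&
        verify_installer ./wazuh-install.sh "$EXPECTED_SHA256" &&
        sudo bash ./wazuh-install.sh -a
fi
```

HTTPS only protects the download in transit; the pinned digest is what ties the file you run to the file you reviewed.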

Step 3: Save the credentials

When the installation finishes, the script will show you the access credentials for the Dashboard:

INFO: --- Summary ---
INFO: You can access the web interface https://<wazuh-dashboard-ip>
    User: admin
    Password: <GENERATED_PASSWORD>

Important: Store this password somewhere safe. If you lose it, you'll have to reset it manually.

Step 4: Access the Dashboard

Open your browser and go to:

https://<YOUR_SERVER_IP>

Enter the user admin and the password you saved. You now have Wazuh up and running!

Installing components separately

If you need a distributed architecture, you can install each component on a different server. Wazuh provides detailed documentation for each case.

The process is similar: you download specific scripts and run them on each server. The main difference is that you must configure the communication between components (IPs, certificates, etc.).

Next step: install agents

With Wazuh installed, the next step is to install agents on the servers and endpoints you want to monitor. The agents collect logs, monitor files, detect vulnerabilities and send all that information to the Wazuh Server.

You can install agents on:

  • Linux servers (Ubuntu, Debian, CentOS, Rocky, RHEL...)
  • Windows servers (Server 2016, 2019, 2022)
  • Windows 10/11 workstations
  • macOS
  • Docker containers

Check the official documentation: Install Wazuh Agent
