In this tutorial, you will learn how to install Wazuh SIEM server on RHEL 9/RHEL 10. The Wazuh platform offers XDR and SIEM functionalities aimed at safeguarding your cloud, container, and server workloads. These capabilities encompass the analysis of log data, detection of intrusions and malware, monitoring file integrity, assessing configurations, identifying vulnerabilities, and ensuring compliance with regulatory standards.
Table of Contents
Install Wazuh SIEM Server on RHEL 9/RHEL 10
Wazuh SIEM Capabilities
Wazuh can be used to monitor endpoints, cloud services and containers, and to aggregate and analyze data from external sources. Wazuh provides the following capabilities:
- Security Analytics
- Intrusion Detection
- Log Data Analysis
- File Integrity Monitoring
- Vulnerability Detection
- Configuration Assessment
- Incident Response
- Regulatory Compliance
- Cloud Security Monitoring
- Containers Security
Major Wazuh SIEM Server Components
Wazuh SIEM server is made up of various components;
- Wazuh Indexer: This is a highly scalable, full-text search and analytics engine that indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. Wazuh indexer is a open source fork of OpenSearch. It can be installed on the same node as Wazuh server and dashboard or on an individual node if you are using a distributed setup.
- Wazuh Server: The Wazuh server analyzes the data received from the Wazuh agents, triggering alerts when threats or anomalies are detected. It is also used to remotely manage the agents’ configuration and monitor their status.
- Wazuh Dashboard: It provides intuitive web interface for mining, analyzing, and visualizing security data. It provides out-of-the-box dashboards, allowing you to seamlessly navigate through the user interface.
- Wazuh agent. These are the agents installed and run on the endpoints that the user wants to monitor. It communicates with the Wazuh server, sending data in near real-time through an encrypted and authenticated channel for processing.
Wazuh SIEM System Hardware Requirements
Each Wazuh SIEM server component requires various system hardware specs to function optimally.
Below are the minimum and recommended hardware requirements for each component.
- Wazuh Indexer:
- Minimum: 4 GB RAM, 2 CPU cores
- Recommended: 16 GB RAM, 8 CPU cores
- Disk: disk space required varies with the number of generated alerts per second (APS).
- Wazuh Server:
- Minimum: 2 GB RAM, 2 CPU cores
- Recommended: 4 GB RAM, 8 CPU cores
- Disk: disk space required varies with the number of generated alerts per second (APS).
- Wazuh Dashboard:
- Minimum: 4 GB RAM, 2 CPU cores
- Recommended: 8 GB RAM, 4 CPU cores
- Disk: disk space required varies with the number of generated alerts per second (APS).
In this tutorial, we will be installing the major components of Wazuh on a single node. Hence, here are our system hardware specs.
RAM: 8G
free -h total used free shared buff/cache available
Mem: 7.5Gi 620Mi 6.9Gi 12Mi 196Mi 6.9Gi
Swap: 2.0Gi 0B 2.0Gi
CPU Cores:
nproc --all4Disk space;
df -hT -P /Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/rhel-root xfs 47G 2.6G 45G 6% /
Next, proceed to install Wazuh SIEM server. As already mentioned, we will deploy all Wazuh components (Wazuh indexer, Wazuh server and Wazuh dashboard) on a single node.
Install Wazuh RPM Repository
To smoothly run the installation of Wazuh SIEM components on RHEL 9/RHEL 10, you need to install Wazuh repository.
Thus, to begin with, elevate your privileges:
sudo su -Install Wazuh repository GPG signing key on RHEL 9/RHEL 10.
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUHInstall the Wazuh 4.x repository;
cat > /etc/yum.repos.d/wazuh.repo << 'EOF'
[wazuh]
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
priority=1
EOFGenerate Wazuh SSL/TLS Certificates
Generate SSL/TLS certificates that will be used to encrypt communication between the Wazuh SIEM components.
Wazuh provides some script that can be used to generate the certificates.
Therefore, replace the value of the VER below with the current major release version of Wazuh;
VER=4.13Then, download the tools required to generate the certificates;
wget https://packages.wazuh.com/${VER}/wazuh-certs-tool.shDownload a configuration file that helps you define the IP address and name of each Wazuh node.These values are also used as Subject Alternative Names (SANs) when generating SSL/TLS certificates to ensure secure and trusted communication between nodes.
wget https://packages.wazuh.com/${VER}/config.ymlBy default, this is how the configuration looks like;
cat config.ymlnodes:
# Wazuh indexer nodes
indexer:
- name: node-1
ip: "<indexer-node-ip>"
#- name: node-2
# ip: "<indexer-node-ip>"
#- name: node-3
# ip: "<indexer-node-ip>"
# Wazuh server nodes
# If there is more than one Wazuh server
# node, each one must have a node_type
server:
- name: wazuh-1
ip: "<wazuh-manager-ip>"
# node_type: master
#- name: wazuh-2
# ip: "<wazuh-manager-ip>"
# node_type: worker
#- name: wazuh-3
# ip: "<wazuh-manager-ip>"
# node_type: worker
# Wazuh dashboard nodes
dashboard:
- name: dashboard
ip: "<dashboard-node-ip>"
You can edit the configuration file and replace the nodes names and IP addresses with your respective names and IP/hostnames based on your architecture.
Since we are running a single node cluster of Wazuh SIEM server, this how our final config.yml looks like
cat config.ymlnodes:
# Wazuh indexer nodes
indexer:
- name: indexer
ip: "192.168.122.195"
# Wazuh server nodes
server:
- name: wazuh-server
ip: "192.168.122.195"
# Wazuh dashboard nodes
dashboard:
- name: dashboard
ip: "192.168.122.195"Save the updated configuration file and proceed to generate the SSL/TLS certificates for Wazuh components using the wazuh-certs-tool.sh script.
Make the script executable:
chmod +x ./wazuh-certs-tool.shYou can see the usage of the script:
./wazuh-certs-tool.sh -h
NAME
wazuh-cert-tool.sh - Manages the creation of certificates of the Wazuh components.
SYNOPSIS
wazuh-cert-tool.sh [OPTIONS]
DESCRIPTION
-a, --admin-certificates
Creates the admin certificates, add root-ca.pem and root-ca.key.
-A, --all
Creates certificates specified in config.yml and admin certificates. Add a root-ca.pem and root-ca.key or leave it empty so a new one will be created.
-ca, --root-ca-certificates
Creates the root-ca certificates.
-v, --verbose
Enables verbose mode.
-wd, --wazuh-dashboard-certificates
Creates the Wazuh dashboard certificates, add root-ca.pem and root-ca.key.
-wi, --wazuh-indexer-certificates
Creates the Wazuh indexer certificates, add root-ca.pem and root-ca.key.
-ws, --wazuh-server-certificates
Creates the Wazuh server certificates, add root-ca.pem and root-ca.key.
-tmp, --cert_tmp_path
Modifies the default tmp directory (/tmp/wazuh-ceritificates) to the specified one.
Must be used along with one of these options: -a, -A, -ca, -wi, -wd, -wsSo, to generate the certificates for all the components defined in the config.yml file, run the script with option -A/–all.
./wazuh-certs-tool.sh -ASample output;
26/09/2025 11:35:34 INFO: Verbose logging redirected to /root/wazuh-certificates-tool.log
26/09/2025 11:35:34 INFO: Generating the root certificate.
26/09/2025 11:35:34 INFO: Generating Admin certificates.
26/09/2025 11:35:34 INFO: Admin certificates created.
26/09/2025 11:35:34 INFO: Generating Wazuh indexer certificates.
26/09/2025 11:35:34 INFO: Wazuh indexer certificates created.
26/09/2025 11:35:34 INFO: Generating Filebeat certificates.
26/09/2025 11:35:34 INFO: Wazuh Filebeat certificates created.
26/09/2025 11:35:34 INFO: Generating Wazuh dashboard certificates.
26/09/2025 11:35:34 INFO: Wazuh dashboard certificates created.
The generated certs are placed under wazuh-certificates directory created in the current working directory.
ls -1 wazuh-certificatesadmin-key.pem
admin.pem
dashboard-key.pem
dashboard.pem
indexer-key.pem
indexer.pem
root-ca.key
root-ca.pem
wazuh-server-key.pem
wazuh-server.pem
Install Wazuh SIEM Server on RHEL 9/RHEL 10
You can now begin setting up the Wazuh SIEM stack. Since we’re deploying a single-node setup, all components: Indexer, Manager, Dashboard, and Filebeat, will be installed and configured on the same server.
Let’s walk through each component step by step.
Install Wazuh Indexer on RHEL 9/RHEL 10
Next, install Wazuh indexer component:
dnf install wazuh-indexerSample installation output;
Updating Subscription Management repositories.
EL-10 - Wazuh 1.0 MB/s | 108 kB 00:00
Red Hat Enterprise Linux 10 for x86_64 - AppStream (RPMs) 87 kB/s | 4.1 kB 00:00
Red Hat Enterprise Linux 10 for x86_64 - BaseOS (RPMs) 87 kB/s | 4.1 kB 00:00
Dependencies resolved.
==============================================================================================================================================================================================================
Package Architecture Version Repository Size
==============================================================================================================================================================================================================
Installing:
wazuh-indexer x86_64 4.13.1-1 wazuh 817 M
Transaction Summary
==============================================================================================================================================================================================================
Install 1 Package
Total download size: 817 M
Installed size: 1.0 G
Is this ok [y/N]: y
Downloading Packages:
wazuh-indexer-4.13.1-1.x86_64.rpm 82 MB/s | 817 MB 00:09
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 82 MB/s | 817 MB 00:09
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: wazuh-indexer-4.13.1-1.x86_64 1/1
Installing : wazuh-indexer-4.13.1-1.x86_64 1/1
Running scriptlet: wazuh-indexer-4.13.1-1.x86_64 1/1
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable wazuh-indexer.service
### You can start the wazuh-indexer service by executing
sudo systemctl start wazuh-indexer.service
Installed products updated.
Installed:
wazuh-indexer-4.13.1-1.x86_64
Complete!Configure Wazuh Indexer on RHEL 9/RHEL 10
Since we are running a single node Wazuh, there are only a few things we will update on the Wazuh indexer configuration.
The default Wazuh indexer configuration is /etc/wazuh-indexer/opensearch.yml.
This is how it looks like by default;
cat /etc/wazuh-indexer/opensearch.ymlnetwork.host: "0.0.0.0"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
#- "node-2"
#- "node-3"
cluster.name: "wazuh-cluster"
#discovery.seed_hosts:
# - "node-1-ip"
# - "node-2-ip"
# - "node-3-ip"
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: trueAs already mentioned, for a single node, there are only a few changes we will make here:
- network.host: We will leave default setting to allow Wazuh indexer to listen on all interfaces for both HTTP and Transport (if we had a cluster) connections.
- node.name: Set to the name of the indexer as defined config.yml used in generating the SSL/TLS certs.
- cluster.initial_master_nodes: This is used during the initial setup of a cluster to identify the master-eligible nodes. It is more relevant when running a multi-node cluster. The value of this setting must exactly match the node.name value(s) based on your cluster architecture.
- cluster.name: defines cluster name. You can leave default or define your own.
- plugins.security.nodes_dn: This setting is used to specify the Distinguished Names (DN) of the nodes that are allowed to join the cluster. You can obtain the value using openssl command;
You can get DN using the command below;
openssl x509 -noout -subject -in wazuh-certificates/indexer.pemsubject=C = US, L = California, O = Wazuh, OU = Wazuh, CN = indexerThis is how our updated Wazuh indexer configuration looks like;
cat /etc/wazuh-indexer/opensearch.ymlnetwork.host: "0.0.0.0"
node.name: "indexer"
cluster.initial_master_nodes:
- "indexer"
cluster.name: "wazuh-cluster"
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
compatibility.override_main_response_version: true
Next, copy the generated SSL/TLS certs for Wazuh indexer as well as the Admin certs/key to certs directory as defined in the /etc/wazuh-indexer/opensearch.yml configuration file.
See;
plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
Thus, create the directory and copy certs;
mkdir /etc/wazuh-indexer/certs/cp wazuh-certificates/{root-ca.pem,indexer.pem,indexer-key.pem,admin.pem,admin-key.pem} /etc/wazuh-indexer/certs/Should now look like;
ls -1 /etc/wazuh-indexer/certs/*/etc/wazuh-indexer/certs/admin-key.pem
/etc/wazuh-indexer/certs/admin.pem
/etc/wazuh-indexer/certs/indexer-key.pem
/etc/wazuh-indexer/certs/indexer.pem
/etc/wazuh-indexer/certs/root-ca.pem
Update the permissions and set the ownership of the SSL/TLS certs to wazuh-indexer;
chmod 500 /etc/wazuh-indexer/certschmod 400 /etc/wazuh-indexer/certs/*chown -R wazuh-indexer: /etc/wazuh-indexer/certsStart and Initialize Wazuh Indexer Cluster
You can now start and enable Wazuh indexer to run on system boot. Ensure there is no service listening in port 9200/tcp.
systemctl enable --now wazuh-indexersystemctl status wazuh-indexer● wazuh-indexer.service - wazuh-indexer
Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: disabled)
Active: active (running) since Fri 2025-09-26 11:56:15 EDT; 3s ago
Invocation: a8859b84b28a42aa8b988087843afc60
Docs: https://documentation.wazuh.com
Main PID: 4199 (java)
Tasks: 68 (limit: 48912)
Memory: 1.3G (peak: 1.3G)
CPU: 29.398s
CGroup: /system.slice/wazuh-indexer.service
└─4199 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headl>
Sep 26 11:56:06 rhel10-wazuh systemd-entrypoint[4199]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.19.2.jar)
Sep 26 11:56:06 rhel10-wazuh systemd-entrypoint[4199]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Sep 26 11:56:06 rhel10-wazuh systemd-entrypoint[4199]: WARNING: System::setSecurityManager will be removed in a future release
Sep 26 11:56:06 rhel10-wazuh systemd-entrypoint[4199]: Sep 26, 2025 11:56:06 AM sun.util.locale.provider.LocaleProviderAdapter
Sep 26 11:56:06 rhel10-wazuh systemd-entrypoint[4199]: WARNING: COMPAT locale provider will be removed in a future release
Sep 26 11:56:07 rhel10-wazuh systemd-entrypoint[4199]: WARNING: A terminally deprecated method in java.lang.System has been called
Sep 26 11:56:07 rhel10-wazuh systemd-entrypoint[4199]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.19.2.jar)
Sep 26 11:56:07 rhel10-wazuh systemd-entrypoint[4199]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Sep 26 11:56:07 rhel10-wazuh systemd-entrypoint[4199]: WARNING: System::setSecurityManager will be removed in a future release
Sep 26 11:56:15 rhel10-wazuh systemd[1]: Started wazuh-indexer.service - wazuh-indexer.
Next, execute the “/usr/share/wazuh-indexer/bin/indexer-security-init.sh” script on a Wazuh indexer node to apply the updated certificate information and start the single-node cluster.
/usr/share/wazuh-indexer/bin/indexer-security-init.shSecurity Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.19.2
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml
SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml
SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","actiongroups","config","internalusers"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","actiongroups","config","internalusers"]) due to: null
Done with success
The Wazuh indexer (opensearch) should now be running. Confirm the ports;
ss -atlnp | grep -E "92|93"Or;
curl -k -XGET https://localhost:9200 -u adminWhen prompted for password, default is admin.
Enter host password for user 'admin':
{
"name" : "indexer",
"cluster_name" : "wazuh-cluster",
"cluster_uuid" : "EAvu55xjRh24I0FdXLtaIQ",
"version" : {
"number" : "7.10.2",
"build_type" : "rpm",
"build_hash" : "63bef474b662d18fef0c73e0bd7660a8c5024121",
"build_date" : "2025-09-23T11:09:10.698387729Z",
"build_snapshot" : false,
"lucene_version" : "9.12.1",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
Install Wazuh Server/Manager on RHEL 9/RHEL 10
Since you already have the Wazuh repository installed, simply execute the command below to install Wazuh server on RHEL 9/RHEL 10.
dnf install wazuh-managerOnce the installation is complete, you can start and enable Wazuh-manager to run on system boot;
systemctl enable --now wazuh-managerOpen Wazuh Manager Port on Firewall. Usually, the Wazuh agents are set to communicate with Wazuh manager via TCP port 1514 by default.
ss -alnptu | grep -i wazuhtcp LISTEN 0 128 0.0.0.0:1514 0.0.0.0:* users:(("wazuh-remoted",pid=49410,fd=4))
tcp LISTEN 0 128 0.0.0.0:1515 0.0.0.0:* users:(("wazuh-authd",pid=49236,fd=3))
Thus, open port 1514/tcp on Wazuh manager.
firewall-cmd --add-port=1514/tcp --permanentfirewall-cmd --reloadAlso, allow port 1515/tcp for agent registration;
firewall-cmd --add-port=1515/tcp --permanentfirewall-cmd --reloadRead more on required ports.
Install and Configure Filebeat for Wazuh Manager
Filebeat is required to be installed on the Wazuh manager server so as to ship processed logs and event data to the Wazuh indexer, where they are indexed and stored for efficient searching and analysis.
As of this writing, Wazuh indexer v4.13.1 is compatible with Filebeat-OSS 7.10.2, which is provided by the Wazuh repository.
dnf provides filebeatUpdating Subscription Management repositories.
EL-10 - Wazuh 64 MB/s | 39 MB 00:00
Red Hat Enterprise Linux 10 for x86_64 - AppStream (RPMs) 74 MB/s | 16 MB 00:00
Red Hat Enterprise Linux 10 for x86_64 - BaseOS (RPMs) 108 MB/s | 25 MB 00:00
filebeat-7.9.1-1.x86_64 : Filebeat sends log files to Logstash or directly to Elasticsearch.
Repo : wazuh
Matched from:
Provide : filebeat = 7.9.1-1
filebeat-7.10.0-1.x86_64 : Filebeat sends log files to Logstash or directly to Elasticsearch.
Repo : wazuh
Matched from:
Provide : filebeat = 7.10.0-1
filebeat-7.10.2-1.x86_64 : Filebeat sends log files to Logstash or directly to Elasticsearch.
Repo : wazuh
Matched from:
Provide : filebeat = 7.10.2-1
filebeat-7.10.2-1.x86_64 : Filebeat sends log files to Logstash or directly to Elasticsearch.
Repo : wazuh
Matched from:
Provide : filebeat = 7.10.2-1
Thus, install Filebeat using the command below;
dnf install filebeatOnce the installation is done, make a backup of the default configuration file
mv /etc/filebeat/filebeat.yml{,.stock}Then run the command below to create new Filebeat configuration file with the following configs.
Make the relevant updates before updating.
Note, IP address used on the hosts setting should match the one defined while generating ssl certs.
cat > /etc/filebeat/filebeat.yml << 'EOF'
output.elasticsearch:
hosts: ["192.168.122.195:9200"]
protocol: https
username: admin
password: admin
ssl.certificate_authorities: "/etc/filebeat/certs/root-ca.pem"
ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
logging.level: info
logging.to_files: true
logging.files:
path: /var/log/filebeat
name: filebeat
keepfiles: 7
permissions: 0644
logging.metrics.enabled: false
seccomp:
default_action: allow
syscalls:
- action: allow
names:
- rseq
EOFIf you want, you can use Filebeat keystore to store the credentials in variables rather than plain text as in above configuration.
To store credentials in keystore, create the keystore;
filebeat keystore createThe store the username and password in keystore using variables;
Both of the commands will prompt you to type the values of each variable.
filebeat keystore add USERNAMEfilebeat keystore add PASSYou can then update the credentials on filebeat.yml by changing;
username: admin
password: admin
to;
username: ${USERNAME}
password: ${PASS}
Next, install root CA Wazuh server certificates generated before to be used by Filebeat;
mkdir /etc/filebeat/certs/Copy the Wazuh server node certificates (cert files are named as per the Wazuh node name provided in certs config.yml) and rename them as defined in the filebeat.yml;
cp wazuh-certificates/root-ca.pem /etc/filebeat/certs/root-ca.pemcp wazuh-certificates/wazuh-server.pem /etc/filebeat/certs/filebeat.pemcp wazuh-certificates/wazuh-server-key.pem /etc/filebeat/certs/filebeat-key.pemInstall Filebeat Wazuh Module:
wget -qO- https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz \
| tar -xz -C /usr/share/filebeat/module/Download and install Wazuh alerts Wazuh indexer template from the Github repo current release branch (v4.7.2 as of this writing):
wget -O /etc/filebeat/wazuh-template.json \
https://raw.githubusercontent.com/wazuh/wazuh/v4.13.1/extensions/elasticsearch/7.x/wazuh-template.jsonchmod go+r /etc/filebeat/wazuh-template.jsonTest Filebeat config;
filebeat test configConfig OKTest Filebeat Elasticsearch output;
filebeat test outputelasticsearch: https://192.168.122.195:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.122.195
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2
Start and enable Filebeat to run on system boot;
systemctl enable --now filebeatCheck status;
systemctl status filebeatEverything is now set for the single node Wazuh SIEM server cluster.
Install Wazuh Dashboard on RHEL 9/RHEL 10
Now that the Wazuh Indexer and Manager are installed, continue by setting up the Dashboard for a centralized UI.
Since you already have Wazuh repository installed, just execute the command below to install Wazuh dashboard.
dnf install wazuh-dashboardConfigure Wazuh dashboard to allow external access and to connect it to Wazuh indexer.
The default configuration file for Wazuh dashboard is /etc/wazuh-dashboard/opensearch_dashboards.yml.
vim /etc/wazuh-dashboard/opensearch_dashboards.ymlWe will only update the Wazuh indexer address;
server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://192.168.122.195:9200
opensearch.ssl.verificationMode: certificate
#opensearch.username:
#opensearch.password:
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuhSave and exit the file.
Install the Wazuh dashboard certificates. The names of the cert files matches the name you gave to the dashboard in the config.yml.
mkdir /etc/wazuh-dashboard/certs/cp wazuh-certificates/dashboard.pem /etc/wazuh-dashboard/certs/dashboard.pemcp wazuh-certificates/dashboard-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pemcp wazuh-certificates/root-ca.pem /etc/wazuh-dashboard/certs/Update the permissions and set the ownership of the SSL/TLS certs to wazuh-indexer;
chmod 500 /etc/wazuh-dashboard/certschmod 400 /etc/wazuh-dashboard/certs/*chown -R wazuh-dashboard: /etc/wazuh-dashboard/certsStart and enable Wazuh dashboard to run on system boot;
systemctl enable --now wazuh-dashboardChecking the status of each service;
systemctl status wazuh-dashboard● wazuh-dashboard.service - wazuh-dashboard
Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; preset: disabled)
Active: active (running) since Fri 2025-09-26 12:45:47 EDT; 36s ago
Invocation: bcae8fb499d94a138a6326c93765b259
Main PID: 9633 (node)
Tasks: 11 (limit: 48912)
Memory: 168.7M (peak: 282.6M)
CPU: 6.026s
CGroup: /system.slice/wazuh-dashboard.service
└─9633 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist
Sep 26 12:45:51 rhel10-wazuh opensearch-dashboards[9633]: {"type":"log","@timestamp":"2025-09-26T16:45:51Z","tags":["info","plugins","wazuh","initialize"],"pid":9633,"message":"App revision: 01"}
Sep 26 12:45:51 rhel10-wazuh opensearch-dashboards[9633]: {"type":"log","@timestamp":"2025-09-26T16:45:51Z","tags":["info","plugins","wazuh","initialize"],"pid":9633,"message":"Total RAM: 7679MB"}
Sep 26 12:45:51 rhel10-wazuh opensearch-dashboards[9633]: {"type":"log","@timestamp":"2025-09-26T16:45:51Z","tags":["error","opensearch","data"],"pid":9633,"message":"[ResponseError]: Response Error"}
Sep 26 12:45:51 rhel10-wazuh opensearch-dashboards[9633]: {"type":"log","@timestamp":"2025-09-26T16:45:51Z","tags":["error","opensearch","data"],"pid":9633,"message":"[ResponseError]: Response Error"}
Sep 26 12:45:51 rhel10-wazuh opensearch-dashboards[9633]: {"type":"log","@timestamp":"2025-09-26T16:45:51Z","tags":["listening","info"],"pid":9633,"message":"Server running at https://0.0.0.0:443"}
Sep 26 12:45:51 rhel10-wazuh opensearch-dashboards[9633]: {"type":"log","@timestamp":"2025-09-26T16:45:51Z","tags":["info","http","server","OpenSearchDashboards"],"pid":9633,"message":"http server running >
Sep 26 12:45:51 rhel10-wazuh opensearch-dashboards[9633]: {"type":"log","@timestamp":"2025-09-26T16:45:51Z","tags":["info","plugins","wazuh","cron-scheduler"],"pid":9633,"message":"Updated the wazuh-statis>
Sep 26 12:45:51 rhel10-wazuh opensearch-dashboards[9633]: {"type":"log","@timestamp":"2025-09-26T16:45:51Z","tags":["info","plugins","wazuh","monitoring"],"pid":9633,"message":"Updated the wazuh-agent temp>
Sep 26 12:45:52 rhel10-wazuh opensearch-dashboards[9633]: {"type":"log","@timestamp":"2025-09-26T16:45:52Z","tags":["info","plugins","wazuh","monitoring"],"pid":9633,"message":"wazuh-monitoring-2025.39w in>
Sep 26 12:45:52 rhel10-wazuh opensearch-dashboards[9633]: {"type":"log","@timestamp":"2025-09-26T16:45:52Z","tags":["info","plugins","wazuh","monitoring"],"pid":9633,"message":"Settings added to wazuh-moni>
And you are pretty much done.
Accessing Wazuh Dashboard Web Interface
Open the Wazuh dashboard on the Firewall;
firewall-cmd --add-port=443/tcp --permanentYou can now access Wazuh dashboard via the url https://<server-IP-or-hostname>.
Accept the self-signed SSL cert warning and proceed to Wazuh dashboard.
The default credentials are admin/admin for user and password.
You land on Wazuh Overview dashboard if all components are operating fine.
No agents are connected by default. However, there should be some default events already collected from the Wazuh manager.
For example head over to Threat Intelligence (Threat hunting dashboard). You can access the same from the default overview dashboard as shown above or access it form the Wazuh left menu panel;
Click on the Events to view related events.
Explore Wazuh further!
And that is it! You have successfully setup Wazuh SIEM server, integrated with Wazuh indexer and Wazuh dashboard.
That closes our guide on installing Wazuh SIEM server on RHEL 9/RHEL 10.
You can now go ahead and install Wazuh agents and start log collection from your end points.
