# Wazuh Indexer Installation

> Note: You need root user privileges to run all the commands described below.

The installation process is divided into three stages.

1. Certificates creation
2. Nodes installation
3. Cluster initialization

We are going to install Wazuh v4.10 on a single Ubuntu server instance, so this guide covers installation on Ubuntu or Debian-based systems. For any other distribution, follow the official step-by-step guide:

{% hint style="info" %}
<https://documentation.wazuh.com/4.10/installation-guide/wazuh-indexer/step-by-step.html>
{% endhint %}

***

## Certificates Creation

Download the `wazuh-certs-tool.sh` script and the `config.yml` configuration file. The script creates the certificates that encrypt communications between the Wazuh central components.

```bash
curl -sO https://packages.wazuh.com/4.10/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.10/config.yml
```

Now edit the config file to create the certificates needed for the deployment:

```bash
sudo nano config.yml
```

Rename the components and enter the IP address of each one to initialize the deployment.

```yaml
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: indexer-node-1   # <--CHANGE THIS-->
      ip: "192.168.146.157"  # <--CHANGE THIS-->
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: server-node-1    # <--CHANGE THIS-->
      ip: "192.168.146.157"  # <--CHANGE THIS-->
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard-node-1 # <--CHANGE THIS-->
      ip: "192.168.146.157"  # <--CHANGE THIS-->
```

The lines marked `<--CHANGE THIS-->` are the values that will change for each deployment.

Run `./wazuh-certs-tool.sh` to create the certificates. For a multi-node cluster, these certificates need to be later deployed to all Wazuh instances in your cluster.

```bash
bash ./wazuh-certs-tool.sh -A
```

The output should look like:

{% code overflow="wrap" %}

```bash
01/03/2025 05:36:05 INFO: Verbose logging redirected to /home/wazuh/wazuh-certificates-tool.log
01/03/2025 05:36:05 INFO: Generating the root certificate.
01/03/2025 05:36:05 INFO: Generating Admin certificates.
01/03/2025 05:36:05 INFO: Admin certificates created.
01/03/2025 05:36:05 INFO: Generating Wazuh indexer certificates.
01/03/2025 05:36:06 INFO: Wazuh indexer certificates created.
01/03/2025 05:36:06 INFO: Generating Filebeat certificates.
01/03/2025 05:36:06 INFO: Wazuh Filebeat certificates created.
01/03/2025 05:36:06 INFO: Generating Wazuh dashboard certificates.
01/03/2025 05:36:06 INFO: Wazuh dashboard certificates created.
```

{% endcode %}

The `wazuh-certificates` folder is now created in the current directory. Compress all the necessary files:

```bash
tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
```

Copy the `wazuh-certificates.tar` file to all the nodes, including the Wazuh indexer, Wazuh server, and Wazuh dashboard nodes. If the Wazuh components are distributed over different instances, this can be done with the `scp` utility.

***

## Nodes Installation

Install the necessary dependencies and add the repository needed to install the Wazuh indexer on the Ubuntu instance.

```bash
apt-get install debconf adduser procps
apt-get install gnupg apt-transport-https
```

Install the GPG key and add the repository:

```bash
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
sudo apt-get update
```

Now install the Wazuh indexer package:

```bash
apt-get -y install wazuh-indexer=4.10.1-1
```

Configure the Wazuh indexer node:

```bash
sudo nano /etc/wazuh-indexer/opensearch.yml
```

Make the following changes in the config file:

1. `network.host`: Sets the address of this node for both HTTP and transport traffic. The node will bind to this address and use it as its publish address. Accepts an IP address or a hostname.

   Use the same node address set in `config.yml` to create the SSL certificates.
2. `node.name`: Name of the Wazuh indexer node as defined in the `config.yml` file. For example, `node-1`.
3. `cluster.initial_master_nodes`: List of the names of the master-eligible nodes. These names are defined in the `config.yml` file. Uncomment the `node-2` and `node-3` lines, change the names, or add more lines, according to your `config.yml` definitions.

   ```
   cluster.initial_master_nodes:
   - "node-1"
   - "node-2"
   - "node-3"
   ```
4. `discovery.seed_hosts:` List of the addresses of the master-eligible nodes. Each element can be either an IP address or a hostname. You may leave this setting commented if you are configuring the Wazuh indexer as a single node. For multi-node configurations, uncomment this setting and set the IP addresses of each master-eligible node.

   ```
   discovery.seed_hosts:
     - "10.0.0.1"
     - "10.0.0.2"
     - "10.0.0.3"
   ```
5. `plugins.security.nodes_dn`: List of the Distinguished Names of the certificates of all the Wazuh indexer cluster nodes. Uncomment the lines for `node-2` and `node-3` and change the common names (CN) and values according to your settings and your `config.yml` definitions.

   ```
   plugins.security.nodes_dn:
   - "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
   - "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
   - "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
   ```

<figure><img src="https://2332860236-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fq6mjlFfyDOi3mV0lemKE%2Fuploads%2FHJ3gRbHWBlpffBXiiRaw%2Fimage.png?alt=media&#x26;token=a0d4aeef-fd3c-45e5-b784-4672742bf8b7" alt=""><figcaption></figcaption></figure>
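
One way to confirm that the values entered above agree with `config.yml` before starting the service. This is an added example, not part of the Wazuh tooling or of the original guide; the function names are hypothetical, and it assumes the `nodes: indexer:` layout shown earlier and a flat `key: value` layout in `opensearch.yml`.

```shell
#!/usr/bin/env bash
# Added example: cross-check opensearch.yml against config.yml.

# Print "name ip" for each uncommented entry under nodes -> indexer in config.yml.
indexer_nodes() {
  awk '/^ *#/ {next}
       /^  [a-z]+:/ {sec=$1}
       sec=="indexer:" && $1=="-" && $2=="name:" {name=$3}
       sec=="indexer:" && $1=="ip:" {gsub(/"/,"",$2); print name, $2}' "$1"
}

# Print one scalar setting from opensearch.yml, quotes stripped.
os_scalar() {
  awk -v k="$2:" '$1==k {gsub(/"/,"",$2); print $2}' "$1"
}

# Print the uncommented items of a list setting from opensearch.yml.
os_list() {
  awk -v k="$2:" '$1==k {on=1; next}
       on && /^ *- / {sub(/^ *- */,""); gsub(/"/,""); print; next}
       on && !/^ *#/ {on=0}' "$1"
}

# check_indexer_config CONFIG_YML OPENSEARCH_YML: non-zero status on any mismatch.
check_indexer_config() {
  local cfg=$1 os=$2 bad=0 name ip n
  name=$(os_scalar "$os" node.name)
  ip=$(indexer_nodes "$cfg" | awk -v n="$name" '$1==n {print $2}')
  if [ -z "$ip" ]; then
    echo "node.name '$name' is not an indexer in $cfg"; bad=1
  elif [ "$(os_scalar "$os" network.host)" != "$ip" ]; then
    echo "network.host differs from $ip set for '$name' in $cfg"; bad=1
  fi
  for n in $(os_list "$os" cluster.initial_master_nodes); do
    indexer_nodes "$cfg" | grep -q "^$n " ||
      { echo "initial master node '$n' is not in $cfg"; bad=1; }
  done
  for n in $(indexer_nodes "$cfg" | cut -d' ' -f1); do
    os_list "$os" plugins.security.nodes_dn | grep -q "^CN=$n," ||
      { echo "no nodes_dn entry with CN=$n"; bad=1; }
  done
  return $bad
}

if [ "$#" -eq 2 ]; then check_indexer_config "$1" "$2"; fi
```

Saved as a script, it takes the two file paths as arguments, for example `config.yml` and `/etc/wazuh-indexer/opensearch.yml`, and prints one line per mismatch.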

With the changes made in the config file, we move on to the certificates deployment section.

Run the following commands replacing `<INDEXER_NODE_NAME>` with the name of the Wazuh indexer node you are configuring as defined in `config.yml`. For example, `node-1`. This deploys the SSL certificates to encrypt communications between the Wazuh central components.

```bash
NODE_NAME=<INDEXER_NODE_NAME>
# NODE_NAME=indexer-node-1
```

{% code overflow="wrap" %}

```bash
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
```

{% endcode %}

Start the service. If the configuration is correct, the service should start successfully.

```bash
systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer
```

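It is recommended to disable Wazuh package upgrades during system updates so that all the components keep running the same version across the systems. On Ubuntu or Debian this means commenting out the APT source added earlier. Do this only once every Wazuh component this host installs from the repository is in place, because `apt-get` can no longer install Wazuh packages from it afterwards.

```bash
sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
apt-get update
```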

***

## Cluster Initialization

Run the Wazuh indexer `indexer-security-init.sh` script on *any* Wazuh indexer node to load the new certificates information and start the single-node or multi-node cluster.

```
/usr/share/wazuh-indexer/bin/indexer-security-init.sh
```

The output should look like:

<figure><img src="https://2332860236-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fq6mjlFfyDOi3mV0lemKE%2Fuploads%2FiXV9JnliL4SZOZCOA8z4%2Fimage.png?alt=media&#x26;token=59ae003f-b901-4f90-9875-d382b7e88a59" alt=""><figcaption></figcaption></figure>

#### Testing the cluster

```bash
curl -k -u admin:admin https://<WAZUH_INDEXER_IP_ADDRESS>:9200
# curl -k -u admin:admin https://192.168.146.157:9200
```

The output should look like:

```json
{
  "name" : "indexer-node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "Echt18vTSkCOrJ7a22xp3g",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "deb",
    "build_hash" : "7149046c7c9c64aa43e437826af0b8b0dcabd730",
    "build_date" : "2025-01-15T11:04:30.997631Z",
    "build_snapshot" : false,
    "lucene_version" : "9.11.1",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
```

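Replace `<WAZUH_INDEXER_IP_ADDRESS>` and run the following command to check whether the single-node or multi-node cluster is working correctly. In both commands `-k` makes curl skip certificate verification; passing `--cacert /etc/wazuh-indexer/certs/root-ca.pem` instead verifies the node against the root CA deployed earlier.

```bash
curl -k -u admin:admin "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v"
# curl -k -u admin:admin "https://192.168.146.157:9200/_cat/nodes?v"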
```

If no errors are displayed, the indexer node has been deployed successfully. Next, we move on to installing the Wazuh server.
