Seeking Reporting Solutions for Wazuh (Export, PDF, Pagination, Dashboards)

[Ankit Tyagi]

Hi Everyone,

Hope you’re doing well.

We are currently working with Wazuh 

---

What We Are Trying to Achieve

We are now exploring options for building a comprehensive reporting solution, specifically:

• Generate custom reports across different data types (alerts, inventory, vulnerabilities, FIM)
• Download full reports (not just visible rows)
• Export reports in:
  • PDF (formatted)
  • PNG (dashboard snapshot)
  • CSV/Excel
• Handle large datasets with pagination
• Ability to export the entire dataset across multiple pages
• Option for scheduled reports (email delivery)

Current Challenges

• Wazuh dashboard seems limited for advanced reporting/export
• Difficult to export complete datasets with pagination
  

Questions

1. Has anyone implemented a reporting layer on top of Wazuh?
2. Are there any tools/plugins/integrations you recommend?
3. Have you achieved:
   • Full dataset export?
   • Paginated reporting?
   • PDF/PNG report generation?
4. Are you using:
   • OpenSearch Dashboards?
   • Kibana reporting?
   • Custom scripts / APIs?
   • External tools (e.g., Power BI, Grafana, Splunk)?

---

What We Are Considering

• Using Splunk as the reporting layer
• Building custom reporting APIs
• Using OpenSearch/Kibana reporting features

---

Goal

We are trying to build an enterprise-level reporting solution where:

Wazuh → Data → Flexible Reports → Export (PDF/PNG/CSV) → Scheduled Delivery

---

Would Appreciate Inputs On

• Best practices
• Existing implementations
• Avoiding rework if a solution already exists
• Any roadmap from Wazuh side (if known)

---

Thanks in advance for your help!

[Lucas Santiago Viñals]

Hi Ankit,

- Has anyone built a reporting layer on top of Wazuh? — The two patterns are:
- The built-in/indexer reporting plugin for formatted PDF/PNG/CSV with scheduling
- Custom export layer hitting the indexer + server APIs for full datasets.
- Full dataset export? — Yes, via the indexer _search API with PIT/search_after (alerts, vulns) and the server REST API (inventory). Not reliably via the dashboard CSV export since the UI is meant for small queries to render.
- Paginated reporting? — Yes, same APIs.
- PDF/PNG generation? — Yes, built in (module reports + the reporting plugin: PDF and PNG).
- Scheduled / email reports? — Scheduling: yes (reporting plugin https://docs.opensearch.org/2.19/reporting/rep-cli-index, cron). Email delivery: depends on your version — verify it's available before committing to it.

On the tools you're considering

- OpenSearch Dashboards reporting — already what you have; lean on the wazuh-indexer-reporting plugin first. Lowest effort, no extra infrastructure.
- Custom reporting APIs — the most flexible and, in my experience, the right answer specifically for full dataset export with pagination. Build it on the indexer API (PIT/search_after) + Wazuh server REST API.
- Grafana — very popular pairing. Point a Grafana OpenSearch data source at the Wazuh indexer; Grafana Enterprise gives you scheduled PDF reports and good dashboards. Good middle ground if you want polished, scheduled reporting without writing much code.
- Splunk — viable (Wazuh can forward alert data to Splunk) and Splunk's reporting is strong, but it's a heavy, costly layer to add purely for reporting. Only worth it if you're already standardizing on Splunk for other reasons.
- Power BI — can connect to the indexer (OpenSearch SQL/ODBC or REST) if your org is already a Power BI shop.

My suggestion: start with the built-in/indexer reporting plugin for formatted/scheduled PDF/PNG/CSV, and add a thin custom export layer on the indexer + server APIs for the guaranteed full-dataset/paginated exports. That covers your whole list without taking on Splunk's cost/complexity. If you want richer visuals and scheduled delivery with minimal coding, Grafana on top of the indexer is the strongest "external tool" option.

Hope this clarifies your questions.

Best regards,

Lucas