Wazuh Central Dashboard Setup


Aly Aboulazm

Jul 29, 2025, 4:51:53 AM
to Wazuh | Mailing List
Hi team, I wanted to ask about the necessary steps I need to take to link all alerts that are generated from 9 Wazuh servers that I currently have that contain the Manager, Dashboard, and Indexer to another server that would act as the Central Dashboard that shows all the alerts that are generated from the other Wazuh servers. Keep in mind that I want the other servers to still show the alerts that they send to the central dashboard in their respective dashboards and store them as usual. I would really appreciate your help with this matter.

Md. Nazmur Sakib

Jul 29, 2025, 5:17:47 AM
to Wazuh | Mailing List
Hi Aly Aboulazm,

You can have an architecture like this, where you will have a single Dashboard for all the sites. A CCS indexer on the dashboard server will act as a medium to access and query security data from remote Wazuh indexers on different sites.


Now you can make a role-based access user on the Dashboard and limit the access to the data.


Check this document to get help with the configuration.
https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/

I haven't configured an architecture with multiple dashboards. This needs further testing. Please allow me some time to build a test environment to simulate the architecture and share the findings with you.

Aly Aboulazm

Jul 29, 2025, 5:26:45 AM
to Wazuh | Mailing List
Okay, thank you, and I will look into the documentation you provided.

Md. Nazmur Sakib

Jul 30, 2025, 4:29:22 AM
to Wazuh | Mailing List

Yes, it is possible to query all the data to a centralized dashboard. I have tested this in my lab, and it is working without any issues.

For testing, I have used a Wazuh server deployment (Wazuh indexer, Wazuh Manager, Wazuh dashboard).

Next, I have configured a Wazuh CCS indexer and dashboard on another server.


Ref: https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/



After that, I have configured a new set of certificates for the Wazuh server based on the pre-existing root certificates that I generated for CCS.

Ref: https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/certificates.html

On the Wazuh deployment, you will need to add an extra line in /etc/wazuh-indexer/opensearch.yml under plugins.security.nodes_dn:, similar to the line colored in red. CN= will be your CCS cluster node name.

plugins.security.nodes_dn:
- "CN=ca-wazuh-indexer-1,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=ccs-wazuh-indexer-1,OU=Wazuh,O=Wazuh,L=California,C=US"


Select ☰ >  Indexer management > DevTools and run the following API call to connect the CCS environment to the remote Wazuh clusters on port 9300:


Note: Add the Wazuh indexer node name for clusters A and B to the "cluster.remote" section and their corresponding IP addresses to the "seeds" section.


PUT _cluster/settings
{
  "persistent": {
    "cluster.remote": {
      "ca-wazuh-indexer-1": {
        "seeds": ["192.168.10.101:9300"]
      },
      "cb-wazuh-indexer-1": {
        "seeds": ["192.168.20.101:9300"]
      }
    }
  }
}

Ref: https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/

I suggest you test this in a test environment to understand the configuration properly before applying it in production.


If you need further clarification with the setup, let me know. I will try to make a step-by-step configuration PDF document for you on this.
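An added example, not part of the thread or of Wazuh's own tooling: a pre-flight check for the two changes described above. It reads the nodes_dn list from opensearch.yml text, confirms the CCS node's CN is listed, flags wildcard patterns (which OpenSearch accepts in nodes_dn and which extend node-level trust to more certificates than intended), and builds the `_cluster/settings` body from a site inventory. The function names, the sample YAML and the inventory are constructed for illustration, using the node names and addresses from the post.

```python
import ipaddress
import json
import re

# Constructed sample: the nodes_dn section as shown in the thread.
OPENSEARCH_YML = '''
plugins.security.nodes_dn:
- "CN=ca-wazuh-indexer-1,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=ccs-wazuh-indexer-1,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.ssl.http.enabled: true
'''

def parse_nodes_dn(yml_text):
    """Return the DN strings listed under plugins.security.nodes_dn."""
    entries, in_block = [], False
    for line in yml_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("plugins.security.nodes_dn:"):
            in_block = True
        elif in_block and stripped.startswith("- "):
            entries.append(stripped[2:].strip().strip("\"'"))
        elif in_block and stripped and not stripped.startswith("#"):
            in_block = False  # next top-level key ends the list
    return entries

def audit_nodes_dn(entries, ccs_cn):
    """List problems: CCS node not trusted, or DN patterns that trust too much."""
    findings = []
    cns = [m.group(1) for e in entries if (m := re.match(r"CN=([^,]+)", e))]
    if ccs_cn not in cns:
        findings.append(f"missing CN={ccs_cn}")
    findings += [f"wildcard entry: {e}" for e in entries if "*" in e]
    return findings

def build_remote_settings(sites, port=9300):
    """Build the PUT _cluster/settings body from {node_name: ip}."""
    remote = {}
    for name, ip in sites.items():
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        remote[name] = {"seeds": [f"{ip}:{port}"]}
    return {"persistent": {"cluster.remote": remote}}

if __name__ == "__main__":
    print(audit_nodes_dn(parse_nodes_dn(OPENSEARCH_YML), "ccs-wazuh-indexer-1"))
    sites = {"ca-wazuh-indexer-1": "192.168.10.101", "cb-wazuh-indexer-1": "192.168.20.101"}
    print(json.dumps(build_remote_settings(sites), indent=2))
```

With nine sites, the same inventory dictionary gets nine entries, and the audit is run against each site's own opensearch.yml before the settings call is made from the CCS dashboard.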