Replace Wazuh-Indexer by OpenSearch


clemba “clemba” b

Sep 25, 2025, 5:13:53 AM
to Wazuh | Mailing List

Hello team,

Is it possible to replace Wazuh Indexer with OpenSearch and connect the Wazuh server and Wazuh dashboard to this new OpenSearch cluster?

I believe I just need to update the URL in Filebeat on the Wazuh manager and also update the URL in the Wazuh dashboard, as well as add roles and role mappings in OpenSearch.

Please let me know if that’s correct.

Best regards,
Clément.

Cedrick Foko

Sep 25, 2025, 9:44:29 AM
to Wazuh | Mailing List
Hello,
Yes, it is possible to replace the Wazuh indexer with an OpenSearch cluster and connect the Wazuh manager and dashboard to that cluster.
Wazuh Indexer is built on top of OpenSearch with some added tools specific to Wazuh.
As you said, updating the Filebeat and Wazuh dashboard configuration to point to the OpenSearch nodes on the correct port will be necessary.
Also, you need to use the OpenSearch version compatible with Wazuh to avoid compatibility issues. For example, Wazuh version 4.10.1 uses OpenSearch 2.16.0. This implies that if using an external OpenSearch cluster, the OpenSearch version needs to align closely with the version Wazuh expects.
In addition, you will need to apply the correct OpenSearch index template to ensure that Wazuh data is indexed correctly.
Once the deployment is done and the OpenSearch cluster is indexing alerts from the Wazuh manager, you will need to create the index patterns required by the Wazuh dashboard: wazuh-alerts-*, wazuh-monitoring-*, wazuh-statistics-*

clemba “clemba” b

Sep 25, 2025, 10:15:23 AM
to Wazuh | Mailing List

Hello,
First of all, thank you for your reply.

I still have a few questions:

  • Will the vulnerability module continue to work, and if so, how are the vulnerabilities sent to OpenSearch (also through Filebeat)?

  • Second, where can I find the Wazuh–OpenSearch compatibility information depending on the Wazuh version?

Best regards,
Clément.

Cedrick Foko

Sep 26, 2025, 12:26:22 PM
to Wazuh | Mailing List
Hello,
Yes, the vulnerability detection will continue to work. The vulnerability data will be sent directly from the manager to OpenSearch.
Unfortunately, we don't have information related to OpenSearch compatibility with Wazuh versions in our documentation. However, you can find below the list of Wazuh versions with the corresponding OpenSearch version installed:
  • From v4.5 to v4.7: OpenSearch 2.6.0.
  • From v4.8 to v4.9: OpenSearch 2.13.0.
  • From v4.10 to v4.11: OpenSearch 2.16.0.
  • From v4.12.0: OpenSearch 2.19.1 (downgrades are not supported).
In addition, you can find details about integration with OpenSearch in our documentation: https://documentation.wazuh.com/current/integrations-guide/opensearch/index.html
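
A preflight check built on the version list in the reply above, as an added example that is not part of the original thread or of Wazuh's own tooling. It compares the version an external cluster reports on its root endpoint (`GET /`) with the OpenSearch version bundled with a given Wazuh release; the function names are hypothetical and the sample response is constructed.

```python
import json

# Wazuh release ranges and bundled OpenSearch versions, as listed in the reply above.
# Each entry: (first major.minor, last major.minor or None if open-ended, OpenSearch version)
BUNDLED = [
    ((4, 5), (4, 7), "2.6.0"),
    ((4, 8), (4, 9), "2.13.0"),
    ((4, 10), (4, 11), "2.16.0"),
    ((4, 12), None, "2.19.1"),
]

def expected_opensearch(wazuh_version):
    """Return the OpenSearch version bundled with this Wazuh release, or None if unlisted."""
    parts = wazuh_version.lstrip("v").split(".")
    try:
        major_minor = (int(parts[0]), int(parts[1]))
    except (IndexError, ValueError):
        return None
    for low, high, opensearch in BUNDLED:
        if major_minor >= low and (high is None or major_minor <= high):
            return opensearch
    return None

def check_cluster(wazuh_version, root_response):
    """Compare the JSON body of GET / from the cluster with the version Wazuh ships."""
    expected = expected_opensearch(wazuh_version)
    if expected is None:
        return ("unknown", "Wazuh %s is not in the list" % wazuh_version)
    version = json.loads(root_response).get("version", {})
    # An OpenSearch node reports distribution "opensearch" in this object.
    if version.get("distribution") != "opensearch":
        return ("not-opensearch", "cluster does not identify as OpenSearch")
    actual = version.get("number", "")
    if actual == expected:
        return ("match", actual)
    return ("mismatch", "cluster runs %s, Wazuh %s ships %s"
            % (actual, wazuh_version, expected))

# Constructed sample of the JSON an OpenSearch node returns on GET /
SAMPLE = '{"name": "node-1", "version": {"distribution": "opensearch", "number": "2.16.0"}}'

if __name__ == "__main__":
    for wazuh in ("4.10.1", "v4.12.0", "4.4.0"):
        print(wazuh, check_cluster(wazuh, SAMPLE))
```

A `mismatch` result only says the cluster differs from the bundled version; the thread asks for the versions to align closely, so treat it as a prompt to review before pointing Filebeat and the dashboard at the cluster.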