Next steps after Wazuh installation and agent onboarding


Robby Hunters

Jan 13, 2026, 2:27:42 AMJan 13
to Wazuh | Mailing List

Hi Wazuh Team,

I’ve successfully installed Wazuh and all of our critical servers are now connected as agents.

At this point, I just wanted to ask what would be the recommended next steps or best practices to follow after the initial setup?

For example:

  • Are there any baseline configurations or tuning you usually recommend?

  • Should I enable or adjust any specific modules (FIM, Vulnerability Detection, SCA, etc.) at this stage?

  • Are there any common checks or validations to make sure the setup is running optimally and securely?

Any guidance, documentation, or pointers would be great.

Thanks in advance for your help,

Best regards,
Robby

Bony V John

Jan 13, 2026, 2:32:35 AMJan 13
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Jan 13, 2026, 4:05:42 AMJan 13
to Wazuh | Mailing List

Hi,

Based on your questions, please find the recommendations below.

For tuning the Wazuh server to run smoothly, you can follow these steps:

  • Configure the Wazuh indexer JVM heap. This helps prevent the Wazuh indexer from running out of memory in the future, especially when executing large queries from the Wazuh dashboard. You can refer to the Wazuh indexer tuning documentation for configuring JVM memory and memory locking.
  • If you are running only a single indexer node, you can consider configuring a single primary shard. By default, the Wazuh indexer creates 3 primary shards per index, which can cause the shard limit to be reached quickly. Setting the number of shards to 1 helps avoid hitting the shard limit too fast. You can refer to the Wazuh documentation that explains shard usage and how to configure the shard count.
  • You can also configure an ILM (Index Lifecycle Management) policy to automatically delete old indices. This helps prevent the shard limit from being exhausted. By default, a single Wazuh indexer can handle up to 1000 shards. Once this limit is reached, new indices will not be created, and new alerts will stop appearing on the dashboard. Based on your log retention requirements, you can configure ILM policies to delete old wazuh-alerts-* indices automatically. Refer to the Wazuh ILM documentation for configuration details.

Note: After deleting old indices, the deleted alerts will no longer be searchable in the Wazuh dashboard. If you need to retain historical data, you can configure index snapshots and store them on an NFS or backup server. Refer to the Wazuh snapshot documentation for guidance.

  • On the Wazuh manager server, alert logs are archived daily. They are compressed and stored under: /var/ossec/logs/alerts/<year>/<month>/ossec-alerts-<date>.json and .log. Over time, these files can consume disk space. To optimize storage usage, you can create a custom script to move these files to another server for backup or delete them based on your retention policy.

Regarding your second question:

  • By default, FIM, SCA, and Vulnerability Detection are enabled on Wazuh agents. You can further tune the FIM module to monitor additional directories based on your requirements, such as download directories or sensitive paths. This allows real-time monitoring and alerting when files or directories are modified, added or deleted.
  • For Vulnerability Detection, no additional configuration is required in most cases. Wazuh automatically detects vulnerabilities on endpoints and displays them in the Vulnerability Inventory section of the dashboard.
  • For SCA, Wazuh provides default SCA policies on the agent based on the operating system. In addition to these default policies, you can create custom SCA policies in the future to meet your specific compliance or security requirements. You can refer to the Wazuh documentation for detailed guidance on creating custom SCA policies.
  • To optimize alerting, you can also create custom rules tailored to your environment. Refer to the Wazuh rule syntax documentation for creating and tuning custom rules.
  • For further system analysis, you can monitor the Statistics dashboard to check event processing and detect any event drops. On the Wazuh dashboard, go to: Hamburger menu (top left) > Server Management > Statistics > Analysis Engine. Monitor these graphs to ensure events are being processed correctly and that no event dropping is occurring.

Please let us know if you need help with any of these steps.
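The retention script mentioned above for the manager's daily alert archives, as an added example that is not code from this thread or from the Wazuh project. It assumes the archives are compressed with a .gz suffix and that the directory, retention period and optional backup target are passed as arguments:

```shell
#!/bin/sh
# Added example, not code from the thread or from the Wazuh project.
# Retention helper for the daily alert archives the Wazuh manager writes under
# /var/ossec/logs/alerts/<year>/<month>/ossec-alerts-<day>.{json,log}.gz
# (the .gz suffix is assumed; the manager compresses the previous day's files).
#
# prune_alert_archives DIR DAYS [BACKUP_DIR]
#   Files under DIR named ossec-alerts-* and last modified more than DAYS days
#   ago are moved into BACKUP_DIR (keeping the year/month layout) when it is
#   given, otherwise deleted. Prints the number of files handled; returns 1 on
#   bad arguments. Archive paths contain no whitespace, so plain word splitting
#   of the find output is safe here.
prune_alert_archives() {
    dir=$1; days=$2; backup=${3:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    case $days in
        ''|*[!0-9]*) echo "retention must be a whole number of days" >&2; return 1 ;;
    esac
    count=0
    # -mtime +N selects files whose mtime is more than N*24 hours in the past.
    for f in $(find "$dir" -type f -name 'ossec-alerts-*' -mtime +"$days"); do
        if [ -n "$backup" ]; then
            rel=${f#"$dir"/}                  # e.g. 2025/Nov/ossec-alerts-01.json.gz
            mkdir -p "$backup/$(dirname "$rel")" || return 1
            mv "$f" "$backup/$rel" || return 1
        else
            rm -f "$f" || return 1
        fi
        count=$((count + 1))
    done
    echo "$count"
}

# Typical use from a daily cron job on the manager (90-day retention, copies
# kept on a mounted backup share):
#   prune_alert_archives /var/ossec/logs/alerts 90 /mnt/backup/wazuh-alerts
```

Run it first without a backup target on a copy of the directory to confirm the count matches what you expect before scheduling it.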

Robby Hunters

Jan 13, 2026, 10:47:43 AMJan 13
to Wazuh | Mailing List

Hi Bony,

Thank you very much for the detailed recommendations.

Actually, we have already implemented all of the points you mentioned, including:

  • Indexer JVM heap tuning and memory locking,

  • Shard optimization (using a single primary shard),

  • ILM policies for old index deletion,

  • Snapshot and retention handling,

  • Agent modules (FIM, Vulnerability Detection, and SCA) tuning,

  • Custom rules and monitoring through the Statistics dashboard.

Everything is currently running stable on our side.

May I ask if there are any additional best practices or optimizations that you would recommend beyond what you have shared, especially for production environments with a moderate but growing number of agents?

Additionally, I would like to clarify one thing regarding updates:

If Wazuh publishes official updates to detection rules and SCA policies on GitHub, will my Wazuh environment automatically receive those updates for rules and SCA only, without upgrading the Wazuh manager itself?
Or do these updates still require a manual process or a full Wazuh version upgrade?

Thank you in advance for your time and support.

Best regards,
Robby

Bony V John

Jan 15, 2026, 12:03:50 AMJan 15
to Wazuh | Mailing List
Hi,

Apologies for the late response. Since you mentioned that the number of agents may grow in the future, your Wazuh servers may consume more CPU, RAM, and disk over time. To avoid running out of resources, I recommend monitoring server resource usage proactively.

You can monitor resource usage using Wazuh itself:

  • All-in-one deployment: Configure the Wazuh manager to enable server resource monitoring. Then create alerts when usage crosses a threshold (for example, 80%).

  • Distributed deployment: You need to install the Wazuh agent on the Indexer and Dashboard servers so that you can monitor resource usage on each node.

You can refer to the Wazuh Linux resource monitoring documentation for step-by-step guidance.

You can also configure notifications (email/Slack/etc.) so you get alerts when resource usage crosses the threshold. Refer to the Wazuh email alert documentation.

Regarding your second question: Wazuh does not automatically pull new rules and SCA policies from the repository unless you upgrade. New rules/policies typically come with the Wazuh version update. If you want the latest rules/policies, you should upgrade your deployment. 

You can refer to the Wazuh upgrade documentation for detailed step-by-step guidance.
