The Wazuh indexer is a highly scalable, full-text search and analytics engine. This central component indexes and stores alerts generated by the Wazuh server.
The Wazuh server analyzes data received from the agents. It processes it through decoders and rules, using threat intelligence to look for well-known indicators of compromise (IOCs). A single server can analyze data from hundreds or thousands of agents, and scale horizontally when set up as a cluster. This central component is also used to manage the agents, configuring and upgrading them remotely when necessary.
The Wazuh dashboard is the web user interface for data visualization and analysis. It includes out-of-the-box dashboards for threat hunting, regulatory compliance (e.g., PCI DSS, GDPR, CIS, HIPAA, NIST 800-53), detected vulnerable applications, file integrity monitoring data, configuration assessment results, cloud infrastructure monitoring events, and others. It is also used to manage Wazuh configuration and to monitor its status.
As mentioned, depending on the amount of data you will receive and the number of agents, you can install a single Wazuh manager node (Master/Worker), or you can install the Wazuh server in cluster mode, which allows you to manage a large number of Wazuh agents more efficiently and ensures high availability.
There are two types of nodes in the Wazuh server cluster, the master node and the worker node; please read the Wazuh documentation for details.
The Wazuh server cluster is managed by the wazuh-clusterd daemon, which communicates with all the nodes following a master-worker architecture. Refer to "How the Wazuh server cluster works" for more information.
Wazuh Ref Documents:
https://documentation.wazuh.com/current/getting-started/architecture.html
https://documentation.wazuh.com/current/getting-started/components/index.html
https://documentation.wazuh.com/current/user-manual/manager/wazuh-server-cluster.html
Regards,
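As an added example (not part of the reply above and not a file from the Wazuh project), this is what the `<cluster>` block in `/var/ossec/etc/ossec.conf` looks like on a master node and on one worker node of the cluster described above. The node names, the master address `10.0.0.10` and the key value are placeholders chosen for this example; the `<cluster>` element itself and its child elements are the ones the Wazuh cluster configuration uses.

```xml
<!-- Master node: /var/ossec/etc/ossec.conf (only the cluster block is shown;
     the rest of the file is unchanged) -->
<cluster>
  <name>wazuh</name>
  <!-- node_name must be unique across the cluster -->
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <!-- Shared secret, 32 hex characters, identical on every node.
       Generate once with: openssl rand -hex 16
       The value below is an example placeholder; never reuse it. -->
  <key>0123456789abcdef0123456789abcdef</key>
  <!-- wazuh-clusterd listens here on the master; workers connect to it -->
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <!-- address of the master node (placeholder) -->
    <node>10.0.0.10</node>
  </nodes>
  <!-- set to yes to hide the node name in generated alerts -->
  <hidden>no</hidden>
  <!-- must be "no" on every node for the cluster to start -->
  <disabled>no</disabled>
</cluster>

<!-- Worker node: /var/ossec/etc/ossec.conf -->
<cluster>
  <name>wazuh</name>
  <!-- different from the master's node_name -->
  <node_name>worker-node-01</node_name>
  <node_type>worker</node_type>
  <!-- same key as on the master -->
  <key>0123456789abcdef0123456789abcdef</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <!-- workers point at the master, not at each other -->
    <node>10.0.0.10</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```

The `<key>` is the only thing that authenticates a node to the cluster, so treat it like any other shared secret: generate it on one machine, copy it to the other nodes over a trusted channel, and keep it out of version control. TCP port 1516 has to be reachable from every worker to the master. After editing the file on each node, restart the service with `systemctl restart wazuh-manager` and confirm the nodes see each other with `/var/ossec/bin/cluster_control -l` on the master; a worker that is missing from that list almost always has a mismatched `<name>` or `<key>`, or cannot reach port 1516.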