Wazuh Multi Tenancy inquiry


Max

Mar 16, 2026, 6:12:30 AM
to Wazuh | Mailing List
Hello everyone!

I wanted to ask if it's possible to achieve a use case where:

There are 2 users (user1 and user2)

Each one has their own dashboards and can only see their own data & dashboard and cannot see the others. (I.e. user1 is to user1 only, etc.)

Would using multi-tenancy and separate indices work for this context? And how scalable would this method be?

Since I would be adding in multiple users in the future and have their own data associated with these users only.

Also, for more context:

Doing this on Azure and possibly adding in SSO in the mix as well.


Max

Mar 16, 2026, 6:56:13 AM
to Wazuh | Mailing List
Also forgot to add:
Additional context: I am doing this via Kubernetes clusters.

Ayooluwa Paul Akindeko

Mar 17, 2026, 6:38:09 AM
to Wazuh | Mailing List

1. There is a documented approach in the Wazuh documentation where you can give a user permissions to read and manage a group of agents.
- Label agents by group using agent.labels.group in agent.conf (e.g., group: Team_A).
- Create an indexer role with document-level security (DLS) that filters on agent.labels.group.
  For example, a role for user1 would have a DLS query like {"match": {"agent.labels.group": "Team_A"}}.
  This means user1 can only see alerts/events from agents labeled Team_A, even though the underlying index contains everything.
- Create a server API policy scoped to agent:group:Team_A so the user can only manage/view those agents through the API as well.

2. For the dashboard multi-tenancy, this documentation is worth exploring: Enabling Multi-tenancy on Wazuh. Note that Private tenants give each user their own isolated set of dashboards, visualizations, and saved objects out of the box.

3. Wazuh supports SAML-based SSO, and there is a specific guide for Microsoft Entra ID with Wazuh. The flow is:

- Configure Entra ID as the SAML Identity Provider.
- Map Entra ID groups to Wazuh backend roles.
- Those backend roles map to the indexer roles (with DLS) and server roles described above.

Max

Mar 18, 2026, 3:59:51 PM
to Wazuh | Mailing List
Hi,

Thanks for the references!

But from what I understand, "Tenants" are contained dashboards that a user has to check on the list to see if they have access to a "Tenant".

So correct me if I'm wrong:

A user can't go into a "Tenant" they have access to and check that dashboard with agents and data tied to that tenant?

I'm curious how data is purposefully segregated between Tenants and how to make sure:
- User1 is tied to tenant1 and user2 is tied to tenant2
- Data1 can only be seen on tenant1 and Data2 can only be seen on tenant2

Would something like this work properly in the new updates? https://medium.com/@pukarlamichhane567/building-a-simple-multi-tenant-wazuh-architecture-and-the-hidden-problems-you-must-solve-3f86f2b7f926

Although it's just architecture and nothing truly implemented.

Any advice or help would be great!

Ayooluwa Paul Akindeko

Mar 27, 2026, 6:34:45 AM
to Wazuh | Mailing List
It seems you are conflating two different Wazuh concepts that mean different things: multi-tenancy, and document-level security (DLS).

A user in tenant1 and a user in tenant2 are both querying the same underlying wazuh-alerts-* index. The tenant only controls which saved dashboards and visualizations they see, not which alert documents they can access.
Data isolation is entirely the job of DLS on the indexer role.

  1. Tenants isolate dashboard objects and do not isolate data. When user1 enters tenant1, they see only tenant1's saved dashboards and visualizations. But the data those dashboards query is controlled separately.
  2. Data isolation comes from Document-Level Security (DLS). The indexer role assigned to user1 includes a DLS query like {"match": {"agent.labels.group": "Team_A"}}. No matter what tenant they're in or what query they run, they will only ever see documents matching that filter. This is all the documentation you need to understand and set up DLS in Wazuh: Creating and mapping internal users in Wazuh
  3. These two features combine to give the full picture:
    • User1 logs in => enters their assigned tenant (custom or private) => sees only their dashboards => those dashboards query wazuh-alerts-* => DLS on their role filters results to only Team_A data.
    • User2 logs in => enters their tenant => sees only their dashboards => DLS filters to only Team_B data.
  4. Separate indices are not needed. All data stays in the shared wazuh-alerts-* index. DLS handles the filtering without any index splitting, Filebeat reconfiguration, or pipeline customization.
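
The role/tenant split described in this reply and in the Mar 17 reply, written out as OpenSearch Security configuration for the Wazuh indexer. This is an added example, not a snippet from the thread or from the Wazuh documentation; the role names, tenant names, the `entra-team-a`/`entra-team-b` backend roles and the index patterns are assumptions.

```yaml
# Added example: roles.yml / tenants.yml / roles_mapping.yml for the Wazuh indexer.
# Assumed names: team_a_reader, team_b_reader, tenant1, tenant2, entra-team-a, entra-team-b.
# Prerequisite: Team_A agents carry <labels><label key="group">Team_A</label></labels>
# in agent.conf, so their alerts are indexed with agent.labels.group = "Team_A".

# roles.yml
_meta:
  type: "roles"
  config_version: 2

team_a_reader:
  reserved: false
  cluster_permissions:
    - "cluster_composite_ops_ro"
  index_permissions:
    - index_patterns: ["wazuh-alerts-*", "wazuh-archives-*"]
      # Data isolation: the indexer AND-s this filter onto every query the role
      # runs, whatever tenant the user is in or what they type into Discover.
      dls: '{"match": {"agent.labels.group": "Team_A"}}'
      allowed_actions: ["read"]
  tenant_permissions:
    # Dashboard isolation: saved objects live in the tenant, not in the index.
    - tenant_patterns: ["tenant1"]
      allowed_actions: ["kibana_all_write"]
# team_b_reader is identical except for dls Team_B and tenant_patterns tenant2.

---
# tenants.yml
_meta:
  type: "tenants"
  config_version: 2
tenant1: {reserved: false, description: "Team_A dashboards"}
tenant2: {reserved: false, description: "Team_B dashboards"}

---
# roles_mapping.yml (users also need the built-in kibana_user role, not shown)
_meta:
  type: "rolesmapping"
  config_version: 2
team_a_reader:
  reserved: false
  users: ["user1"]
  backend_roles: ["entra-team-a"]   # Entra ID group delivered in the SAML assertion
team_b_reader:
  reserved: false
  users: ["user2"]
  backend_roles: ["entra-team-b"]
```

With this in place, user1 and user2 both query the same wazuh-alerts-* index, but the indexer returns only Team_A documents to user1 and only Team_B documents to user2, while each user's saved dashboards stay inside their own tenant.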

Max

Mar 30, 2026, 3:53:57 AM
to Wazuh | Mailing List
So if for example I have user1 that would want the raw data logs from the Wazuh indexers, would they also get data from user2's devices being monitored by Wazuh?

Ayooluwa Paul Akindeko

Apr 1, 2026, 1:12:27 AM
to Wazuh | Mailing List

To answer, I need to clarify what raw text is, and which you might be referring to.
There are two places where log data exists:

1. On the Wazuh server filesystem (plain text files)

The Wazuh server stores logs as files on disk:

  • /var/ossec/logs/alerts/alerts.json : triggered alerts
  • /var/ossec/logs/archives/archives.json : all events (if archiving is enabled)

These are plain text/JSON files. DLS does not apply here; they're just files on your Linux filesystem. Anyone with SSH access and file permissions on the server can read them unfiltered. But dashboard users (user1, user2) don't have access to these files. These are only accessible to system administrators with shell access to the server.

2. In the Wazuh indexer

The same data gets forwarded to the indexer, where it's stored as indexed JSON documents in wazuh-alerts-*, wazuh-archives-*, etc. This is where DLS applies. When user1 or user2 opens the dashboard and goes to Discover to browse "raw" alert data, they're querying the indexer and not the raw text file. The indexer enforces the DLS filter before returning results.
You should read the Wazuh end-to-end architecture to see how data is cascaded from agent -> server -> disk -> Filebeat -> indexer -> dashboard.

Max

Apr 1, 2026, 1:42:17 AM
to Wazuh | Mailing List
Hi,

Thank you for your very detailed response and I seem to have gotten the gist of things now! :)

However, when it comes to, say, trying to back up this log data, be it the alerts or the raw data themselves, into a log sink (syslog server, NAS, etc.):

What are the current approaches that are built into Wazuh?

And my question still stands if the alerts from, let's say, devices under group User1 and User2 are in one log file.

Assuming all the events go to one indexer and manager.