Changing Wazuh GUI password

[Emar Flix]

Hi, 

I want to change the admin user password used to log in to the Wazuh Dashboard web interface.
The GUI shows: "Resource 'admin' is reserved" and does not allow changing it.

What is the recommended and safe way to update the admin password in a production cluster?

Thank you for attention.

[Md. Nazmur Sakib]

Hi Emar,



To change the admin password that you use for login to the GUI. Run this command on your indexer server

Open a terminal on your Wazuh indexer server and run this command.

bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -u admin -p Secr3tP4ssw*rd

Replace the Secr3tP4ssw*rd with your password.

The password must have a length between 8 and 64 characters and contain at least one upper case letter, one lower case letter, a number and one of the following symbols: .*+?-.

Ref: Password management
If you use the tool in an all-in-one deployment, it automatically updates the passwords where necessary. If you use it in a distributed environment, you may have to update the password on other components.

For admin users, you just need to update the password in the filebeat and Wazuh manager’s keystore.

Open a terminal on the Wazuh manager keystore and run this command.

echo <ADMIN_PASSWORD> | filebeat keystore add password --stdin --force

echo '<ADMIN_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password

Restart Filebeat to apply the changes.

systemctl restart filebeat

See Changing the passwords in a distributed environment for more details.

Let me know if this works for you or if you need any further help with this.

[Md. Nazmur Sakib]

Also, I would like to mention that the indexer admin user's password cannot be changed from the GUI; you need to use the command line on the server.

[Emar Flix]

Thank you for your answer Nazmur. My deployment type is clustered deployment. there is 3 indexer,  1 dashboard and 3 manager server. I shold do this in every components or just one of them. And aslo how can I create new user in this architecture?

Md. Nazmur Sakib yazdı, 2 mart 2026, bazar ertəsi, 11:44:44 UTC+4:

[Md. Nazmur Sakib]

You only need to run this on one of your indexer servers to chnage the password.

bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -u admin -p Secr3tP4ssw*rd

But you need to update the password keystore in all of your Wazuh manager nodes.

echo <ADMIN_PASSWORD> | filebeat keystore add password --stdin --force

echo '<ADMIN_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password

Restart Filebeat to apply the changes.

systemctl restart filebeat

See Changing the passwords in a distributed environment for more details.

[Emar Flix]

Thank you for your answer, Mr. Nazmur.
You know I have two cluster and between them there is CCR (PR and DR). I did it both of them and they actualy works normal. but to be sure Idelete autofollow rules and stop replication for todays indexes. But now my DR inexer can't get logs form manager. I faced this error:  illegal_state_exception: Expected valid sequence number for replicate op but was unassigned (status=500)

is it related with password changing or anythink else?  

Md. Nazmur Sakib yazdı, 2 mart 2026, bazar ertəsi, 15:35:32 UTC+4:

[Md. Nazmur Sakib]

Run this command on the Wazuh Manager nodes to check if Filebeat can communicate with theDR inexer.


filebeat test output

Filebeat is responsible for forwarding the logs from the manager to the indexer.


If you do not get any error in the previous response. That means the filebeat is able to communicate with the indexer with your new passwords, and the issue is not related to the password.

The log you have refers to a shard (either primary or replica) that is in an unassigned state and cannot be allocated to a node.

This is not related to the password change.