learn about indexer and dashboard


Klein Mee

Sep 15, 2023, 2:08:29 AM
to Wazuh | Mailing List
Hi,
I want to know more about how the indexer and dashboard work in Wazuh. Currently, I know that the server sends logs and other info to the indexer through Filebeat and the API, and I want to know the detailed working mechanism of the indexer and dashboard. Where can I find the part of the source code that implements receiving the logs and visualizing them?

Stuti Gupta

Sep 15, 2023, 3:02:05 AM
to Wazuh | Mailing List

Hi Klein Mee, hope you are doing well today, and thank you for using Wazuh.

The Wazuh indexer is a highly scalable, full-text search and analytics engine. It stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. The Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. The Wazuh indexer uses the Elasticsearch search engine to store and index data. Elasticsearch is a distributed search and analytics engine that is built on top of Apache Lucene. Elasticsearch is known for its speed, scalability, and ease of use. The manager uses Filebeat to collect logs from agents and forward them to the indexer.
https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html

The Wazuh dashboard is a web-based interface that provides a graphical representation of security events and allows users to visualize the data stored in the indexer using Kibana. The dashboard is served by a web server (typically Nginx or Apache) that is configured to interact with the indexer database. The Wazuh dashboard provides a variety of features, including: real-time monitoring of alerts and events, historical analysis of data, customizable dashboards and reports, and integration with other security tools.
https://documentation.wazuh.com/current/getting-started/components/wazuh-dashboard.html

Here is a more detailed overview of the working mechanism of the Wazuh indexer and dashboard: https://documentation.wazuh.com/current/getting-started/architecture.html

  1. The Wazuh server generates alerts and events based on the security rules that it is configured with.
  2. Filebeat collects the alerts and events from the Wazuh server and sends them to the Wazuh indexer over HTTPS.
  3. The Wazuh indexer indexes the alerts and events so that they can be searched and analyzed quickly and efficiently.
  4. The Wazuh indexer also stores the alerts and events in a persistent store so that they can be recovered in the event of a failure.
  5. The Wazuh dashboard queries the Wazuh indexer to retrieve the latest alerts and events.
  6. The Wazuh dashboard displays the alerts and events in a variety of visualizations, such as charts, graphs, and tables.
  7. Users can interact with the visualizations to filter and sort the data, and to drill down into specific events.
You can find the source code that implements the receiving of logs and visualizing them in the Wazuh GitHub repositories. The indexer source code is located at https://github.com/wazuh/wazuh-indexer, and the dashboard source code is located at https://github.com/wazuh/wazuh-dashboard. The relevant code is located in the following directories:
wazuh-indexer/src
wazuh-dashboard/src
The source code is licensed under the Apache License 2.0.

I hope this information is helpful. Please let me know if you have any other questions.
Regards,
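The answer above describes the dashboard's side of the pipeline as "query the indexer, then render the hits" (steps 5 to 7). The following script, added here as an illustration and not code from the thread or from the Wazuh project, shows what such a query looks like in practice: it builds a search-DSL body for recent alerts at or above a rule level, sends it to the indexer's `_search` endpoint over HTTPS with certificate verification, and reduces the response to the rows and per-rule counts a dashboard table or bar chart would display. The indexer URL, the `wazuh-alerts-4.x-*` index pattern, the CA path, the user name and the sample response are assumptions for the example, not values taken from the thread.

```python
"""Added example (not Wazuh project code): query the Wazuh indexer the way the
dashboard does, over HTTPS, and summarise the returned alerts.

Assumptions (not from the thread): the indexer listens on https://127.0.0.1:9200,
alert documents live in indices matching wazuh-alerts-4.x-*, a read-only user
exists, and the indexer's root CA is available at the path below.
"""
import base64
import json
import ssl
import urllib.request

INDEXER_URL = "https://127.0.0.1:9200"            # assumption: local single node
ALERTS_INDEX = "wazuh-alerts-4.x-*"                # assumption: default pattern
ROOT_CA = "/etc/wazuh-indexer/certs/root-ca.pem"   # assumption: CA that signed the node cert


def build_query(min_level: int, last: str = "now-15m", size: int = 100) -> dict:
    """Search-DSL body: alerts with rule.level >= min_level inside the time window,
    newest first, plus a per-rule.id count (what a 'top rules' chart asks for)."""
    return {
        "size": size,
        "sort": [{"timestamp": {"order": "desc"}}],
        "query": {
            "bool": {
                "filter": [
                    {"range": {"rule.level": {"gte": min_level}}},
                    {"range": {"timestamp": {"gte": last, "lte": "now"}}},
                ]
            }
        },
        "aggs": {"by_rule": {"terms": {"field": "rule.id", "size": 10}}},
    }


def search_alerts(user: str, password: str, body: dict,
                  url: str = INDEXER_URL, index: str = ALERTS_INDEX, ca: str = ROOT_CA) -> dict:
    """POST the query to <index>/_search with HTTP basic auth.
    The TLS context pins trust to the indexer CA and keeps CERT_REQUIRED;
    do not disable verification to work around certificate errors."""
    ctx = ssl.create_default_context(cafile=ca)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{url}/{index}/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def summarize(response: dict) -> dict:
    """Reduce a _search response to the fields a dashboard table/chart shows:
    total hit count, one row per alert, and per-rule counts from the aggregation."""
    rows = [
        {
            "timestamp": h["_source"]["timestamp"],
            "agent": h["_source"]["agent"]["name"],
            "rule_id": h["_source"]["rule"]["id"],
            "level": h["_source"]["rule"]["level"],
            "description": h["_source"]["rule"]["description"],
        }
        for h in response["hits"]["hits"]
    ]
    buckets = response.get("aggregations", {}).get("by_rule", {}).get("buckets", [])
    return {
        "total": response["hits"]["total"]["value"],
        "rows": rows,
        "by_rule": {b["key"]: b["doc_count"] for b in buckets},
    }


# Constructed sample _search reply (two alert documents) so the example runs offline.
SAMPLE_RESPONSE = {
    "hits": {
        "total": {"value": 2, "relation": "eq"},
        "hits": [
            {"_index": "wazuh-alerts-4.x-2023.09.15", "_id": "a1", "_source": {
                "timestamp": "2023-09-15T01:59:10.000+0000",
                "agent": {"id": "001", "name": "web-01"},
                "rule": {"id": "5712", "level": 10,
                         "description": "sshd: brute force trying to get access to the system."}}},
            {"_index": "wazuh-alerts-4.x-2023.09.15", "_id": "a2", "_source": {
                "timestamp": "2023-09-15T01:58:03.000+0000",
                "agent": {"id": "002", "name": "db-01"},
                "rule": {"id": "550", "level": 7,
                         "description": "Integrity checksum changed."}}},
        ],
    },
    "aggregations": {"by_rule": {"buckets": [
        {"key": "5712", "doc_count": 1}, {"key": "550", "doc_count": 1}]}},
}

if __name__ == "__main__":
    print(json.dumps(build_query(7), indent=2))          # the body a dashboard panel would send
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))  # what it would render
    # Live use (requires the assumed indexer, user and CA):
    # print(summarize(search_alerts("reader", "secret", build_query(7))))
```

The two pieces that matter for a practitioner are the `filter` clauses (they are the equivalent of the time picker and level filter in the UI, and they do not affect scoring, which is why `sort` on `timestamp` is needed) and the TLS context: the dashboard reaches the indexer over HTTPS, and a script that talks to the same port should verify the node certificate against the indexer CA rather than turn verification off.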