How to create a read-only user for the API


Facu Basgall

Jun 1, 2026, 11:11:50 AM
to Wazuh | Mailing List

Hi, 

I would like to create a user to use the indexer API for, amongst other things, querying events.

I understand that this cannot be done with the manager API, but it is possible to create a cURL like the following:

curl -u wazuh-wui:wazuh-wui -k -X GET "https://IP_WAZUH:55000/wazuh-alerts-*/_search" -H "Content-Type: application/json" -d '
{
  "size": 20,
  "sort": [
    {
      "timestamp": {
        "order": "desc"
      }
    }
  ],
  "_source": [
    "timestamp",
    "agent.id",
    "agent.name",
    "rule.id",
    "rule.level",
    "rule.description",
    "decoder.name",
    "location",
    "full_log"
  ],
  "query": {
    "match_all": {}
  }
}'

Could you help me create a user with read-only permissions to use the API?

I understand that this would be similar to the wazuh-wui user but with read-only access, meaning it would not allow any changes to be made to Wazuh.


Thank you


Anthony Faruna

Jun 1, 2026, 2:15:06 PM
to Wazuh | Mailing List
Yes, it is possible to create an API user with read-only access. You can refer to the Wazuh documentation on creating a read-only user, which provides end-to-end steps for this setup. This process allows you to create a user with read-only access to both the Wazuh Manager API and the Indexer API.

I have tested this on my end by following the documentation and confirmed that the user has read access but no write permissions. I have also attached screenshots of the indexer and manager roles for your reference.

Overview of the steps:
  • Create an internal user in the Wazuh Dashboard
  • Create a new role with read-only permissions for cluster, index, and tenant access, and map the user to this role
    • This allows the user to view alerts, vulnerabilities, IT hygiene data, and dashboards
  • Create a role mapping in Wazuh to associate the user with a readonly role
    • This grants read-only access to the Wazuh Manager API (e.g., decoders, rules, agent details)
  • Ensure that run_as is set to true in the Wazuh configuration, then restart the dashboard

Please let me know if you have any questions or need further assistance.
image (4).png
image (3).png
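
A way to check the outcome of the role-creation step listed above, as an added example that is not part of the thread or of the Wazuh documentation: it takes a role definition in the shape used by the OpenSearch security plugin that the Wazuh indexer builds on (`cluster_permissions`, `index_permissions`, `tenant_permissions`) and reports every grant that is not on a read-only allow-list. The allow-list contents and both sample roles are constructed for illustration.

```python
import fnmatch

# Allow-list of action groups / raw permissions treated as read-only.
# Anything not listed is reported for review (assumption of this example).
READ_ONLY_CLUSTER = {"cluster_composite_ops_ro"}
READ_ONLY_INDEX = {"read", "search", "get"}
READ_ONLY_INDEX_PATTERNS = ("indices:data/read/*",)
READ_ONLY_TENANT = {"kibana_all_read"}


def _is_read_only_index_action(action):
    if action in READ_ONLY_INDEX:
        return True
    return any(fnmatch.fnmatchcase(action, p) for p in READ_ONLY_INDEX_PATTERNS)


def audit_role(role):
    """Return a list of findings; an empty list means every grant is allow-listed."""
    findings = []
    for action in role.get("cluster_permissions", []):
        if action not in READ_ONLY_CLUSTER:
            findings.append(f"cluster: {action}")
    for grant in role.get("index_permissions", []):
        patterns = ",".join(grant.get("index_patterns", []))
        for action in grant.get("allowed_actions", []):
            if not _is_read_only_index_action(action):
                findings.append(f"index[{patterns}]: {action}")
    for grant in role.get("tenant_permissions", []):
        tenants = ",".join(grant.get("tenant_patterns", []))
        for action in grant.get("allowed_actions", []):
            if action not in READ_ONLY_TENANT:
                findings.append(f"tenant[{tenants}]: {action}")
    return findings


# Constructed sample roles (not taken from the thread).
READ_ONLY_ROLE = {
    "cluster_permissions": ["cluster_composite_ops_ro"],
    "index_permissions": [{"index_patterns": ["wazuh-alerts-*"], "allowed_actions": ["read"]}],
    "tenant_permissions": [{"tenant_patterns": ["global_tenant"], "allowed_actions": ["kibana_all_read"]}],
}
OVERBROAD_ROLE = {
    "cluster_permissions": ["cluster_composite_ops_ro", "cluster_all"],
    "index_permissions": [{"index_patterns": ["*"], "allowed_actions": ["read", "indices:data/write/index"]}],
    "tenant_permissions": [{"tenant_patterns": ["global_tenant"], "allowed_actions": ["kibana_all_write"]}],
}

if __name__ == "__main__":
    for name, role in (("read_only", READ_ONLY_ROLE), ("overbroad", OVERBROAD_ROLE)):
        print(name, audit_role(role) or "OK")
```

Because the check is an allow-list, an action group it does not recognise is reported rather than silently accepted, so a custom read-only group has to be added to the sets explicitly.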

Facu Basgall

Jun 1, 2026, 2:51:18 PM
to Wazuh | Mailing List

OK, I’ve managed to follow those steps.

But is that enough to be able to use the API?

Is there any documentation on how to query events via the API?

From what I’ve read and understood, I can’t do that with this documentation: https://documentation.wazuh.com/current/user-manual/api/reference.html 

Anthony Faruna

Jun 1, 2026, 7:39:19 PM
to Wazuh | Mailing List
Hello Facu,

Please can you confirm that you tried to use the WazuhAPI user you created following the steps, and that it was not working as expected?

You can see practical use cases of the Wazuh server API at https://documentation.wazuh.com/current/user-manual/api/use-cases.html

Also, you can see practical use cases of the Wazuh indexer API at https://documentation.wazuh.com/current/user-manual/indexer-api/use-case.html

Regards