change the IP address on the server

[A Bobrov]

Good day.
We need to change the IP address on the server.
Changing the IP address on the main network card is enough. Do I need to change anything in the wazuh settings?

[A Bobrov]

catch up
We will change the address at the agents

среда, 6 мая 2026 г. в 10:23:03 UTC+3, A Bobrov:

[Nikhil Gurjar]

Hi Bobrov,

Indeed, if you’re going to change the IP of these nodes, you’ll need to generate new certificates that point to the new LAN IPs and update the configuration of inter-communicating Wazuh components. I recommend that you take snapshots of your nodes before doing this.

I would suggest proceeding like this:

• On any one of your nodes, perform the actions in the first section of this documentation to generate new certificates for the new IPs:
  
  Stop before the section to install Wazuh Indexer. This will give you a wazuh-certificates.tar file. Copy the file to all your nodes. Your Wazuh components can remain running while you do this

• If you are changing the IP address of the indexer node or using an All-in-One deployment, on each of your indexer nodes, edit the configuration file /etc/wazuh-indexer/opensearch.yml and change the network.host (first line) to the new IP for that node. If you have several indexers, you’ll need to update their IPs in the lines below too. Save the file, but do not yet restart the indexer

• On each manager node, edit /etc/filebeat/filebeat.yml. In the “hosts” line, update the IP(s) that point to the indexer cluster nodes and save. You can, at this point, stop each of the filebeat instances with: systemctl stop filebeat This will stop indexation, which will later make it safe for us to turn off the indexers

• In the node where you have the dashboard, edit /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml. Near the end of the file, update the URL if necessary. Then edit /etc/wazuh-dashboard/opensearch_dashboards.yml and update the opensearch.hosts line to point at the new node. If you had previously changed server.host to anything other than 0.0.0.0, it will need to be updated too

• At this point, we should stop each of the indexers with: systemctl stop wazuh-indexer as we will start updating the certificates. For each indexer, backup the current certificates by moving them to a subdirectory: mkdir /etc/wazuh-indexer/certs/backup mv /etc/wazuh-indexer/certs/*.pem /etc/wazuh-indexer/certs/backup

  Then install the new certificates by following this section of the documentation:
  
  Note that when setting up the environment variable with the node names, this refers to the names you’ve used in the config.yml configuration file when generating the certificates, refer attach image below:
  

• With this, the certificates are copied and have the correct permissions. Ensure that the certificate file names match those of the old ones. Otherwise, we’ll need either to rename them or to change the name with what they appear in the indexer configuration at /etc/wazuh-indexer/opensearch.yml

• Similarly, on each manager node, move the certificates that are at /etc/filebeat/certs to a subdirectory and install the new certificates following this documentation:
  
  Then verify the names again or update /etc/filebeat/filebeat.yml

• The process is quite the same for the dashboard. As we haven’t stopped the service yet, let’s do that first: systemctl stop wazuh-dashboard Then follow the documentation to update the certificates:

  
  And verify their names

• We’re done with configuration and certificates. It’s time to shut down the managers, which we’ve left running to allow for log processing during the procedure: systemctl stop wazuh-manager

  
  

• With all the components stopped, you can proceed to physically switch IPs for your nodes. Check that the new ones are up and then bring up the services starting with the manager: systemctl start wazuh-manager systemctl start wazuh-indexer systemctl start filebeat systemctl start wazuh-dashboard

Once all configurations have been updated and all components are communicating correctly with each other, you can proceed with updating the manager address on the Wazuh agents.

Hope this information is helpful for you. Please let us know if you've further queries or questions here. Best regards, Nikhil

[A Bobrov]

Dear Nikhil, thank you for such detailed information, examples, and tips.
We have an All-in-One deployment system. It would probably be easier for us to reinstall the entire system. Hence the question: we're stopping all wazuh services.
How can we safely uninstall wazuh after stopping it, so we can start a new, clean installation using Quickstart?
Thanks again, Nikhil!

среда, 6 мая 2026 г. в 11:01:52 UTC+3, Nikhil Gurjar:

[Nikhil Gurjar]

Hi Bobrov,

It is not recommended to uninstall and reinstall the entire Wazuh environment solely to change the IP address, especially in a production environment, as this might result in the loss of existing configurations, log data, integrations, and other custom settings. Updating the existing configuration is generally the safer and more efficient approach.

You may proceed with the previously shared steps to update the IP address across the required Wazuh components.

However, if you still prefer to perform a clean reinstallation, please refer to the official Wazuh documentation for the complete uninstallation procedure: https://documentation.wazuh.com/current/installation-guide/uninstalling-wazuh/central-components.html 

After completing the uninstallation steps, please also manually verify and remove any remaining directories if needed, such as:

• /var/ossec/
• /var/lib/wazuh-*
• /etc/wazuh-*
  
  

Hope this information is helpful for you. Please let us know if you've further queries or questions here. Best regards, Nikhil

[A Bobrov]

Yeah, thanks!!!
And one more related question. Could you tell me where the client file is located, which is filled out as wazuh agents contact me from their workstations?
Thanks, Nikhil!!!

среда, 6 мая 2026 г. в 11:44:45 UTC+3, Nikhil Gurjar:

[A Bobrov]

Deploying certificates
https://documentation.wazuh.com/current/installation-guide/wazuh-dashboard/step-by-step.html#deploying-certificates

Note: Make sure a copy of the wazuh-certificates.tar file created during the initial setup is in your working directory.
=========================
So, for the new address, I'm using the previously created certificate set?

среда, 6 мая 2026 г. в 12:00:46 UTC+3, A Bobrov:

[A Bobrov]

+ 

all settings are located on one server, and the default server address 127.0.0.1 is specified in the configuration files.

cat /etc/wazuh-indexer/opensearch.yml
network.host: "127.0.0.1"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
cluster.name: "wazuh-cluster"

cat /etc/filebeat/filebeat.yml
# Wazuh - Filebeat configuration file
output.elasticsearch.hosts:
- 127.0.0.1:9200
# - <elasticsearch_ip_node_2>:9200
# - <elasticsearch_ip_node_3>:9200

output.elasticsearch:

cat /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

hosts:
- default:
URL: https://127.0.0.1
port: 55000
username: wazuh-wui
password: "##########"
run_as: false

A copy of the wazuh-certificates.tar file was created during the initial setup and is located in the working directory.

ls
indexer.log output.log wazuh-install-files.tar wazuh-install.sh

So, can I use a previously created set of certificates for the new address?
And how can I access the wazuh web console later?
Will the wazuh web console be able to connect after changing the network card address, or does this change for the web somewhere else?
Thanks!!!

среда, 6 мая 2026 г. в 13:07:28 UTC+3, A Bobrov:

[Nikhil Gurjar]

Hi Bobrov,
I apologize for the delayed response. Let me address your queries in detail.

And one more related question. Could you tell me where the client file is located, which is filled out as wazuh agents contact me from their workstations?

The client.keys file is located under the following directory: /var/ossec/etc/. This file contains the agent registration information and can be used to identify the workstations connected to your current Wazuh server.

So, for the new address, I'm using the previously created certificate set?

If you are deploying a completely new environment, it is not recommended to reuse the old certificates. Instead, you should generate a new certificate set using the actual IP address or hostname of the new server. You can follow the certificate generation steps from the official Wazuh documentation below:  https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/installation-assistant.html#initial-configuration 


And similarly update the IP value inside the configuration files as reference below:

1. Edit the Wazuh indexer configuration file at /etc/wazuh-indexer/opensearch.yml to specify the Wazuh indexer IP address and NODE_NAME as mentioned in config.yml file:
network.host: "<WAZUH_INDEXER_IP>" node.name: "<WAZUH_INDEXER_NODE_NAME>" cluster.initial_master_nodes: - "<WAZUH_INDEXER_NODE_NAME>"

2. Edit the Filebeat configuration file /etc/filebeat/filebeat.yml to specify the Wazuh indexer's IP address: 
output.elasticsearchhosts: - <WAZUH_INDEXER_IP>:9200
3. Edit the configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml to include connection details for the Wazuh indexer node:
opensearch.hosts: https://<WAZUH_INDEXER_IP>:9200
4. Edit the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file and replace the url value with the IP address or hostname of the Wazuh server master node:
hosts: - default: url: https://<EXISTING_WAZUH_SERVER_IP> port: 55000 username: wazuh-wui password: <WAZUH-WUI-PASSWORD> run_as: false
5. Edit /var/ossec/etc/ossec.conf to configure the indexer connection.
<indexer>
  <enabled>yes</enabled>
   <hosts>    <host>https://<YOUR_SERVER_IP>:9200</host>    </hosts>

Once the changes are done restart the each component individually.  Also you can reference the step by step documentation steps for the configuration reference: https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html 

Hope it helps you. Please feel free to let us know if you've further queries or questions here.

Best regards,
Nikhil

[A Bobrov]

Dear Nikhil, good afternoon!!!
Thank you again for your attention and your responses. I'll set up a test circuit and test the adjustable settings there, and then I'll try to redo everything on the production circuit. I'll rely on your invaluable advice, experience, and the links you kindly provided.
THANK YOU, Nikhil.

четверг, 7 мая 2026 г. в 09:38:46 UTC+3, Nikhil Gurjar:

[A Bobrov]

1.
installation has started
07/05/2026 11:47:09 INFO: Generating Filebeat certificates.
07/05/2026 11:47:09 INFO: Generating Wazuh dashboard certificates.
05/07/2026 11:47:10 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
07/05/2026 11:47:10 INFO: --- Wazuh indexer ---
07/05/2026 11:47:10 INFO: Starting Wazuh indexer installation.


2.
The certificate file
wazuh-install-files.tar has been created

3.
Next, I set the IP address in the configuration files
/etc/wazuh-indexer/opensearch.yml
/etc/filebeat/filebeat.yml
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
I start sequentially

systemctl start wazuh-manager
systemctl start wazuh-indexer
systemctl start filebeat
systemctl start wazuh-dashboard

===================================
Now change the IP
1.
Stop services
systemctl stop wazuh-manager
systemctl stop wazuh-indexer
systemctl stop filebeat
systemctl stop wazuh-dashboard

2.

So, can I use a previously created set of certificates for the new address?

Although I have your link
https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html#deploying-certificates

Generating the SSL certificates
Download the wazuh-certs-tool.sh script and the config.yml configuration file. This creates the certificates that encrypt communications between the Wazuh central components.


curl -sO https://packages.wazuh.com/4.14/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.14/config.yml

Is this it? :) :) :)

четверг, 7 мая 2026 г. в 11:19:18 UTC+3, A Bobrov:

[A Bobrov]

Change new IP address in the configuration files

/etc/wazuh-indexer/opensearch.yml
/etc/filebeat/filebeat.yml
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
I start sequentially
systemctl start wazuh-manager
systemctl start wazuh-indexer
systemctl start filebeat
systemctl start wazuh-dashboard

четверг, 7 мая 2026 г. в 12:01:15 UTC+3, A Bobrov:

[Nikhil Gurjar]

Hi  Bobrov

Yes, your configuration looks correct. After starting the services, please validate the status of each component using: systemctl status <component_name> (for example: systemctl status wazuh-indexer). Also verify Filebeat communication with the Indexer using: filebeat test output

Once all services are confirmed to be in an active (running) state and Filebeat communication is successful, verify that the Wazuh dashboard is accessible using the new IP address.

Best regards,