Wazuh Environment Planning


Tejo Sai

Mar 27, 2025, 7:14:57 AM
to Wazuh | Mailing List
Hello, 

I want to deploy a Wazuh environment, which is a test environment, and integrate Office 365. What's the step-by-step process to be configured to deploy an efficient environment, like install > start cluster > configure index lifecycle management? Please clarify my doubt about this and also give best practices for an error-free deployment. Also, I want to store logs for 180 days. Now in the first test deployment I am only able to see logs for 2 days... this mistake shouldn't be repeated by me. Kindly guide me to deploy an efficient Wazuh environment with no errors.

Hernan Matias Villan

Mar 28, 2025, 12:24:53 PM
to Wazuh | Mailing List
Hello, Tejo

The recommended way to deploy Wazuh without issues is to follow the guide outlined in the official documentation: wazuh/external-devel-requests#5425. Particularly the Assisted installation method: https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/installation-assistant.html#installing-the-wazuh-indexer-using-the-assisted-installation-method.
Once your Wazuh environment is up and running, you can use the following documentation to set up your Office 365 integration: https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/installation-assistant.html#installing-the-wazuh-indexer-using-the-assisted-installation-method.
Wazuh does not have a data retention policy set by default, so it's highly recommended that you define your own. You can use the following documentation for setting it for your indexer: https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/index-lifecycle-management.html (this is how far back you can see the alerts in your interface). Without this, the alerts will be stored indefinitely.

Tejo Sai

Mar 29, 2025, 12:27:25 AM
to Wazuh | Mailing List
Thanks Hernan for responding,

The procedure I will follow is: deploy the Wazuh indexer, server and dashboard, then enable the wazuh-archives* indices, and then set the index lifecycle management policy.

Help me out with how to enable the Wazuh archives indices and set the index lifecycle management policy to 180 days.

Regards,
Tejo Sai

Tejo Sai

Mar 29, 2025, 2:45:43 AM
to Wazuh | Mailing List
Hello Hernan,

I am getting the following error when trying to log in to the Wazuh dashboard.

Screenshot 2025-03-29 121515.png

Tejo Sai

Mar 29, 2025, 3:53:41 AM
to Wazuh | Mailing List
Hello, 

I also checked for the existing indices using the dev tools; there I am not able to find wazuh-alerts-* and wazuh-archives-*. I attached the screenshot below.

2025-03-29_13h21_31.png

Hernan Matias Villan

Apr 10, 2025, 3:18:22 PM
to Wazuh | Mailing List
Hello, Tejo

If the indexes have not been created, it could be an issue with Filebeat not forwarding the alerts correctly to the Indexer. How was this environment deployed? Did you use the assisted installation or the step-by-step one? (https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/index.html).

Please verify that Filebeat's Wazuh module has been properly installed (only do this if no custom configuration has been set on the module; otherwise please make a backup of your settings before executing this):

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module

Restart Filebeat:

systemctl restart filebeat

And execute a test to see if it's able to properly connect to the Indexer by executing:

filebeat test output

You should see something like this:

[root@manager01 x]# filebeat test output
elasticsearch: https://192.168.0.164:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.0.164
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2

This will help us narrow down where the issue might be happening.
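An added example that is not part of this thread or of the Wazuh project: a bash script that ties together the two open points above, Tejo's request to enable the wazuh-archives-* indices with a 180-day lifecycle policy, and Hernan's Filebeat-to-indexer checks. Its assumptions are hypothetical: an all-in-one host where the indexer listens at INDEXER_URL, the Filebeat root CA lives at /etc/filebeat/certs/root-ca.pem, the policy is called wazuh-retention, and the request bodies follow the OpenSearch ISM API that the Wazuh indexer exposes (PUT _plugins/_ism/policies and POST _plugins/_ism/add). The sample report and index listing used in the functions' comments are constructed, not captured.

```shell
#!/usr/bin/env bash
# Added example for the thread above; not code from the Wazuh project.
# Hypothetical environment: indexer at $INDEXER_URL, Filebeat's copy of the
# root CA at $INDEXER_CA, admin credentials in $INDEXER_USER / $INDEXER_PASS.
INDEXER_URL="${INDEXER_URL:-https://127.0.0.1:9200}"
INDEXER_CA="${INDEXER_CA:-/etc/filebeat/certs/root-ca.pem}"
INDEXER_USER="${INDEXER_USER:-admin}"

# 1) The manager only writes archives.json when <logall_json> is "yes" in
#    /var/ossec/etc/ossec.conf. Rewrites an existing "no" tag; input on stdin.
#    (It does not add the tag when it is missing from the file.)
enable_archives_ossec_conf() {
  sed 's#<logall_json>no</logall_json>#<logall_json>yes</logall_json>#'
}

# 2) Filebeat only ships archives when the "archives:" block of the wazuh
#    module in /etc/filebeat/filebeat.yml says enabled: true. Input on stdin.
enable_archives_filebeat_yml() {
  awk '
    /^[ \t]*archives:/ { in_archives = 1 }
    in_archives && /enabled:/ { sub(/enabled:[ \t]*false/, "enabled: true"); in_archives = 0 }
    { print }
  '
}

# 3) Read the report printed by `filebeat test output` (stdin) and succeed
#    only when no step reports ERROR and the final "talk to server" step is OK.
filebeat_report_ok() {
  local report
  report="$(cat)"
  if printf '%s\n' "$report" | grep -q 'ERROR'; then
    return 1
  fi
  printf '%s\n' "$report" | grep -q 'talk to server\.\.\. OK'
}

# 4) Count the Wazuh daily indices in `_cat/indices` output (stdin), e.g.
#    "green open wazuh-alerts-4.x-2025.03.29 ... ". Zero means Filebeat has
#    never written to the indexer, which is the situation in the thread.
count_wazuh_indices() {
  grep -cE '^[a-z]+[ \t]+open[ \t]+wazuh-(alerts|archives)-' || true
}

# 5) ISM policy that deletes wazuh-alerts-* / wazuh-archives-* indices once
#    they are $1 days old. State and policy names are our own choice.
ism_policy_json() {
  local days="$1"
  cat <<EOF
{
  "policy": {
    "description": "Delete Wazuh indices older than ${days} days",
    "default_state": "hot",
    "states": [
      {
        "name": "hot",
        "actions": [],
        "transitions": [
          { "state_name": "delete", "conditions": { "min_index_age": "${days}d" } }
        ]
      },
      { "name": "delete", "actions": [ { "delete": {} } ], "transitions": [] }
    ],
    "ism_template": [
      { "index_patterns": ["wazuh-alerts-*", "wazuh-archives-*"], "priority": 100 }
    ]
  }
}
EOF
}

# 6) End to end: confirm the Filebeat -> indexer path works and indices exist,
#    then register the policy. ism_template only binds to indices created
#    after the policy exists, so existing ones are attached with the add API.
apply_retention_policy() {
  local days="${1:-180}" n
  : "${INDEXER_PASS:?export INDEXER_PASS (indexer admin password) first}"
  local curl_opts=(-s --cacert "$INDEXER_CA" -u "${INDEXER_USER}:${INDEXER_PASS}")
  filebeat test output | filebeat_report_ok \
    || { echo "Filebeat cannot reach the indexer; fix that first" >&2; return 1; }
  n="$(curl "${curl_opts[@]}" "${INDEXER_URL}/_cat/indices" | count_wazuh_indices)"
  [ "$n" -gt 0 ] || { echo "no wazuh-alerts-*/wazuh-archives-* indices yet" >&2; return 1; }
  ism_policy_json "$days" | curl "${curl_opts[@]}" -H 'Content-Type: application/json' \
    -X PUT "${INDEXER_URL}/_plugins/_ism/policies/wazuh-retention" -d @-
  curl "${curl_opts[@]}" -H 'Content-Type: application/json' \
    -X POST "${INDEXER_URL}/_plugins/_ism/add/wazuh-alerts-*,wazuh-archives-*" \
    -d '{"policy_id": "wazuh-retention"}'
}

# Usage on the manager: INDEXER_PASS=... bash wazuh-retention.sh apply 180
if [ "${1:-}" = "apply" ]; then
  apply_retention_policy "${2:-180}"
fi
```

The two enable_archives_* functions are filters: feed them a copy of ossec.conf or filebeat.yml and write the result to a new file, then restart wazuh-manager and filebeat after swapping it in, so a backup survives if something goes wrong. The script refuses to register the policy until `filebeat test output` is clean and at least one wazuh-* index exists, because a retention policy registered against an indexer that never receives data hides the real problem (the missing indices Hernan is diagnosing) behind an apparently successful run.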