How can I monitor the Wazuh Manager itself using Wazuh?

[Ahmad Shahabi]

Hi everyone,

I would like to monitor my Wazuh Manager server itself as if it were one of the agents.
In other words, I want the Wazuh Manager to report its own logs, configuration assessment, and integrity checks to Wazuh, just like a normal agent would.

What is the proper way to set this up?
Should I install and register the Wazuh agent on the same machine as the manager, and point it to 127.0.0.1 as the manager address?
Are there any best practices or configuration examples for monitoring the manager host itself?

Thanks in advance!

[Olamilekan Abdullateef Ajani]

Hello,

Yes, you can monitor the wazuh server itself. By default, the Wazuh server monitors itself. When you install the Wazuh manager, it automatically includes a built-in agent with ID: 000. This means you don’t need to install a separate agent on the manager to collect its own logs and security events. 

I am sure you are already aware that the wazuh manager also has its own ossec.conf file located here /var/ossec/etc/ossec.conf where you can configure log monitoring with the localfile options.

That being said, All events generated by this internal agent can be viewed in the Discover dashboard. Simply filter by agent ID 000, and you will see detections and activity associated with the Wazuh server itself. This allows you to verify that the manager is being monitored out of the box, just like any other registered agent. Please see the attached reference.

For vulnerability detection, you will have to navigate to the wazuh server internal options file and changing the value of vulnerability-detection.disable_scan_manager from 1 to 0.
 /var/ossec/etc/internal_options.conf .

After modifying the file, you can restart the Wazuh server service: systemctl restart wazuh-manager

Then navigate to the Vulnerability dashboard section and filter by the agent name.

For SCA, You may not be able to select the agent directly from the individual dashboard like the others, but you can find all the necessary information regarding the agent 000 and all the logs pulled from the Discover dashboard.

Please see attached for reference.

[Ahmad Shahabi]

Thank you for your response.

I have a question — why was it decided that we can’t have the Wazuh Manager act as a normal agent, so that we could monitor it just like the others (including running SCA checks) and have full visibility and assurance about the manager itself?

My second question is about Wazuh Manager nodes that are configured as workers — how can I identify or search for them in the dashboard (by which ID or attributes)?

[Olamilekan Abdullateef Ajani]

Hello once again,

As to your question on why, this is by design. In as much as the agent can also perform the functionality of an agent, some of those features are not active by default as I have explained in my previous response, but yes they can be activated. SCA checks are captured by default and you can find the logs in the Discover dashboard as I have also shared in the previous screenshot.

For your second question, you can run the /var/ossec/bin/cluster_control -l command on the worker node to capture their ID.

regards

[Ahmad Shahabi]

Thanks a lot for your help and clear explanation!

[Ahmad Shahabi]

Hello,
I did the steps you mentioned, but I can’t find the Wazuh workers in the Wazuh dashboard.
Did I do something wrong?

On Monday, October 13, 2025 at 4:51:34 PM UTC+3:30 Olamilekan Abdullateef Ajani wrote:

[Olamilekan Abdullateef Ajani]

Hello once again,

So to be clear, the wazuh manager as I mentioned earlier would always retain the local ID of 000. You can use this to filter for the logs on the dashboard. I know you may also want to identify each worker by their logs, that is where the agent name comes in, each wazuh manager in the cluster would have separate names, so that is another point of filtering. Please see attached image for reference.

Apologies for the initial mix-up. You can refer to the attached image filters.

Please let me know if you require further clarification

[Ahmad Shahabi]

Thank you for your response.

I followed your guidance for the cluster setup and was able to see the logs of the wazuh-manager that acts as the master.
However, I still can’t see the logs of the wazuh-manager instances configured as workers.
So, either I’m applying the wrong filters,
or I’ve misunderstood the master and worker roles — and maybe everything related to the Wazuh manager cluster exists only on the master, meaning I should use the master itself for scanning and monitoring the workers.

I’m trying to view the logs related to the workers as well, but I haven’t been successful so far.
That’s why I’m a bit concerned that I might have misconfigured something that caused this issue.

Please guide me so I can have a clearer understanding of how the Wazuh cluster works.
Thank you.

The name of the Wazuh manager (master) is wazuh-manager01,
and the workers are wazuh-manager02 and wazuh-manager03.

When I run the following command:

cluster_control -l

it gives me the following output:

wazuh-1 master 4.13.0 192.168.7.88 
wazuh-2 worker 4.13.0 192.168.7.89 
wazuh-3 worker 4.13.0 192.168.7.90

Even when I try to filter based on wazuh-2 and wazuh-3, I still don’t get any results and can’t see any logs.