Changing Wazuh Internal IP

[Satiswaran Selva Sakeram]

Hi Team, 

We are going to change the internal IP of our wazuh VM, what are the steps needed or action needed to be taken from our end to ensure wazuh has no disruption

Thanks,

Satis

[Jorge Eduardo Silva Jackson]

Hi Satis,

Changing the internal IP of a Wazuh VM can affect communication between Wazuh components and endpoints if they are configured to use the old IP address directly.

To minimize disruption, the required actions depend on your deployment type: all-in-one, distributed, or clustered. The general checklist is the following:

1. Wazuh agents configuration

If your agents currently connect to the manager using its internal IP address, update the manager address in the agent configuration file:

• Linux/Unix agents: /var/ossec/etc/ossec.conf

• Windows agents, 64-bit: C:\Program Files (x86)\ossec-agent\ossec.conf

• Windows agents, 32-bit: C:\Program Files\ossec-agent\ossec.conf

Inside the configuration, update the server block:

<client> <server> <address>NEW_WAZUH_MANAGER_IP_OR_FQDN</address> </server> </client>

Then restart the Wazuh agent service on the endpoints.

To reduce the impact of future IP changes, we recommend configuring agents to use a stable DNS name/FQDN instead of a hardcoded IP address.

2. Internal components and cluster communication

If your deployment has components installed on different nodes, or if any component uses explicit IP addresses, review the configuration files where the old IP may be referenced:

• Wazuh indexer: /etc/wazuh-indexer/opensearch.yml

  • Review settings such as network.host, discovery.seed_hosts, and any other references to the old IP address.

• Filebeat on the Wazuh manager node: /etc/filebeat/filebeat.yml

  • Review the output.elasticsearch.hosts section.

• Wazuh dashboard API connection: /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

  • Review the configured Wazuh API url.

• Wazuh dashboard connection to the indexer: /etc/wazuh-dashboard/opensearch_dashboards.yml

  • Review the opensearch.hosts setting.

Only update entries that explicitly reference the old IP address.

3. TLS certificates

Certificate regeneration is required if the old IP address was explicitly used as part of the node identity or Subject Alternative Names during the original certificate generation.

If certificates were generated using DNS names/FQDNs and those names remain unchanged, certificate regeneration may not be necessary.

4. Firewall and network rules

Ensure that local firewalls, security groups, routing rules, or network ACLs allow traffic to the new IP address on the required ports for your deployment. Common Wazuh ports include:

• 1514/TCP for agent event forwarding

• 1515/TCP for agent enrollment

• 55000/TCP for the Wazuh API

• 1516/TCP for Wazuh cluster communication, if using a manager cluster

• 9200/TCP for Wazuh indexer access between components, if separated

• 443/TCP or your configured dashboard port for Wazuh dashboard access

5. Post-change validation

After the IP change and service restarts, verify that:

• Wazuh services are running properly: wazuh-manager, wazuh-indexer, wazuh-dashboard, and filebeat, depending on your deployment.

• Agents reconnect successfully to the manager.

• The dashboard can connect to the Wazuh API.

• The Wazuh manager can send alerts to the Wazuh indexer.

• There are no errors related to the old IP address in Wazuh, Filebeat, dashboard, or indexer logs.

We recommend performing this change during a maintenance window and taking a VM snapshot or backup before making changes.

To provide exact steps for your environment, please confirm whether this is an all-in-one deployment or a distributed/clustered deployment, and whether your agents currently connect using an IP address or an FQDN.