Description
The Wazuh indexer is a highly scalable, full-text search and analytics engine. This Wazuh central component indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. The Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability.
The Wazuh indexer stores data as JSON documents. Each document correlates a set of keys (field names or properties) with their corresponding values, which can be strings, numbers, booleans, dates, arrays of values, geolocations, or other types of data.
An index is a collection of documents that are related to each other. The documents stored in the Wazuh indexer are distributed across different containers known as shards. By distributing the documents across multiple shards, and distributing those shards across multiple nodes, the Wazuh indexer can ensure redundancy. This protects your system against hardware failures and increases query capacity as nodes are added to a cluster.
The Wazuh indexer stores the data collected by the Wazuh agents in separate indices. Each index contains documents with specific inventory information. In this section, you can find a description of the information in each index.
| Index | Description |
|---|---|
| wazuh-agents | Stores information about the agents, such as name, IP, ID, groups, and so on. |
| wazuh-alerts | Stores alerts generated by the Wazuh server. These are created each time an event trips a rule with a high enough priority (this threshold is configurable). |
| wazuh-commands | Commands are used as a communication mechanism between the different Wazuh central components. This index stores detailed information about these commands, such as their status, destination, origin and issued time. |
| wazuh-states-fim | File Integrity Monitoring registries. |
| wazuh-states-inventory-hardware | Basic information about the hardware components of an endpoint. |
| wazuh-states-inventory-hotfixes | Contains information about the updates installed on Windows endpoints. This information is used by the vulnerability detector module to discover which vulnerabilities have been patched on Windows endpoints. |
| wazuh-states-inventory-networks | Network information, such as network interfaces, protocols and traffic summary. |
| wazuh-states-inventory-packages | Stores information about the software currently installed on the endpoint. |
| wazuh-states-inventory-ports | Basic information about open network ports on the endpoint. |
| wazuh-states-inventory-processes | Stores the running processes detected on the endpoints. |
| wazuh-states-inventory-system | Operating system information, hostname and architecture. |
| wazuh-states-sca | Stores Security Configuration Assessment (SCA) results. |
| wazuh-states-vulnerabilities | Active vulnerabilities on the endpoint and their details. |
| wazuh-archives | Stores all events (archive data) received by the Wazuh server, whether or not they trip a rule. |
| wazuh-internal-users | Stores information about internal users, including authentication details and role-based access control (RBAC) permissions. |
| wazuh-custom-users | Stores information about custom users defined by administrators, including user-specific roles and permissions. |
| wazuh-cve | Stores information about Common Vulnerabilities and Exposures (CVEs) and their details. |
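As an added example (not code from the Wazuh documentation or project), the following Python script shows how the JSON-document model described above is used in practice: it builds a search request for the `wazuh-alerts` index that keeps only alerts at or above a chosen rule level in a recent time window, buckets them per agent, and reduces the response to a small triage summary. It assumes things the page does not state: that the indexer exposes an OpenSearch-style `_search` REST endpoint, that alert documents carry the fields `timestamp`, `rule.level`, `rule.description`, `agent.id` and `agent.name`, and that alert indices match the pattern `wazuh-alerts-*`. The sample response embedded in the script is constructed by hand so that the summary logic runs offline.

```python
"""Added example, not from the Wazuh documentation or project.

Assumptions (not stated on the page): OpenSearch-compatible `_search` API,
alert fields `timestamp`, `rule.level`, `rule.description`, `agent.id`,
`agent.name`, and the index pattern `wazuh-alerts-*`. SAMPLE_RESPONSE below
is constructed data, not output captured from a real cluster.
"""
import base64
import json
import ssl
import urllib.request
from collections import Counter

ALERTS_INDEX_PATTERN = "wazuh-alerts-*"  # assumed naming of the alert indices


def build_query(min_level: int = 12, hours: int = 24, size: int = 100) -> dict:
    """Query DSL: alerts whose rule level is >= min_level within the last
    `hours` hours, newest first, plus a per-agent bucket count so a
    responder can see which endpoints produce the most high-priority alerts."""
    return {
        "size": size,
        "sort": [{"timestamp": {"order": "desc"}}],
        "query": {
            "bool": {
                "filter": [
                    {"range": {"rule.level": {"gte": min_level}}},
                    {"range": {"timestamp": {"gte": f"now-{hours}h"}}},
                ]
            }
        },
        "aggs": {"by_agent": {"terms": {"field": "agent.name", "size": 20}}},
    }


def search(base_url: str, body: dict, user: str, password: str,
           cafile: str, index: str = ALERTS_INDEX_PATTERN,
           timeout: int = 10) -> dict:
    """POST the query to <base_url>/<index>/_search with HTTP basic auth.
    TLS verification is kept on and pinned to the cluster CA bundle (cafile);
    this function performs a network call and is not exercised offline."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/{index}/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


def summarize(response: dict) -> dict:
    """Reduce a _search response to a triage view: total hit count, per-agent
    counts (from the aggregation when present, otherwise computed from the
    returned hits), and the highest rule level among the returned hits."""
    hits_block = response.get("hits", {})
    hits = hits_block.get("hits", [])
    total = hits_block.get("total", len(hits))
    total_value = total.get("value", len(hits)) if isinstance(total, dict) else total
    per_agent: Counter = Counter()
    buckets = response.get("aggregations", {}).get("by_agent", {}).get("buckets")
    if buckets is not None:
        for bucket in buckets:
            per_agent[bucket["key"]] = bucket["doc_count"]
    else:
        for hit in hits:
            per_agent[hit["_source"]["agent"]["name"]] += 1
    max_level = max((hit["_source"]["rule"]["level"] for hit in hits), default=0)
    return {"total": total_value, "per_agent": dict(per_agent), "max_level": max_level}


def _alert(ts: str, level: int, agent_id: str, agent_name: str, desc: str) -> dict:
    """Helper to build one constructed alert document in the assumed shape."""
    return {"_index": "wazuh-alerts-example", "_source": {
        "timestamp": ts,
        "rule": {"level": level, "description": desc},
        "agent": {"id": agent_id, "name": agent_name}}}


# Constructed sample response (not captured from a real indexer).
SAMPLE_RESPONSE = {
    "hits": {
        "total": {"value": 3, "relation": "eq"},
        "hits": [
            _alert("2024-01-01T10:02:00.000+0000", 15, "001", "web-01", "constructed alert A"),
            _alert("2024-01-01T10:01:00.000+0000", 12, "002", "db-01", "constructed alert B"),
            _alert("2024-01-01T10:00:00.000+0000", 12, "001", "web-01", "constructed alert C"),
        ],
    },
    "aggregations": {"by_agent": {"buckets": [
        {"key": "web-01", "doc_count": 2},
        {"key": "db-01", "doc_count": 1},
    ]}},
}


if __name__ == "__main__":
    print(json.dumps(build_query(), indent=2))
    print(summarize(SAMPLE_RESPONSE))
```

The `search` function is the only part that touches the network; it keeps TLS verification enabled against the CA bundle you pass in rather than disabling it for a self-signed cluster certificate, and the indexer user it authenticates as should be one whose RBAC permissions (see the user indices above) are limited to reading the alert indices.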