Wazuh Indexer Initialization plugin

The wazuh-indexer-setup plugin is a module of the Wazuh Indexer responsible for initializing the indices required by Wazuh.

The Wazuh Indexer Setup Plugin is responsible for:

  • Creating the index templates, which define the mappings and settings for the indices.
  • Creating the initial indices. We distinguish between stateful and stream indices: stream indices contain immutable time-series data and are rolled over periodically, while stateful indices store dynamic data that changes over time and resides in a single index.
  • Creating the stream indices with a data stream configuration and an ISM rollover policy.

Indices

The following table lists the indices created by this plugin.

Stream indices

Index | Description
wazuh-events-raw-v5 | Stores original unprocessed events.
wazuh-events-v5-unclassified | Stores uncategorized events for investigation.
wazuh-active-responses | Stores active response execution requests.
wazuh-events-v5-<category> | Stores events received by the Wazuh Manager, categorized by their origin or type. Refer to the Wazuh Common Schema for more information.
wazuh-findings-v5-<category> | Stores security findings generated by the Threat Detectors. These are created each time an event trips a detection rule.
wazuh-metrics-agents | Stores statistics about the state of the Wazuh Agents.
wazuh-metrics-comms | Stores statistics about Wazuh Manager usage and performance. The information includes the number of events decoded, bytes received, and TCP sessions.

Stateful indices

Index | Description
wazuh-states-sca | Security Configuration Assessment (SCA) scan results.
wazuh-states-fim-files | File Integrity Monitoring: information about monitored files.
wazuh-states-fim-registry-keys | File Integrity Monitoring: information about the Windows registry (keys).
wazuh-states-fim-registry-values | File Integrity Monitoring: information about the Windows registry (values).
wazuh-states-inventory-browser-extensions | Stores browser extensions/add-ons detected on the endpoint (Chromium-based browsers such as Chrome, Edge, Brave and Opera; Firefox; and Safari).
wazuh-states-inventory-groups | Stores the existing groups on the endpoint.
wazuh-states-inventory-hardware | Basic information about the hardware components of the endpoint.
wazuh-states-inventory-hotfixes | Contains information about the updates installed on Windows endpoints. This information is used by the vulnerability detector module to discover which vulnerabilities have been patched on Windows endpoints.
wazuh-states-inventory-interfaces | Stores interface state (up and down interfaces) as well as packet transfer information about the interfaces on a monitored endpoint.
wazuh-states-inventory-monitoring | Stores the connection status history of Wazuh agents (active, disconnected, pending, or never connected). The index is used by the Wazuh Dashboard to display agent status and historical trends.
wazuh-states-inventory-networks | Stores the IPv4 and IPv6 addresses associated with each network interface, as referenced in the wazuh-states-inventory-interfaces index.
wazuh-states-inventory-packages | Stores information about the software currently installed on the endpoint.
wazuh-states-inventory-ports | Basic information about open network ports on the endpoint.
wazuh-states-inventory-processes | Stores the running processes detected on the endpoints.
wazuh-states-inventory-protocols | Stores routing configuration details for each network interface, as referenced in the wazuh-states-inventory-interfaces index.
wazuh-states-inventory-services | Stores system services detected on the endpoint (Windows Services, Linux systemd units, and macOS launchd daemons/agents).
wazuh-states-inventory-system | Operating system information, hostname and architecture.
wazuh-states-inventory-users | Stores the existing users on the endpoint.
wazuh-states-vulnerabilities | Active vulnerabilities on the endpoint and their details.
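A practical way to confirm that the plugin initialized the indexer correctly is to compare the index and data stream names actually present with the two tables above. The following script is an added example, not part of the Wazuh project: it classifies names by the stream/stateful naming convention shown above, reports which expected indices are missing, and counts how many backing indices each data stream has accumulated through ISM rollover. In production you would feed it the names returned by GET _cat/indices?h=index and GET _data_stream; the sample inventory embedded here is constructed, the "linux" category is invented for the sample, and the .ds-<stream>-<generation> backing index naming is assumed from the OpenSearch data stream convention.

```python
"""Offline check of the indices the wazuh-indexer-setup plugin should create.
Added example, not part of the Wazuh project."""
import re
from collections import Counter

# Stream indices: data streams with an ISM rollover policy. The events and
# findings streams carry a variable <category> suffix and are matched by prefix.
STREAM_EXACT = {
    "wazuh-events-raw-v5",
    "wazuh-events-v5-unclassified",
    "wazuh-active-responses",
    "wazuh-metrics-agents",
    "wazuh-metrics-comms",
}
STREAM_PREFIXES = ("wazuh-events-v5-", "wazuh-findings-v5-")

# Stateful indices: a single plain index each.
STATEFUL = {
    "wazuh-states-sca",
    "wazuh-states-fim-files",
    "wazuh-states-fim-registry-keys",
    "wazuh-states-fim-registry-values",
    "wazuh-states-inventory-browser-extensions",
    "wazuh-states-inventory-groups",
    "wazuh-states-inventory-hardware",
    "wazuh-states-inventory-hotfixes",
    "wazuh-states-inventory-interfaces",
    "wazuh-states-inventory-monitoring",
    "wazuh-states-inventory-networks",
    "wazuh-states-inventory-packages",
    "wazuh-states-inventory-ports",
    "wazuh-states-inventory-processes",
    "wazuh-states-inventory-protocols",
    "wazuh-states-inventory-services",
    "wazuh-states-inventory-system",
    "wazuh-states-inventory-users",
    "wazuh-states-vulnerabilities",
}

# Assumption: backing indices follow the OpenSearch data stream convention
# .ds-<stream name>-<six-digit generation>, e.g. .ds-wazuh-events-raw-v5-000001
BACKING = re.compile(r"^\.ds-(?P<stream>.+)-(?P<gen>\d{6})$")


def classify(name):
    """Classify an index or data stream name as 'stream', 'stateful' or 'other'."""
    m = BACKING.match(name)
    if m:
        name = m.group("stream")
    if name in STREAM_EXACT or name.startswith(STREAM_PREFIXES):
        return "stream"
    if name in STATEFUL:
        return "stateful"
    return "other"


def check(index_names, data_stream_names):
    """Compare what exists on the indexer with what the plugin should have created."""
    streams = set(data_stream_names)
    plain = set()
    generations = Counter()
    for name in index_names:
        m = BACKING.match(name)
        if m:
            streams.add(m.group("stream"))
            generations[m.group("stream")] += 1  # one entry per rollover generation
        else:
            plain.add(name)

    missing_stream = STREAM_EXACT - streams
    # At least one categorized events stream and one findings stream should exist.
    for prefix in STREAM_PREFIXES:
        if not any(s.startswith(prefix) and s not in STREAM_EXACT for s in streams):
            missing_stream.add(prefix + "<category>")

    return {
        "missing_stream": missing_stream,
        "missing_stateful": STATEFUL - plain,
        "generations": dict(generations),
    }


def is_initialized(report):
    """True when every expected index and data stream is present."""
    return not report["missing_stream"] and not report["missing_stateful"]


# Constructed sample inventory: a partially initialized indexer.
SAMPLE_INDICES = [
    ".ds-wazuh-events-raw-v5-000001",
    ".ds-wazuh-events-raw-v5-000002",  # rolled over once by ISM
    ".ds-wazuh-events-v5-unclassified-000001",
    ".ds-wazuh-events-v5-linux-000001",  # "linux" is a constructed category
    ".ds-wazuh-active-responses-000001",
    ".ds-wazuh-metrics-agents-000001",
    "wazuh-states-sca",
    "wazuh-states-fim-files",
    "wazuh-states-vulnerabilities",
    ".opendistro_security",  # unrelated index from the security plugin
]
SAMPLE_DATA_STREAMS = [
    "wazuh-events-raw-v5",
    "wazuh-events-v5-unclassified",
    "wazuh-events-v5-linux",
    "wazuh-active-responses",
    "wazuh-metrics-agents",
]

if __name__ == "__main__":
    report = check(SAMPLE_INDICES, SAMPLE_DATA_STREAMS)
    print("initialized:", is_initialized(report))
    for kind in ("missing_stream", "missing_stateful"):
        print(kind, sorted(report[kind]))
    print("backing indices per stream:", report["generations"])
```

On the constructed sample the check reports wazuh-metrics-comms and a findings stream as missing on the stream side, sixteen wazuh-states-* indices as missing on the stateful side, and two backing indices for wazuh-events-raw-v5, which is what a rolled-over data stream looks like. A stateful index showing several generations, or a stream index present only as a plain index, would indicate that the templates or the ISM policy were not applied.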

Install

The wazuh-indexer-setup plugin is part of the official Wazuh Indexer packages and is installed by default. However, to install the plugin manually, follow the steps below.

Note: You need to use the wazuh-indexer or root user to run these commands.

/usr/share/wazuh-indexer/bin/opensearch-plugin install file://[absolute-path-to-the-plugin-zip]

Once installed, restart the Wazuh Indexer service.

Uninstall

Note: You need to use the wazuh-indexer or root user to run these commands.

To list the installed plugins, run: /usr/share/wazuh-indexer/bin/opensearch-plugin list

To remove a plugin, pass its name as a parameter to the remove command: /usr/share/wazuh-indexer/bin/opensearch-plugin remove <plugin-name>

For example, to remove this plugin:

/usr/share/wazuh-indexer/bin/opensearch-plugin remove wazuh-indexer-setup