Wazuh Indexer Initialization plugin
The wazuh-indexer-setup plugin is a module of the Wazuh Indexer responsible for initializing the indices required by Wazuh.
The Wazuh Indexer Setup Plugin is responsible for:
- Create the index templates, which define the mappings and settings for the indices.
- Create the initial indices. We distinguish between stateful and stream indices. While stream indices contain immutable time-series data and are rolled over periodically, stateful indices store dynamic data that can change over time and reside in a single index.
- Stream indices are created with a data stream configuration and an ISM rollover policy.
Indices
The following table lists the indices created by this plugin.
Stream indices
| Index | Description |
|---|---|
| wazuh-events-raw-v5 | Stores original unprocessed events. |
| wazuh-events-v5-unclassified | Stores uncategorized events for investigation. |
| wazuh-active-responses | Stores active response execution requests. |
| wazuh-events-v5-<category> | Stores events received by the Wazuh Manager, categorized by their origin or type. Refer to Wazuh Common Schema for more information. |
| wazuh-findings-v5-<category> | Stores security findings generated by the Threat Detectors. These are created each time an event trips a detection rule. |
| wazuh-metrics-agents | Stores statistics about the Wazuh Agents state. |
| wazuh-metrics-comms | Stores statistics about the Wazuh Manager usage and performance. The information includes the number of events decoded, bytes received, and TCP sessions. |
Stateful indices
| Index | Description |
|---|---|
| wazuh-states-sca | Security Configuration Assessment (SCA) scan results. |
| wazuh-states-fim-files | File Integrity Monitoring: information about monitored files. |
| wazuh-states-fim-registry-keys | File Integrity Monitoring: information about the Windows registry (keys). |
| wazuh-states-fim-registry-values | File Integrity Monitoring: information about the Windows registry (values). |
| wazuh-states-inventory-browser-extensions | Stores browser extensions/add-ons detected on the endpoint (Chromium-based browsers such as Chrome, Edge, Brave and Opera; Firefox; and Safari). |
| wazuh-states-inventory-groups | Stores existing groups on the endpoint. |
| wazuh-states-inventory-hardware | Basic information about the hardware components of the endpoint. |
| wazuh-states-inventory-hotfixes | Contains information about the updates installed on Windows endpoints. This information is used by the vulnerability detector module to discover which vulnerabilities have been patched on Windows endpoints. |
| wazuh-states-inventory-interfaces | Stores the state of the interfaces (up or down) on a monitored endpoint, together with packet transfer statistics for each interface. |
| wazuh-states-inventory-monitoring | Stores the connection status history of Wazuh agents (active, disconnected, pending, or never connected). The index is used by the Wazuh Dashboard to display agent status and historical trends. |
| wazuh-states-inventory-networks | Stores the IPv4 and IPv6 addresses associated with each network interface, as referenced in the wazuh-states-inventory-interfaces index. |
| wazuh-states-inventory-packages | Stores information about the currently installed software on the endpoint. |
| wazuh-states-inventory-ports | Basic information about open network ports on the endpoint. |
| wazuh-states-inventory-processes | Stores the detected running processes on the endpoints. |
| wazuh-states-inventory-protocols | Stores routing configuration details for each network interface, as referenced in the wazuh-states-inventory-interfaces index. |
| wazuh-states-inventory-services | Stores system services detected on the endpoint (Windows Services, Linux systemd units, and macOS launchd daemons/agents). |
| wazuh-states-inventory-system | Operating system information, hostname and architecture. |
| wazuh-states-inventory-users | Stores existing users on the endpoint. |
| wazuh-states-vulnerabilities | Active vulnerabilities on the endpoint and their details. |
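The two tables above are also a checklist: if the plugin failed to run (for example after a partial upgrade), events land in indices without the intended mappings and stateful data may be missing entirely. The following added example, which is not part of the wazuh-indexer-setup plugin, audits a running indexer against that checklist. It takes the JSON responses of two OpenSearch APIs (`GET _data_stream` and `GET _cat/indices?format=json`), checks that every index belonging to a stream family is a backing index of a data stream and that every stateful index exists, and reports anything under the `wazuh-` prefix that matches neither table. The backing-index naming convention (`.ds-<stream>-<generation>`) is the standard OpenSearch one; the sample responses at the bottom are constructed for illustration.

```python
"""Audit the index layout described by the stream/stateful tables.

Added example, not part of the wazuh-indexer-setup plugin. Run it either
with two files saved from the OpenSearch API or with the constructed
sample data embedded below:

    python audit_indices.py data_stream.json cat_indices.json
"""
import json
import re
import sys

# Stream index families from the table above. <category> is a wildcard;
# wazuh-events-v5-unclassified is one instance of that pattern.
STREAM_PATTERNS = [
    re.compile(r"^wazuh-events-raw-v5$"),
    re.compile(r"^wazuh-events-v5-[a-z0-9_-]+$"),
    re.compile(r"^wazuh-findings-v5-[a-z0-9_-]+$"),
    re.compile(r"^wazuh-active-responses$"),
    re.compile(r"^wazuh-metrics-agents$"),
    re.compile(r"^wazuh-metrics-comms$"),
]

# Stateful indices from the table above: fixed names, one index each.
STATEFUL_INDICES = {
    "wazuh-states-sca",
    "wazuh-states-fim-files",
    "wazuh-states-fim-registry-keys",
    "wazuh-states-fim-registry-values",
    "wazuh-states-inventory-browser-extensions",
    "wazuh-states-inventory-groups",
    "wazuh-states-inventory-hardware",
    "wazuh-states-inventory-hotfixes",
    "wazuh-states-inventory-interfaces",
    "wazuh-states-inventory-monitoring",
    "wazuh-states-inventory-networks",
    "wazuh-states-inventory-packages",
    "wazuh-states-inventory-ports",
    "wazuh-states-inventory-processes",
    "wazuh-states-inventory-protocols",
    "wazuh-states-inventory-services",
    "wazuh-states-inventory-system",
    "wazuh-states-inventory-users",
    "wazuh-states-vulnerabilities",
}

# OpenSearch names data stream backing indices ".ds-<stream>-<6 digits>".
BACKING_RE = re.compile(r"^\.ds-(.+)-\d{6}$")


def classify(name):
    """Return 'stream', 'stateful' or None for an index or data stream name."""
    m = BACKING_RE.match(name)
    base = m.group(1) if m else name
    if base in STATEFUL_INDICES:
        return "stateful"
    if any(p.match(base) for p in STREAM_PATTERNS):
        return "stream"
    return None


def audit(data_stream_response, cat_indices_response):
    """Compare the indices that exist against what the tables require.

    data_stream_response: parsed JSON of GET _data_stream
    cat_indices_response: parsed JSON of GET _cat/indices?format=json
    """
    backing = {
        idx["index_name"]
        for ds in data_stream_response.get("data_streams", [])
        for idx in ds.get("indices", [])
    }
    existing = {row["index"] for row in cat_indices_response}

    report = {"stream_without_datastream": [], "unknown": []}
    for name in sorted(existing):
        kind = classify(name)
        if kind == "stream" and name not in backing:
            # A stream-family index created as a plain index will never
            # roll over and is not covered by the ISM policy.
            report["stream_without_datastream"].append(name)
        elif kind is None and name.startswith("wazuh-"):
            report["unknown"].append(name)
    report["missing_stateful"] = sorted(STATEFUL_INDICES - existing)
    return report


# Constructed sample responses (not captured from a real cluster).
SAMPLE_DATA_STREAMS = {
    "data_streams": [
        {"name": "wazuh-events-v5-process",
         "indices": [{"index_name": ".ds-wazuh-events-v5-process-000001"}]},
        {"name": "wazuh-metrics-agents",
         "indices": [{"index_name": ".ds-wazuh-metrics-agents-000001"},
                     {"index_name": ".ds-wazuh-metrics-agents-000002"}]},
    ]
}
SAMPLE_CAT_INDICES = [
    {"index": ".ds-wazuh-events-v5-process-000001"},
    {"index": ".ds-wazuh-metrics-agents-000001"},
    {"index": ".ds-wazuh-metrics-agents-000002"},
    {"index": "wazuh-events-raw-v5"},        # plain index, should be a data stream
    {"index": "wazuh-states-sca"},
    {"index": "wazuh-states-inventory-packages"},
    {"index": "wazuh-custom-thing"},          # matches neither table
]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_ds, open(sys.argv[2]) as f_cat:
            ds, cat = json.load(f_ds), json.load(f_cat)
    else:
        ds, cat = SAMPLE_DATA_STREAMS, SAMPLE_CAT_INDICES
    print(json.dumps(audit(ds, cat), indent=2))
```

On the sample data the report flags `wazuh-events-raw-v5` as a stream index without a data stream, lists `wazuh-custom-thing` as unknown, and names the 17 stateful indices that are absent. An empty report after a fresh install is the expected result; a non-empty one on a production cluster is worth an alert, because it means ingested data is not being mapped and rotated the way the templates intend.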
Install
The wazuh-indexer-setup plugin is part of the official Wazuh Indexer packages and is installed by default. However, to manually install the plugin, follow the next steps.
Note: You need to use the `wazuh-indexer` or `root` user to run these commands.

```bash
/usr/share/wazuh-indexer/bin/opensearch-plugin install file://[absolute-path-to-the-plugin-zip]
```
Once installed, restart the Wazuh Indexer service.
Uninstall
Note: You need to use the `wazuh-indexer` or `root` user to run these commands.
To list the installed plugins, run:

```bash
/usr/share/wazuh-indexer/bin/opensearch-plugin list
```

To remove a plugin, use its name as a parameter with the remove command:

```bash
/usr/share/wazuh-indexer/bin/opensearch-plugin remove <plugin-name>
```

For example, to remove this plugin:

```bash
/usr/share/wazuh-indexer/bin/opensearch-plugin remove wazuh-indexer-setup
```