Wazuh ships with OpenSearch (the Apache 2.0-licensed fork of Elasticsearch) and OpenSearch Dashboards (the matching fork of Kibana) as its default indexing and visualization layer. This integration provides log analysis, alert correlation, and security dashboard capabilities, and in this setup all three components are managed through Docker Compose.
For the complete setup guide, see our Wazuh Docker Compose Setup — covers the full Wazuh stack including the OpenSearch indexer and dashboard.
How Wazuh Integrates with Elastic/OpenSearch
| Component | Role |
|---|---|
| Wazuh Manager | Collects security events from agents, analyzes them with rules |
| Wazuh Indexer (OpenSearch) | Stores and indexes security alerts for fast querying |
| Wazuh Dashboard (OpenSearch Dashboards) | Visualizes alerts, creates custom dashboards, manages configuration |
Key Integration Features
- Automatic alert indexing: Alerts (events that matched a rule at or above the manager's alert-level threshold) are written to OpenSearch as they fire; raw event archives are optional and not indexed by default
- Pre-built dashboards: Security overview, threat detection, vulnerability reports
- Custom queries: Use OpenSearch Query DSL for advanced threat hunting
- Alert correlation: Link related events across multiple agents and timeframes
- Retention policies: Use OpenSearch Index State Management (ISM, the OpenSearch counterpart of Elastic's index lifecycle management) to age out and delete old alert indices
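The custom-query, correlation and retention bullets above are easiest to see together in code. The following is an added example, not code from the original page or from the Wazuh project: a Python script that builds a Query DSL hunt over `wazuh-alerts-*`, sends it to the indexer, tallies the hits per agent so the same rule firing on several hosts stands out, and emits an ISM retention policy. The indexer URL, the `admin` user, the `WAZUH_INDEXER_PASSWORD` variable and the sample alerts are assumptions; the field names follow the Wazuh alert template.

```python
"""Added example, not code from the original page or the Wazuh project.
Builds an OpenSearch Query DSL hunt over wazuh-alerts-*, summarises hits per
agent, and generates an Index State Management (ISM) retention policy.
Assumed (not on the page): indexer at https://localhost:9200, user 'admin',
password in WAZUH_INDEXER_PASSWORD; field names rule.level, rule.id,
rule.groups, agent.name and timestamp as in the Wazuh alert template."""
import base64
import json
import os
import ssl
import urllib.request
from collections import Counter

INDEXER_URL = "https://localhost:9200"  # assumption: single-node compose stack
INDEX_PATTERN = "wazuh-alerts-*"


def build_hunt_query(min_level=10, groups=("authentication_failures",),
                     window="now-24h", size=100):
    """Alerts at or above min_level in any of the rule groups inside the time
    window, newest first, bucketed per agent. Everything sits in filter
    context: no relevance scoring, and the clauses are cacheable."""
    return {
        "size": size,
        "sort": [{"timestamp": {"order": "desc"}}],
        "query": {"bool": {"filter": [
            {"range": {"rule.level": {"gte": min_level}}},
            {"terms": {"rule.groups": list(groups)}},
            {"range": {"timestamp": {"gte": window, "lte": "now"}}},
        ]}},
        "aggs": {"by_agent": {"terms": {"field": "agent.name", "size": 50}}},
    }


def run_search(query, url=INDEXER_URL, user="admin", password=None,
               verify_tls=False):
    """POST the query to /wazuh-alerts-*/_search with HTTP basic auth.
    verify_tls=False tolerates the self-signed certs the compose stack
    generates; switch it on once the indexer has a trusted certificate."""
    password = password or os.environ.get("WAZUH_INDEXER_PASSWORD", "")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{url}/{INDEX_PATTERN}/_search", data=json.dumps(query).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"}, method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def summarize_hits(response):
    """Flatten a _search reply into (agent, rule.id, level, description) rows
    and count alerts per agent; rows sharing a rule.id across agents are the
    correlation candidates."""
    rows = [(h["_source"]["agent"]["name"], h["_source"]["rule"]["id"],
             h["_source"]["rule"]["level"], h["_source"]["rule"]["description"])
            for h in response.get("hits", {}).get("hits", [])]
    return rows, Counter(agent for agent, *_ in rows)


def build_retention_policy(hot_days=7, delete_days=90):
    """ISM policy for PUT _plugins/_ism/policies/<name>: indices stay 'hot'
    for hot_days, then go read-only and force-merged in 'warm', and are
    deleted at delete_days. ism_template attaches it to new matching indices."""
    return {"policy": {
        "description": f"Wazuh alert retention: delete after {delete_days}d",
        "default_state": "hot",
        "states": [
            {"name": "hot", "actions": [], "transitions": [
                {"state_name": "warm",
                 "conditions": {"min_index_age": f"{hot_days}d"}}]},
            {"name": "warm",
             "actions": [{"read_only": {}},
                         {"force_merge": {"max_num_segments": 1}}],
             "transitions": [{"state_name": "delete",
                              "conditions": {"min_index_age": f"{delete_days}d"}}]},
            {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
        ],
        "ism_template": [{"index_patterns": [INDEX_PATTERN], "priority": 100}],
    }}


def _hit(ts, agent, rule_id, desc):  # one constructed alert document
    return {"_source": {"timestamp": ts, "agent": {"name": agent},
                        "rule": {"id": rule_id, "level": 10, "description": desc,
                                 "groups": ["syslog", "sshd", "authentication_failures"]}}}


# Constructed sample shaped like an OpenSearch _search reply (hosts, times and
# content are made up; rule ids chosen to resemble Wazuh's sshd brute-force rules).
SAMPLE_RESPONSE = {"hits": {"total": {"value": 3}, "hits": [
    _hit("2024-05-01T10:00:00.000+0000", "web-01", "5712", "sshd: brute force trying to get access to the system."),
    _hit("2024-05-01T10:00:30.000+0000", "db-01", "5712", "sshd: brute force trying to get access to the system."),
    _hit("2024-05-01T10:01:00.000+0000", "web-01", "5720", "sshd: Multiple authentication failures."),
]}}


if __name__ == "__main__":
    query = build_hunt_query()
    # Query the real indexer only when a password is set; otherwise use the sample.
    response = run_search(query) if os.environ.get("WAZUH_INDEXER_PASSWORD") else SAMPLE_RESPONSE
    rows, per_agent = summarize_hits(response)
    print(*rows, sep="\n")
    print("alerts per agent:", dict(per_agent))
    print(json.dumps(build_retention_policy(), indent=2))
```

Apply the policy once with `PUT _plugins/_ism/policies/wazuh-alerts-retention` (body from `build_retention_policy()`); the `ism_template` entry then attaches it automatically to every new `wazuh-alerts-*` index, while existing indices need an explicit `POST _plugins/_ism/add/wazuh-alerts-*`.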
Deployment
The Wazuh Docker Compose stack includes all three components:
```bash
cd ~/docker/wazuh
docker compose up -d
# Dashboard: https://your-server-ip:5601
# API:       https://your-server-ip:55000
# Indexer:   https://your-server-ip:9200
```
Before exposing any of these ports beyond the host, change the default indexer and API credentials set in the Compose environment, and keep 9200 (indexer) and 55000 (API) reachable only from trusted hosts; the dashboard is the one endpoint most users need. For the complete deployment guide, agent setup, and security configuration, visit our Wazuh Docker Compose Setup guide.