OpenSearch/Wazuh Indexer Setup and Management Guide#

This document provides instructions for setting up, configuring, and managing an OpenSearch cluster that serves as a Wazuh indexer. It covers installation, backup procedures, configuration paths, and basic health checks.

System Overview#

The setup consists of:

OpenSearch 2.11.1+ (latest stable) serving as a Wazuh indexer
Compatible with Wazuh 4.7.x and 4.8.x
Single-node cluster configuration (with multi-node scaling options)
Security plugin enabled with admin authentication

Updated Installation Process (2025)#

Prerequisites#

Hardware Requirements:
- Minimum: 8GB RAM, 4 CPU cores, 100GB SSD
- Recommended: 16GB RAM, 8 CPU cores, 500GB NVMe SSD
- Enterprise: 32GB+ RAM, 16+ CPU cores, 1TB+ NVMe SSD in RAID configuration
Software Requirements:
- Ubuntu 22.04 LTS or RHEL 8.x/9.x
- Java 11 or 17 (OpenJDK recommended)
- Python 3.8+ for management scripts

Quick Installation Script#

1
#!/bin/bash
2
# OpenSearch/Wazuh Indexer Quick Setup Script - 2025
3

4
# Set version variables
5
OPENSEARCH_VERSION="2.11.1"
6
WAZUH_VERSION="4.8.0"
7

8
# Update system
9
sudo apt-get update && sudo apt-get upgrade -y
10

11
# Install dependencies
12
sudo apt-get install -y curl wget unzip apt-transport-https ca-certificates gnupg lsb-release
13

14
# Install Java
15
sudo apt-get install -y openjdk-11-jdk
16

17
# Set JAVA_HOME
18
echo "export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64" | sudo tee -a /etc/environment
19
source /etc/environment
20

21
# Download and install OpenSearch
22
wget https://artifacts.opensearch.org/releases/bundle/opensearch/${OPENSEARCH_VERSION}/opensearch-${OPENSEARCH_VERSION}-linux-x64.tar.gz
23
tar -xzf opensearch-${OPENSEARCH_VERSION}-linux-x64.tar.gz
24
sudo mv opensearch-${OPENSEARCH_VERSION} /opt/opensearch
25

26
# Configure system limits
27
echo "opensearch soft nofile 65536" | sudo tee -a /etc/security/limits.conf
28
echo "opensearch hard nofile 65536" | sudo tee -a /etc/security/limits.conf
29
echo "opensearch soft memlock unlimited" | sudo tee -a /etc/security/limits.conf
30
echo "opensearch hard memlock unlimited" | sudo tee -a /etc/security/limits.conf
31

32
# Configure sysctl
33
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
34
sudo sysctl -p
35

36
# Create opensearch user
37
sudo useradd -m -s /bin/bash opensearch
38
sudo chown -R opensearch:opensearch /opt/opensearch
39

40
# Create necessary directories
41
sudo mkdir -p /var/log/opensearch
42
sudo mkdir -p /var/lib/opensearch
43
sudo chown -R opensearch:opensearch /var/log/opensearch
44
sudo chown -R opensearch:opensearch /var/lib/opensearch

Directory Structure#

The key directories and configuration files are:

1
/opt/opensearch/                 # Main installation directory
2
├── config/                      # Configuration files
3
│   ├── opensearch.yml          # Main configuration
4
│   ├── jvm.options             # JVM settings
5
│   ├── log4j2.properties       # Logging configuration
6
│   └── opensearch-security/    # Security plugin configs
7
├── logs/                       # Log files
8
├── data/                       # Index data
9
└── plugins/                    # Installed plugins
10

11
/etc/systemd/system/opensearch.service  # Systemd service file
12
/var/log/opensearch/            # Alternative log location
13
/var/lib/opensearch/            # Alternative data location

Configuration#

1. Basic OpenSearch Configuration#

Edit /opt/opensearch/config/opensearch.yml:

1
# Cluster Settings
2
cluster.name: wazuh-cluster
3
node.name: wazuh-node-1
4

5
# Network Settings
6
network.host: 0.0.0.0
7
http.port: 9200
8
transport.port: 9300
9

10
# Discovery Settings (for single node)
11
discovery.type: single-node
12

13
# Path Settings
14
path.data: /var/lib/opensearch
15
path.logs: /var/log/opensearch
16

17
# Memory Lock
18
bootstrap.memory_lock: true
19

20
# Security Settings
21
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
22
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
23
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
24
plugins.security.ssl.transport.enforce_hostname_verification: false
25
plugins.security.ssl.http.enabled: true
26
plugins.security.ssl.http.pemcert_filepath: esnode.pem
27
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
28
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
29
plugins.security.allow_unsafe_democertificates: true
30
plugins.security.allow_default_init_securityindex: true
31
plugins.security.authcz.admin_dn:
32
  - CN=admin,OU=UNIT,O=ORG,L=CITY,ST=STATE,C=US
33
plugins.security.audit.type: internal_opensearch
34
plugins.security.enable_snapshot_restore_privilege: true
35
plugins.security.check_snapshot_restore_write_privileges: true
36
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
37
plugins.security.system_indices.enabled: true
38
plugins.security.system_indices.indices: [".opendistro-*", ".opensearch-*", ".kibana*", ".wazuh*"]

2. JVM Configuration#

Edit /opt/opensearch/config/jvm.options:

1
# Heap size (set to 50% of available RAM, max 32GB)
2
-Xms8g
3
-Xmx8g
4

5
# GC configuration
6
-XX:+UseG1GC
7
-XX:G1ReservePercent=25
8
-XX:InitiatingHeapOccupancyPercent=30
9

10
# GC logging
11
-XX:+PrintGCDetails
12
-XX:+PrintGCDateStamps
13
-XX:+PrintTenuringDistribution
14
-XX:+PrintGCApplicationStoppedTime
15

16
# Error handling
17
-XX:+ExitOnOutOfMemoryError

3. Systemd Service Configuration#

Create /etc/systemd/system/opensearch.service:

1
[Unit]
2
Description=OpenSearch
3
Documentation=https://opensearch.org/docs/
4
Wants=network-online.target
5
After=network-online.target
6

7
[Service]
8
Type=notify
9
RuntimeDirectory=opensearch
10
PrivateTmp=true
11
Environment=OPENSEARCH_HOME=/opt/opensearch
12
Environment=OPENSEARCH_PATH_CONF=/opt/opensearch/config
13
Environment=JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
14

15
WorkingDirectory=/opt/opensearch
16

17
User=opensearch
18
Group=opensearch
19

20
ExecStart=/opt/opensearch/bin/opensearch
21

22
StandardOutput=journal
23
StandardError=inherit
24

25
LimitNOFILE=65536
26
LimitNPROC=4096
27
LimitAS=infinity
28
LimitFSIZE=infinity
29
LimitMEMLOCK=infinity
30

31
TimeoutStopSec=0
32
KillSignal=SIGTERM
33
KillMode=process
34
SendSIGKILL=no
35
SuccessExitStatus=143
36

37
[Install]
38
WantedBy=multi-user.target

Enable and start the service:

1
sudo systemctl daemon-reload
2
sudo systemctl enable opensearch
3
sudo systemctl start opensearch

Security Configuration#

1. Generate SSL Certificates#

1
#!/bin/bash
2
# Generate SSL certificates for OpenSearch
3

4
cd /opt/opensearch/config/
5

6
# Generate root CA
7
openssl genrsa -out root-ca-key.pem 2048
8
openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -days 730 \
9
    -subj "/C=US/ST=STATE/L=CITY/O=ORG/OU=UNIT/CN=root"
10

11
# Generate admin cert
12
openssl genrsa -out admin-key-temp.pem 2048
13
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
14
openssl req -new -key admin-key.pem -out admin.csr \
15
    -subj "/C=US/ST=STATE/L=CITY/O=ORG/OU=UNIT/CN=admin"
16
openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730
17

18
# Generate node cert
19
openssl genrsa -out esnode-key-temp.pem 2048
20
openssl pkcs8 -inform PEM -outform PEM -in esnode-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out esnode-key.pem
21
openssl req -new -key esnode-key.pem -out esnode.csr \
22
    -subj "/C=US/ST=STATE/L=CITY/O=ORG/OU=UNIT/CN=node1"
23
openssl x509 -req -in esnode.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out esnode.pem -days 730
24

25
# Clean up
26
rm admin-key-temp.pem esnode-key-temp.pem admin.csr esnode.csr
27

28
# Set permissions
29
chown opensearch:opensearch *.pem
30
chmod 600 *-key.pem
31
chmod 644 *.pem

2. Initialize Security#

1
cd /opt/opensearch/plugins/opensearch-security/tools/
2
sudo -u opensearch ./securityadmin.sh -cd ../securityconfig/ -icl -nhnv \
3
    -cacert /opt/opensearch/config/root-ca.pem \
4
    -cert /opt/opensearch/config/admin.pem \
5
    -key /opt/opensearch/config/admin-key.pem

3. Create Wazuh User#

1
# Generate password hash
2
WAZUH_PASSWORD="MySecurePassword123!"
3
HASH=$(sh /opt/opensearch/plugins/opensearch-security/tools/hash.sh -p "$WAZUH_PASSWORD")
4

5
# Create internal user
6
curl -XPUT https://localhost:9200/_plugins/_security/api/internalusers/wazuh \
7
    -u admin:admin \
8
    -k \
9
    -H 'Content-Type: application/json' \
10
    -d '{
11
  "password": "'$WAZUH_PASSWORD'",
12
  "backend_roles": ["wazuh_admin"],
13
  "attributes": {
14
    "attribute1": "value1"
15
  }
16
}'
17

18
# Create role
19
curl -XPUT https://localhost:9200/_plugins/_security/api/roles/wazuh_admin \
20
    -u admin:admin \
21
    -k \
22
    -H 'Content-Type: application/json' \
23
    -d '{
24
  "cluster_permissions": ["cluster_all"],
25
  "index_permissions": [{
26
    "index_patterns": ["wazuh-*", ".wazuh*"],
27
    "allowed_actions": ["indices_all"]
28
  }]
29
}'
30

31
# Map user to role
32
curl -XPUT https://localhost:9200/_plugins/_security/api/rolesmapping/wazuh_admin \
33
    -u admin:admin \
34
    -k \
35
    -H 'Content-Type: application/json' \
36
    -d '{
37
  "backend_roles": ["wazuh_admin"],
38
  "users": ["wazuh"]
39
}'

Performance Tuning#

1. Index Settings#

1
# Create index template for Wazuh indices
2
curl -XPUT https://localhost:9200/_index_template/wazuh-template \
3
    -u admin:admin \
4
    -k \
5
    -H 'Content-Type: application/json' \
6
    -d '{
7
  "index_patterns": ["wazuh-alerts-*", "wazuh-archives-*"],
8
  "template": {
9
    "settings": {
10
      "index": {
11
        "number_of_shards": 3,
12
        "number_of_replicas": 0,
13
        "refresh_interval": "5s",
14
        "translog.durability": "async",
15
        "translog.sync_interval": "5s",
16
        "codec": "best_compression"
17
      }
18
    },
19
    "mappings": {
20
      "dynamic_templates": [{
21
        "strings_as_keywords": {
22
          "match_mapping_type": "string",
23
          "mapping": {
24
            "type": "keyword",
25
            "ignore_above": 1024
26
          }
27
        }
28
      }]
29
    }
30
  },
31
  "priority": 1
32
}'

2. Shard Allocation Settings#

1
# Configure shard allocation
2
curl -XPUT https://localhost:9200/_cluster/settings \
3
    -u admin:admin \
4
    -k \
5
    -H 'Content-Type: application/json' \
6
    -d '{
7
  "persistent": {
8
    "cluster.routing.allocation.disk.threshold_enabled": true,
9
    "cluster.routing.allocation.disk.watermark.low": "85%",
10
    "cluster.routing.allocation.disk.watermark.high": "90%",
11
    "cluster.routing.allocation.disk.watermark.flood_stage": "95%",
12
    "indices.breaker.total.limit": "75%",
13
    "indices.breaker.request.limit": "60%",
14
    "indices.breaker.fielddata.limit": "40%"
15
  }
16
}'

Monitoring and Health Checks#

1. Cluster Health Script#

Create /opt/opensearch/scripts/health_check.sh:

1
#!/bin/bash
2
# OpenSearch Health Check Script
3

4
OPENSEARCH_URL="https://localhost:9200"
5
AUTH="admin:admin"
6

7
echo "=== OpenSearch Cluster Health ==="
8
curl -s -k -u $AUTH "$OPENSEARCH_URL/_cluster/health?pretty"
9

10
echo -e "\n=== Node Statistics ==="
11
curl -s -k -u $AUTH "$OPENSEARCH_URL/_nodes/stats/os,jvm,indices?pretty" | \
12
    jq '.nodes[] | {
13
        name: .name,
14
        cpu_percent: .os.cpu.percent,
15
        memory_used_percent: .os.mem.used_percent,
16
        heap_used_percent: .jvm.mem.heap_used_percent,
17
        disk_used: .indices.store.size_in_bytes
18
    }'
19

20
echo -e "\n=== Index Statistics ==="
21
curl -s -k -u $AUTH "$OPENSEARCH_URL/_cat/indices?v&h=index,docs.count,store.size,health,status&s=index"
22

23
echo -e "\n=== Pending Tasks ==="
24
curl -s -k -u $AUTH "$OPENSEARCH_URL/_cluster/pending_tasks?pretty"
25

26
echo -e "\n=== Thread Pool Stats ==="
27
curl -s -k -u $AUTH "$OPENSEARCH_URL/_cat/thread_pool?v&h=name,active,queue,rejected"

2. Automated Monitoring#

Create /opt/opensearch/scripts/monitor.py:

1
#!/usr/bin/env python3
2
import requests
3
import json
4
import smtplib
5
from email.mime.text import MIMEText
6
from datetime import datetime
7
import urllib3
8
urllib3.disable_warnings()
9

10
# Configuration
11
OPENSEARCH_URL = "https://localhost:9200"
12
AUTH = ("admin", "admin")
13
THRESHOLDS = {
14
    "heap_percent": 85,
15
    "disk_percent": 85,
16
    "cpu_percent": 90
17
}
18
ALERT_EMAIL = "admin@example.com"
19
SMTP_SERVER = "localhost"
20

21
def check_cluster_health():
22
    response = requests.get(
23
        f"{OPENSEARCH_URL}/_cluster/health",
24
        auth=AUTH,
25
        verify=False
26
    )
27
    health = response.json()
28

29
    alerts = []
30
    if health['status'] != 'green':
31
        alerts.append(f"Cluster status is {health['status']}")
32

33
    return alerts
34

35
def check_node_stats():
36
    response = requests.get(
37
        f"{OPENSEARCH_URL}/_nodes/stats",
38
        auth=AUTH,
39
        verify=False
40
    )
41
    stats = response.json()
42

43
    alerts = []
44
    for node_id, node in stats['nodes'].items():
45
        name = node['name']
46
        heap_percent = node['jvm']['mem']['heap_used_percent']
47

48
        if heap_percent > THRESHOLDS['heap_percent']:
49
            alerts.append(f"Node {name}: Heap usage is {heap_percent}%")
50

51
    return alerts
52

53
def send_alerts(alerts):
54
    if not alerts:
55
        return
56

57
    body = "OpenSearch Alerts:\n\n" + "\n".join(alerts)
58
    msg = MIMEText(body)
59
    msg['Subject'] = f"OpenSearch Alert - {datetime.now()}"
60
    msg['From'] = "opensearch@example.com"
61
    msg['To'] = ALERT_EMAIL
62

63
    with smtplib.SMTP(SMTP_SERVER) as s:
64
        s.send_message(msg)
65

66
if __name__ == "__main__":
67
    all_alerts = []
68
    all_alerts.extend(check_cluster_health())
69
    all_alerts.extend(check_node_stats())
70

71
    if all_alerts:
72
        print("Alerts found:")
73
        for alert in all_alerts:
74
            print(f"  - {alert}")
75
        send_alerts(all_alerts)
76
    else:
77
        print("All checks passed")

Backup and Recovery#

1. Snapshot Repository Setup#

1
# Create snapshot repository
2
curl -XPUT https://localhost:9200/_snapshot/wazuh_backup \
3
    -u admin:admin \
4
    -k \
5
    -H 'Content-Type: application/json' \
6
    -d '{
7
  "type": "fs",
8
  "settings": {
9
    "location": "/var/lib/opensearch/snapshots",
10
    "compress": true
11
  }
12
}'
13

14
# Create snapshot directory
15
sudo mkdir -p /var/lib/opensearch/snapshots
16
sudo chown opensearch:opensearch /var/lib/opensearch/snapshots

2. Automated Backup Script#

Create /opt/opensearch/scripts/backup.sh:

1
#!/bin/bash
2
# OpenSearch Backup Script
3

4
OPENSEARCH_URL="https://localhost:9200"
5
AUTH="admin:admin"
6
REPO_NAME="wazuh_backup"
7
SNAPSHOT_NAME="snapshot_$(date +%Y%m%d_%H%M%S)"
8
RETENTION_DAYS=7
9

10
echo "Creating snapshot: $SNAPSHOT_NAME"
11

12
# Create snapshot
13
curl -XPUT "$OPENSEARCH_URL/_snapshot/$REPO_NAME/$SNAPSHOT_NAME?wait_for_completion=false" \
14
    -u $AUTH \
15
    -k \
16
    -H 'Content-Type: application/json' \
17
    -d '{
18
  "indices": "wazuh-*",
19
  "ignore_unavailable": true,
20
  "include_global_state": false
21
}'
22

23
# Check snapshot status
24
sleep 5
25
while true; do
26
    STATUS=$(curl -s -k -u $AUTH "$OPENSEARCH_URL/_snapshot/$REPO_NAME/$SNAPSHOT_NAME" | \
27
        jq -r '.snapshots[0].state')
28

29
    if [ "$STATUS" = "SUCCESS" ]; then
30
        echo "Snapshot completed successfully"
31
        break
32
    elif [ "$STATUS" = "FAILED" ]; then
33
        echo "Snapshot failed!"
34
        exit 1
35
    else
36
        echo "Snapshot in progress..."
37
        sleep 10
38
    fi
39
done
40

41
# Clean up old snapshots
42
echo "Cleaning up old snapshots..."
43
CUTOFF_DATE=$(date -d "$RETENTION_DAYS days ago" +%Y%m%d)
44

45
curl -s -k -u $AUTH "$OPENSEARCH_URL/_snapshot/$REPO_NAME/_all" | \
46
    jq -r '.snapshots[].snapshot' | \
47
    while read snapshot; do
48
        SNAPSHOT_DATE=$(echo $snapshot | grep -oP 'snapshot_\K\d{8}')
49
        if [ "$SNAPSHOT_DATE" -lt "$CUTOFF_DATE" ]; then
50
            echo "Deleting old snapshot: $snapshot"
51
            curl -XDELETE "$OPENSEARCH_URL/_snapshot/$REPO_NAME/$snapshot" \
52
                -u $AUTH -k
53
        fi
54
    done

3. Restore Procedure#

1
# List available snapshots
2
curl -s -k -u admin:admin \
3
    "https://localhost:9200/_snapshot/wazuh_backup/_all?pretty"
4

5
# Restore specific snapshot
6
curl -XPOST "https://localhost:9200/_snapshot/wazuh_backup/snapshot_20250105_120000/_restore" \
7
    -u admin:admin \
8
    -k \
9
    -H 'Content-Type: application/json' \
10
    -d '{
11
  "indices": "wazuh-alerts-*",
12
  "ignore_unavailable": true,
13
  "include_global_state": false,
14
  "rename_pattern": "(.+)",
15
  "rename_replacement": "restored_$1"
16
}'

Troubleshooting#

Common Issues and Solutions#

High Memory Usage

1
# Check memory usage
2
curl -s -k -u admin:admin \
3
    "https://localhost:9200/_nodes/stats/jvm?pretty" | \
4
    jq '.nodes[].jvm.mem'
5

6
# Clear field data cache
7
curl -XPOST -k -u admin:admin \
8
    "https://localhost:9200/_cache/clear?fielddata=true"

Slow Queries

1
# Enable slow log
2
curl -XPUT "https://localhost:9200/wazuh-alerts-*/_settings" \
3
    -u admin:admin -k \
4
    -H 'Content-Type: application/json' \
5
    -d '{
6
  "index.search.slowlog.threshold.query.warn": "10s",
7
  "index.search.slowlog.threshold.query.info": "5s",
8
  "index.search.slowlog.threshold.query.debug": "2s",
9
  "index.search.slowlog.level": "info"
10
}'

Disk Space Issues

1
# Check disk usage
2
curl -s -k -u admin:admin \
3
    "https://localhost:9200/_cat/allocation?v&h=node,disk.used,disk.avail,disk.percent"
4

5
# Force merge old indices
6
curl -XPOST -k -u admin:admin \
7
    "https://localhost:9200/wazuh-alerts-4.x-2024.*/_forcemerge?max_num_segments=1"

Log Locations#

OpenSearch logs: /var/log/opensearch/wazuh-cluster.log
GC logs: /var/log/opensearch/gc.log
Slow logs: /var/log/opensearch/wazuh-cluster_index_search_slowlog.log

Integration with Wazuh#

Configure Wazuh Manager#

Edit /var/ossec/etc/ossec.conf:

1
<ossec_config>
2
  <indexer>
3
    <enabled>yes</enabled>
4
    <hosts>
5
      <host>https://your-opensearch-host:9200</host>
6
    </hosts>
7
    <username>wazuh</username>
8
    <password>MySecurePassword123!</password>
9
    <ssl>
10
      <certificate_authorities>
11
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
12
      </certificate_authorities>
13
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
14
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
15
    </ssl>
16
  </indexer>
17
</ossec_config>

Configure Filebeat#

Edit /etc/filebeat/filebeat.yml:

1
output.elasticsearch:
2
  hosts: ["https://your-opensearch-host:9200"]
3
  protocol: "https"
4
  username: "wazuh"
5
  password: "MySecurePassword123!"
6
  ssl.certificate_authorities: ["/etc/filebeat/certs/root-ca.pem"]
7
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
8
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
9
  ssl.verification_mode: "none"

Maintenance Tasks#

Daily Tasks#

Monitor cluster health and disk usage
Check for failed shards
Review slow query logs

Weekly Tasks#

Analyze index patterns and optimize mappings
Review and update index lifecycle policies
Check backup success rate

Monthly Tasks#

Update OpenSearch and plugins
Review and optimize JVM settings
Audit user permissions and access logs
Performance benchmarking

Conclusion#

This guide provides a comprehensive approach to deploying and managing OpenSearch as a Wazuh indexer. Regular monitoring, proper backup procedures, and performance optimization are key to maintaining a healthy and efficient SIEM infrastructure.

For more information, refer to: