How To Install Wazuh on Debian 13

Cyber threats are evolving faster than ever. Whether you manage a single server or an entire network, having a real-time security monitoring system in place is no longer optional — it is essential. Wazuh is one of the most powerful free and open-source security platforms available today, combining SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) into one unified solution. This guide walks through exactly how to install Wazuh on Debian 13 “Trixie,” from system preparation to a fully operational dashboard.

What Is Wazuh?

Wazuh is a free, open-source unified security platform designed to protect workloads across on-premises, cloud, containerized, and virtualized environments. It brings together threat detection, log analysis, file integrity monitoring (FIM), vulnerability scanning, and regulatory compliance into a single, cohesive platform.

Unlike commercial SIEM tools that can cost thousands per year, Wazuh delivers enterprise-grade capabilities at no cost. It is actively maintained, thoroughly documented, and trusted by organizations ranging from small businesses to large enterprises.

  • Intrusion detection and prevention — identifies malicious activity in real time
  • Log data analysis — collects and correlates logs from all monitored endpoints
  • File integrity monitoring (FIM) — tracks unauthorized changes to critical system files
  • Vulnerability detection — cross-references installed packages against CVE databases
  • Regulatory compliance — supports PCI DSS, HIPAA, GDPR, and more
  • Active response — automatically blocks or remediates threats based on triggered rules

Why Install Wazuh on Debian 13?

Debian 13 “Trixie,” officially released in August 2025, is a strong foundation for any production server workload. It ships with Linux Kernel 6.12 with PREEMPT_RT support — making it exceptionally stable for long-running, resource-intensive services like Wazuh.

The new APT 3.0 with Solver3 dependency resolution engine ensures cleaner, more reliable package installations. Under-the-hood security hardening — including Intel CET, ARM PAC/BTI, and ROP/JOP protection — complements Wazuh’s monitoring goals perfectly. The combination of a hardened OS and a proactive open-source security monitoring platform creates an ideal cybersecurity environment.

Understanding Wazuh Core Components

Before beginning the installation, it helps to understand what gets installed and why. Wazuh’s architecture consists of three central server-side components and one lightweight agent.

Wazuh Indexer

The Wazuh Indexer stores and indexes all security alerts and events. It is based on OpenSearch and can be deployed as a single node or in a multi-node cluster for high availability. Think of it as the database layer of the entire platform.

Wazuh Manager (Server)

The Wazuh Manager is the processing engine. It receives raw data from deployed agents, runs detection rules, correlates events, and generates alerts. Built on the OSSEC engine, it is the brain of the entire security operation.

Wazuh Dashboard

The Wazuh Dashboard is the web-based interface built on OpenSearch Dashboards. It provides a clean UI for visualizing security events, managing agents, customizing detection rules, and interacting with the Wazuh REST API — all from a browser.

Wazuh Agent

The Wazuh Agent is a lightweight client installed on monitored endpoints. It supports Linux, Windows, and macOS. The agent collects logs, runs configuration assessments, monitors file integrity, and reports everything back to the Wazuh Manager.

This guide covers the All-in-One (AIO) deployment — all three central components installed on a single Debian 13 server. This setup is suitable for monitoring up to 100 endpoints.

Prerequisites and System Requirements

Getting the environment right before running a single command will save significant time and headache later.

Hardware Requirements

Resource     | Minimum                  | Recommended
RAM          | 4 GB                     | 8–16 GB
CPU Cores    | 2                        | 4–8
Disk Space   | 50 GB                    | 100 GB+
Architecture | 64-bit (x86_64 or ARM64) | 64-bit

The 50 GB minimum covers approximately 90 days of indexed alert data for up to 100 agents. Scale storage accordingly for larger deployments or longer retention periods.

Software Requirements

  • Debian 13 “Trixie” — freshly installed with a base configuration
  • Root or sudo privileges on the system
  • Active internet connection for downloading packages
  • curl installed (usually available by default on Debian)

Required Open Ports

Port  | Protocol | Purpose
443   | HTTPS    | Wazuh Dashboard web access
9200  | HTTPS    | Wazuh Indexer API
1514  | TCP/UDP  | Agent-to-Manager communication
1515  | TCP      | Automatic agent enrollment
55000 | TCP      | Wazuh Manager REST API

Step 1 — Update and Upgrade Debian 13

Always begin with a fully updated system. This prevents dependency conflicts during the Wazuh installation process.

sudo apt update && sudo apt upgrade -y

Once complete, verify the Debian version to confirm you are running Trixie:

lsb_release -a

If a kernel update was applied, reboot the server before continuing:

sudo reboot

Step 2 — Install Required Dependencies

Wazuh requires several system libraries and utilities to function correctly. Install them all in a single command:

sudo apt install -y curl apt-transport-https gnupg2 wget unzip \
libcap2-bin software-properties-common lsb-release debhelper

Here is what each package does:

  • curl / wget — download Wazuh scripts and configuration files
  • gnupg2 — verifies the GPG signature of the Wazuh repository
  • apt-transport-https — allows APT to fetch packages over HTTPS
  • libcap2-bin — required specifically by the Wazuh Indexer component
  • debhelper — assists with Debian package build and configuration routines

Confirm no errors are reported before moving forward.

Step 3 — Add the Wazuh APT Repository

Wazuh maintains its own signed APT repository. Adding it ensures access to the latest stable releases directly from the source.

Import the official Wazuh GPG signing key:

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | \
sudo gpg --dearmor -o /usr/share/keyrings/wazuh.gpg

Add the Wazuh repository to APT sources:

echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] \
https://packages.wazuh.com/4.x/apt/ stable main" | \
sudo tee /etc/apt/sources.list.d/wazuh.list

Refresh the package cache to pull in the new repository index:

sudo apt update

With the signed-by option, APT installs packages from this repository only if the repository's release metadata verifies against the imported Wazuh key, so an unsigned or third-party build is rejected.

Step 4 — Download the Wazuh Installation Script

For all-in-one deployments, the official wazuh-install.sh script handles the entire setup automatically. Download and prepare it:

curl -sO https://packages.wazuh.com/4.x/wazuh-install.sh
chmod 744 wazuh-install.sh

Before executing, optionally review the script contents for transparency:

less wazuh-install.sh

Reviewing third-party scripts before running them as root is a sound security practice — even for trusted sources.

Step 5 — Run the All-in-One Wazuh Installation

This is the core installation step. The -a flag triggers the all-in-one deployment, which installs and configures the Wazuh Indexer, Wazuh Manager, Filebeat, and Wazuh Dashboard in sequence:

sudo bash ./wazuh-install.sh -a

The script performs the following actions automatically:

  • Generates SSL/TLS certificates for all components
  • Installs and configures the Wazuh Indexer (OpenSearch-based)
  • Installs and configures the Wazuh Manager (OSSEC-based engine)
  • Installs and configures Filebeat for log forwarding
  • Installs and configures the Wazuh Dashboard (port 443 HTTPS)
  • Initializes the internal security system and user database

Installation typically takes 10 to 20 minutes depending on available system resources. Once complete, the terminal will display the admin credentials. Save these immediately. They are also stored at:

/root/wazuh-install-files.tar

To retrieve the admin password at any time after installation:

sudo tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "'admin'" -A 1

If a port conflict exists on 443, append -p <custom-port> to the installation command.

Step 6 — (Advanced) Install Wazuh Indexer Manually

For users who prefer granular control — or plan to scale to a multi-node cluster — the manual installation method offers more flexibility.

sudo apt install wazuh-indexer

Download the certificate generation tool and its configuration template:

curl -sO https://packages.wazuh.com/4.x/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.x/config.yml

Edit config.yml to set the correct node name and IP address, then generate certificates:

sudo bash ./wazuh-certs-tool.sh -A

Configure /etc/wazuh-indexer/opensearch.yml with the node IP, then initialize and start the service:

sudo systemctl enable --now wazuh-indexer
sudo /usr/share/wazuh-indexer/bin/indexer-security-init.sh

Step 7 — (Advanced) Install Wazuh Manager and Filebeat

Install the Wazuh Manager, which serves as the central processing and alert engine:

sudo apt install wazuh-manager
sudo systemctl enable --now wazuh-manager

Install Filebeat and configure it to forward processed alerts from the Manager to the Indexer:

sudo apt install filebeat
sudo curl -so /etc/filebeat/filebeat.yml \
https://packages.wazuh.com/4.x/tpl/wazuh/filebeat/filebeat.yml
sudo filebeat modules enable wazuh
sudo systemctl enable --now filebeat

Step 8 — (Advanced) Install Wazuh Dashboard

Install the Wazuh Dashboard package:

sudo apt install wazuh-dashboard

Edit the dashboard configuration file at /etc/wazuh-dashboard/opensearch_dashboards.yml. Set opensearch.hosts to the Indexer’s IP and port 9200, and set server.host to 0.0.0.0 or the server’s IP address. Deploy the SSL certificate generated earlier, then start the service:

sudo systemctl enable --now wazuh-dashboard

The Wazuh Dashboard listens on port 443 over HTTPS by default.

Step 9 — Start and Enable All Wazuh Services

Whether using the automated script or the manual approach, reload systemd and confirm all services are active:

sudo systemctl daemon-reload
sudo systemctl status wazuh-indexer wazuh-manager filebeat wazuh-dashboard

All four services should report active (running) status. If any service has failed, check the journal immediately:

journalctl -xe -u wazuh-manager

Verifying the Installation

Check that all required ports are listening correctly:

ss -tlnp | grep -E '443|9200|1514|1515|55000'
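
The grep above matches substrings, so a listener on port 14430 would satisfy the 443 check. The following added example (not part of the original guide and not Wazuh project code) parses ss -tln output, matches the required ports exactly, and lists which of them are bound to every interface; the sample output in it is constructed.

```shell
#!/bin/sh
# Added example, not Wazuh project code. REQUIRED_PORTS is the port table
# from this guide; SAMPLE_SS is constructed output, not from a real host.
# Live use: ss -tln | missing_ports
REQUIRED_PORTS="443 9200 1514 1515 55000"

# Print each listening TCP port once. Column 4 of `ss -tln` is
# "Local Address:Port"; the port follows the last colon, which also
# covers IPv6 and wildcard forms such as [::]:443 and *:1515.
listening_ports() {
  awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print every required port with no listener (whole-line match, so a
# listener on 14430 does not count as 443).
missing_ports() {
  have=$(listening_ports)
  for port in $REQUIRED_PORTS; do
    printf '%s\n' "$have" | grep -qx "$port" || echo "$port"
  done
}

# Print required ports bound to a wildcard address (0.0.0.0, * or [::]),
# i.e. reachable on every interface unless a firewall restricts them.
wildcard_bound() {
  awk -v req="$REQUIRED_PORTS" '
    BEGIN { n = split(req, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
    $1 == "LISTEN" {
      k = split($4, a, ":"); port = a[k]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if ((addr == "0.0.0.0" || addr == "*" || addr == "[::]") && (port in want)) print port
    }' | sort -un
}

# Constructed sample: the dashboard ended up on 14430 instead of 443.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096         0.0.0.0:14430     0.0.0.0:*
LISTEN 0      4096       127.0.0.1:9200      0.0.0.0:*
LISTEN 0      128          0.0.0.0:1514      0.0.0.0:*
LISTEN 0      128                *:1515            *:*
LISTEN 0      128             [::]:55000        [::]:*'

echo "missing:  $(printf '%s\n' "$SAMPLE_SS" | missing_ports | xargs)"
echo "wildcard: $(printf '%s\n' "$SAMPLE_SS" | wildcard_bound | xargs)"
```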

Test the Wazuh Indexer API directly to confirm it is healthy and responding:

curl -k -u admin:<your-password> https://localhost:9200

A JSON response containing cluster and node information confirms a successful installation. Review the Manager’s operational log for any warnings:

tail -f /var/ossec/logs/ossec.log

Accessing the Wazuh Dashboard

Open a browser and navigate to your server’s IP address over HTTPS:

https://<your-server-ip>

A browser warning about a self-signed certificate is expected. Click Advanced > Accept the Risk and Continue (or equivalent in your browser). Log in using the admin credentials retrieved during installation. On first login, Wazuh verifies API and service connectivity before loading the main dashboard.

The dashboard overview displays real-time security event counts, agent status summaries, active threat detections, and top-triggered detection rules — all at a glance.

Deploying a Wazuh Agent on a Debian Endpoint

With the server running, the next step is connecting endpoints. From the Dashboard, navigate to Agents > Deploy New Agent, select DEB (Debian/Ubuntu), choose the architecture, and enter the Wazuh Manager IP. Copy the generated one-liner and run it on the target endpoint:

sudo WAZUH_MANAGER="<server-ip>" apt install wazuh-agent

For manual enrollment, install the agent, then configure the server address in the agent config:

sudo sed -i 's/MANAGER_IP/<server-ip>/' /var/ossec/etc/ossec.conf

Enroll the agent with the manager:

sudo /var/ossec/bin/agent-auth -m <server-ip>

Enable and start the agent service:

sudo systemctl enable --now wazuh-agent

Verify it connected successfully:

tail -f /var/ossec/logs/ossec.log | grep "Connected"

The agent should appear as Active in the Wazuh Dashboard within a few seconds. For large-scale deployments, Wazuh supports two official enrollment methods: enrollment via agent configuration (recommended) and enrollment via the Manager REST API.

Post-Installation Best Practices

A working installation is just the starting point. Harden and maintain it properly:

  • Change the default admin password — navigate to Dashboard > Security > Internal Users and update the admin password immediately
  • Configure UFW firewall — allow only the required ports, then turn the firewall on with sudo ufw enable; UFW's default policy denies all other incoming traffic
  • Schedule regular backups — back up /var/ossec/ and Wazuh Indexer snapshots periodically
  • Enable email alerting — configure SMTP in /var/ossec/etc/ossec.conf under the <global> block for real-time threat notifications
  • Keep Wazuh updated — run upgrades regularly to stay ahead of newly discovered vulnerabilities:
sudo apt update && sudo apt install --only-upgrade \
wazuh-manager wazuh-indexer wazuh-dashboard
  • Monitor disk usage — plan storage allocation carefully based on the number of agents, alert volume, and retention policy
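
The firewall item above, worked through for this guide's port table as an added example (not from the original guide or the Wazuh project). The two source networks and the SSH port are placeholder assumptions, and it assumes the all-in-one layout, where ports 9200 and 55000 are used only on the server itself and so get no rule.

```shell
#!/bin/sh
# Added example, not Wazuh project code: prints a UFW rule plan for the
# all-in-one server so it can be reviewed before anything is applied.
# ADMIN_NET and AGENT_NET are placeholder networks; replace them.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"      # where analysts connect from
AGENT_NET="${AGENT_NET:-198.51.100.0/24}"   # where monitored endpoints live

# Accept only an IPv4 CIDR, so an empty or "any" value cannot widen a rule.
is_cidr() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the ufw commands instead of running them.
ufw_plan() {
  is_cidr "$ADMIN_NET" && is_cidr "$AGENT_NET" || { echo "bad CIDR" >&2; return 1; }
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  # Allow SSH (assumed on port 22) before enabling, or a remote session is cut off.
  echo "ufw allow from $ADMIN_NET to any port 22 proto tcp"
  echo "ufw allow from $ADMIN_NET to any port 443 proto tcp"    # dashboard
  # Agents use TCP by default; add a udp rule only if the manager is set to udp.
  echo "ufw allow from $AGENT_NET to any port 1514 proto tcp"   # agent events
  echo "ufw allow from $AGENT_NET to any port 1515 proto tcp"   # enrollment
  # No rule for 9200 or 55000: assumed to be reached only from this host.
  echo "ufw --force enable"
}

ufw_plan
```

After reviewing the printed plan, run the same commands with sudo on the Wazuh server. If the Indexer or Manager API must be reached from another host, add a rule for that single source address rather than opening the port to everyone.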

Troubleshooting Common Issues

Problem | Solution
Dependency errors during install | Run sudo apt --fix-broken install; ensure libcap2-bin and debhelper are present
Service fails to start | Check journalctl -xe and /var/ossec/logs/ossec.log for specific error messages
Port conflict on 443 or 9200 | Use ss -tlnp to identify the conflicting service; stop or reconfigure it
Dashboard unreachable | Run sudo ufw allow 443/tcp and confirm the dashboard service is active
Agent not connecting | Open ports 1514 and 1515 on the server firewall; check agent logs at /var/ossec/logs/ossec.log
TLS or certificate errors | Regenerate certificates using bash ./wazuh-certs-tool.sh -A and redeploy to all components
wazuh-install-files.tar not found | Re-run the install script with sudo bash ./wazuh-install.sh -g to regenerate config files

Congratulations! You have successfully installed Wazuh. Thanks for using this tutorial for installing Wazuh on your Debian 13 “Trixie” system. For additional help or useful information, we recommend you check the official Wazuh website.

r00t
