The Wazuh indexer is a highly scalable, full-text search and analytics engine. This Wazuh central component indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities.
The Wazuh indexer stores data as JSON documents. Each document maps a set of keys (field names or properties) to their corresponding values, which can be strings, numbers, booleans, dates, arrays of values, geolocations, or other types of data.
An index is a collection of documents that are related to each other. The documents stored in the Wazuh indexer are distributed across different containers known as shards. By distributing the documents across multiple shards, and distributing those shards across multiple nodes, the Wazuh indexer can ensure redundancy.
Wazuh uses four different indices to store different event types:
| Index | Description |
|---|---|
| wazuh-alerts | Stores alerts generated by the Wazuh server. These are created each time an event trips a rule with a high enough priority (this threshold is configurable). |
| wazuh-archives | Stores all events (archive data) received by the Wazuh server, whether or not they trip a rule. |
| wazuh-monitoring | Stores data related to the Wazuh agent status over time. It is used by the web interface to represent when individual agents are or have been Active, Disconnected, or Never connected. |
| wazuh-statistics | Stores data related to the Wazuh server performance. It is used by the web interface to represent the performance statistics. |
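The following Python script is an added example, not code from the Wazuh project or this article. It illustrates the relationship between the archives and alerts indices described above: every event the server receives lands in the archives index, and the same event also becomes an alert document only when its rule level reaches the configured threshold. It also builds the search DSL body a defender would send to `wazuh-alerts-*/_search` to pull alerts above a given level in a time window. The sample events are constructed; the threshold value of 3 (the server's `log_alert_level` default), the daily index naming pattern `wazuh-alerts-4.x-YYYY.MM.DD`, and the field names `timestamp`, `rule.level`, and `agent.id` are assumptions based on the default Wazuh alert template.

```python
"""Added example (not Wazuh's own code): route raw events to the archives and
alerts indices, and build a search DSL query for the alerts index."""
import json
from datetime import datetime

# Assumption: the server's default alert threshold (<log_alert_level> in ossec.conf) is 3.
DEFAULT_ALERT_LEVEL = 3

# Constructed sample events, trimmed to the fields this example uses.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T10:15:00.000+0000",
     "rule": {"id": "5501", "level": 3, "description": "PAM: Login session opened."},
     "agent": {"id": "001", "name": "web-01"},
     "full_log": "pam_unix(sshd:session): session opened for user deploy"},
    {"timestamp": "2024-05-01T10:16:30.000+0000",
     "rule": {"id": "5710", "level": 5, "description": "sshd: Attempt to login using a non-existent user"},
     "agent": {"id": "001", "name": "web-01"},
     "full_log": "Invalid user admin from 198.51.100.7 port 40212"},
    {"timestamp": "2024-05-01T10:17:05.000+0000",
     "rule": {"id": "530", "level": 0, "description": "Agent started."},
     "agent": {"id": "002", "name": "db-01"},
     "full_log": "ossec: Agent started: 'db-01->any'."},
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def index_name(prefix, timestamp, version="4.x"):
    """Daily index name, e.g. wazuh-alerts-4.x-2024.05.01 (assumed naming pattern)."""
    day = datetime.strptime(timestamp, TS_FORMAT).strftime("%Y.%m.%d")
    return f"{prefix}-{version}-{day}"


def route_event(event, alert_level=DEFAULT_ALERT_LEVEL):
    """Return the indices an event is written to: always the archives index,
    plus the alerts index when rule.level meets the configured threshold."""
    targets = [index_name("wazuh-archives", event["timestamp"])]
    if event["rule"]["level"] >= alert_level:
        targets.append(index_name("wazuh-alerts", event["timestamp"]))
    return targets


def build_alert_query(min_level, start, end, agent_id=None, size=100):
    """Search DSL body for GET wazuh-alerts-*/_search: alerts at or above
    min_level inside [start, end], newest first, optionally for one agent."""
    filters = [
        {"range": {"rule.level": {"gte": min_level}}},
        {"range": {"timestamp": {"gte": start, "lte": end}}},
    ]
    if agent_id is not None:
        filters.append({"term": {"agent.id": agent_id}})
    return {"size": size,
            "sort": [{"timestamp": {"order": "desc"}}],
            "query": {"bool": {"filter": filters}}}


def apply_alert_query(docs, min_level, start, end, agent_id=None):
    """Evaluate the same filter locally over alert documents, so the query's
    semantics can be checked offline without an indexer node."""
    t0, t1 = (datetime.strptime(t, TS_FORMAT) for t in (start, end))
    hits = [d for d in docs
            if d["rule"]["level"] >= min_level
            and t0 <= datetime.strptime(d["timestamp"], TS_FORMAT) <= t1
            and (agent_id is None or d["agent"]["id"] == agent_id)]
    return sorted(hits, key=lambda d: d["timestamp"], reverse=True)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["rule"]["id"], "->", route_event(ev))
    body = build_alert_query(5, "2024-05-01T00:00:00.000+0000", "2024-05-02T00:00:00.000+0000")
    print(json.dumps(body, indent=2))
    alert_docs = [e for e in SAMPLE_EVENTS if len(route_event(e)) == 2]
    print([d["rule"]["id"] for d in apply_alert_query(alert_docs, 5, "2024-05-01T00:00:00.000+0000", "2024-05-02T00:00:00.000+0000")])
```

The threshold matters for both retention and detection: lowering it grows the alerts index, raising it means low-level events exist only in the archives index, so any query or dashboard that reads `wazuh-alerts-*` will not see them.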
The Wazuh indexer is well suited for time-sensitive use cases like security analytics and infrastructure monitoring as it is a near real-time search platform. The latency from the time a document is indexed until it becomes searchable is very short, typically one second.
In addition to its speed, scalability, and resiliency, the Wazuh indexer has several built-in features that make storing and searching data even more efficient, such as data rollups, alerting, anomaly detection, and index lifecycle management.