Overview

Wazuh Dashboard provides a powerful web interface for security monitoring, threat detection, and compliance management. This guide will help you get started with the dashboard and understand its core features.

What is Wazuh Dashboard?

Wazuh Dashboard is the visualization and management interface for the Wazuh security platform. It enables you to:
  • Monitor security events in real-time
  • Analyze threats and vulnerabilities
  • Manage agents across your infrastructure
  • Track compliance with regulatory standards
  • Visualize security data through interactive dashboards

First Steps

Step 1: Access the Dashboard

Navigate to your Wazuh Dashboard URL (typically https://your-server:443) and log in with your credentials.

The default credentials are:
  • Username: admin
  • Password: admin (change this immediately after first login)

Step 2: Understand the Layout

The dashboard interface consists of several key areas:
  • Top Navigation Bar: Access to global search, time picker, and user settings
  • Left Sidebar: Main navigation menu for modules and features
  • Main Content Area: Displays dashboards, visualizations, and data tables
  • Agent Selector: Quick access to switch between agents (when available)

Step 3: Configure Your First API Connection

Before you can view data, ensure your Wazuh API is properly configured:
  1. Go to Server Management > API Configuration
  2. Click Add new API
  3. Enter your API details:
    • Cluster/Manager name
    • URL (e.g., https://your-wazuh-manager:55000)
    • Port (default: 55000)
    • Username and password
  4. Click Save to test the connection

Step 4: Verify Index Patterns

Wazuh uses index patterns to access data:
  • wazuh-events-*: Default index pattern for security events
  • wazuh-states-*: Index patterns for agent state information
The dashboard automatically creates these patterns during initial setup.

The left sidebar organizes features into logical groups:

Manage your Wazuh server infrastructure:
  • Statistics: View server performance metrics
  • Cluster Management: Monitor cluster nodes and status
  • API Configuration: Configure API connections
  • Settings: Server and agent configuration

Monitor and control deployed agents:
  • Agents Overview: View all registered agents
  • Agent Summary: Detailed information for individual agents
  • Deploy New Agent: Wizard for agent deployment
  • Groups: Organize agents into logical groups

Security monitoring and analysis:
  • Security Events: Real-time security event stream
  • Threat Hunting: Advanced threat detection dashboards
  • Malware Detection: Monitor malware detection events
  • MITRE ATT&CK: Map detections to MITRE framework

Regulatory compliance modules:
  • PCI DSS: Payment Card Industry compliance
  • GDPR: General Data Protection Regulation
  • HIPAA: Healthcare compliance monitoring
  • NIST 800-53: NIST framework compliance
  • TSC: Trust Services Criteria

System monitoring and vulnerability management:
  • Vulnerability Detection: Identify security vulnerabilities
  • File Integrity Monitoring: Track file changes
  • Security Configuration Assessment: SCA policy monitoring
  • System Inventory: Hardware and software inventory

Cloud platform monitoring:
  • Amazon Web Services: AWS security monitoring
  • Google Cloud: GCP event analysis
  • Azure: Microsoft Azure monitoring
  • Office 365: Office 365 security events
  • GitHub: GitHub security monitoring
  • Docker: Container security monitoring

Using the Time Picker

The time picker in the top navigation bar controls the time range for all data displays:
  1. Click the time selector (shows current range, e.g., “Last 15 minutes”)
  2. Choose from quick ranges:
    • Last 15 minutes
    • Last 1 hour
    • Last 24 hours
    • Last 7 days
    • Last 30 days
  3. Or set a custom range with specific start and end times
  4. Enable Auto-refresh to update data automatically
The time picker affects all dashboards and visualizations. Always verify your time range when investigating specific events.

Search and Filter

Most views include a search bar powered by OpenSearch Query Language:
// Search for specific rule ID
rule.id:5503

// Search for events from a specific agent
agent.name:"web-server-01"

// Combine conditions
rule.level:>=10 AND rule.groups:"authentication_failed"

// Search within a field
data.srcip:192.168.1.*
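
The queries above are valid query-string syntax, and the time picker adds a range on top of whatever is typed in the search bar. The following added example (not from the Wazuh documentation or code base) builds an equivalent OpenSearch search body and quotes supplied values so they cannot change the query's logic; the `timestamp` time field and the helper names `term` and `build_search` are assumptions.

```python
import re

# Field names are restricted to dotted identifiers such as rule.id.
_FIELD = re.compile(r"[A-Za-z_][\w.]*")

# The time picker's quick ranges as OpenSearch date-math expressions.
QUICK_RANGES = {
    "Last 15 minutes": "now-15m",
    "Last 1 hour": "now-1h",
    "Last 24 hours": "now-24h",
    "Last 7 days": "now-7d",
    "Last 30 days": "now-30d",
}


def term(field: str, value: str) -> str:
    """Return field:"value" with the value kept inside one quoted phrase."""
    if not _FIELD.fullmatch(field):
        raise ValueError(f"unexpected field name: {field!r}")
    # Escape the backslash first, then the quote, so the value cannot
    # close the phrase and append its own AND/OR clauses.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}:"{escaped}"'


def build_search(query: str, quick_range: str,
                 time_field: str = "timestamp", size: int = 50) -> dict:
    """Combine a search-bar query and a time-picker range in one body."""
    return {
        "size": size,
        "sort": [{time_field: {"order": "desc"}}],
        "query": {"bool": {
            "must": [{"query_string": {"query": query}}],
            "filter": [{"range": {time_field: {
                "gte": QUICK_RANGES[quick_range], "lte": "now"}}}],
        }},
    }


if __name__ == "__main__":
    import json
    # Constructed input: the page's combined query plus an agent name.
    q = "rule.level:>=10 AND " + term("rule.groups", "authentication_failed")
    q += " AND " + term("agent.name", "web-server-01")
    print(json.dumps(build_search(q, "Last 24 hours"), indent=2))
```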

Applying Filters

Step 1: Click on a Value

In any data table or visualization, click on a value to see filter options.

Step 2: Choose Filter Action

  • Filter for value: Show only records with this value
  • Filter out value: Exclude records with this value
  • Exists: Show records where this field exists

Step 3: Manage Active Filters

Active filters appear below the search bar:
  • Click the X to remove a filter
  • Click the filter to edit or invert it
  • Use Disable to temporarily deactivate without removing

Working with Agents

Agent Selector

Many modules include an agent selector that allows you to:
  1. View All Agents: See aggregated data across your infrastructure
  2. Pin Specific Agent: Focus on a single agent’s data
  3. Switch Agents: Quickly change between agents

Agent Status Indicators

  • Active (green): Agent is connected and reporting
  • Disconnected (red): Agent is not communicating
  • Never Connected (gray): Agent registered but never connected
  • Pending (orange): Agent registration pending
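
To act on these states outside the dashboard, the added example below (not Wazuh's own code) triages an agent listing and orders the agents that are not reporting by severity. It assumes a Wazuh API style response with `status` and `lastKeepAlive` fields; the sample data is constructed, and the `stale` state is this example's own heuristic.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an agent listing (assumed fields:
# id, name, status, lastKeepAlive); not real data.
SAMPLE = {"data": {"affected_items": [
    {"id": "001", "name": "web-server-01", "status": "active",
     "lastKeepAlive": "2024-05-01T11:59:40+00:00"},
    {"id": "002", "name": "db-01", "status": "disconnected",
     "lastKeepAlive": "2024-04-28T03:12:00+00:00"},
    {"id": "003", "name": "build-07", "status": "never_connected"},
    {"id": "004", "name": "laptop-22", "status": "pending"},
    {"id": "005", "name": "cache-02", "status": "active",
     "lastKeepAlive": "2024-05-01T11:20:00+00:00"},
]}}

# Lower number = look at it first.
SEVERITY = {"disconnected": 0, "never_connected": 1, "pending": 2, "stale": 3}


def triage(listing, now, stale_after=timedelta(minutes=15)):
    """Return severity-sorted findings for agents that are not reporting."""
    findings = []
    for agent in listing["data"]["affected_items"]:
        state = agent.get("status", "unknown")
        seen = agent.get("lastKeepAlive")  # absent if never connected
        silent = now - datetime.fromisoformat(seen) if seen else None
        if state == "active":
            if silent is not None and silent <= stale_after:
                continue  # healthy: connected and recently heard from
            # Shown as active, but the last keep-alive is old or missing.
            state = "stale"
        findings.append({"id": agent["id"], "name": agent["name"],
                         "state": state, "silent_for": silent})
    findings.sort(key=lambda f: (SEVERITY.get(f["state"], 9), f["id"]))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    for f in triage(SAMPLE, now):
        print(f"{f['state']:<16}{f['id']}  {f['name']:<16}{f['silent_for']}")
```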

Customizing Your Experience

Dashboard Preferences

Configure your dashboard experience:
  1. Click your username in the top right
  2. Select Settings or Advanced Settings
  3. Adjust preferences:
    • Default time range
    • Refresh interval
    • Theme (light/dark)
    • Date format
    • Timezone

Saved Searches and Filters

Save frequently used searches:
  1. Configure your search and filters
  2. Click Save in the search bar
  3. Provide a descriptive name
  4. Load saved searches from the dropdown menu

Understanding Dashboards

Dashboard Components

Each module provides pre-built dashboards with:
  • Visualizations: Charts, graphs, and metrics
  • Data Tables: Detailed event listings
  • Statistics Panels: Key performance indicators
  • Heat Maps: Geographic or temporal patterns

Interacting with Visualizations

Click on any visualization element to automatically filter the entire dashboard:
  • Click a bar in a bar chart
  • Select a pie slice
  • Click a point on a line graph
Hover over visualization elements to see detailed tooltips with exact values and additional context.
Click the expand icon to view a visualization in full-screen mode for detailed analysis.
Use the export option to download visualization data in various formats (CSV, JSON).

Health Check and Troubleshooting

Wazuh Dashboard includes a health check system that monitors:
  • API Connectivity: Ensures server API is accessible
  • Index Patterns: Verifies index patterns are configured
  • Sample Data: Confirms data is flowing correctly
  • Notification Channels: Checks alerting configuration
If you see health check warnings or errors:
  1. Review the specific error message
  2. Check API configuration in Server Management
  3. Verify index patterns exist
  4. Ensure agents are connected and reporting
  5. Check server logs for detailed error information

Quick Tips for New Users

Start with Overview

Begin your investigation in the Overview section of each module to understand overall security posture before diving into details.

Use Time Context

Always set an appropriate time range for your investigation. Recent incidents require narrow ranges; trend analysis needs wider ranges.

Pin Important Agents

Use the agent selector to pin critical servers or workstations for focused monitoring.

Bookmark Useful Views

Add frequently used dashboards to your browser bookmarks for quick access.

Common Tasks Quick Reference

| Task | Navigation Path |
| --- | --- |
| View security events | Security Events > Dashboard |
| Check agent status | Agents > Overview |
| Deploy new agent | Agents > Deploy New Agent |
| Run threat hunt | Threat Hunting > Dashboard |
| Check vulnerabilities | Vulnerabilities > Dashboard |
| Review compliance | [Module] > Compliance (e.g., PCI DSS) |
| Configure server | Server Management > Settings |
| Manage API | Server Management > API Configuration |

Getting Help

If you need assistance:
The Wazuh community is active and helpful. Don’t hesitate to ask questions on Slack or the forum!
