Lesson 2 — Wazuh's four parts

A precise mental model of the machine you'll be selling — name each component, say what it does, and trace one hotel's data all the way through.

Your mission Your MSSP runs on exactly one piece of software: Wazuh. Before you stand it up in Lesson 3, you need to know its anatomy — the four parts, what each one is for, and how they hand work to each other. This is the map you'll point at when a hotel owner asks "so what am I paying for?"

From pipeline to product

In Lesson 1 you learned the pipeline: Collect → Decode → Match rules → Alert → Triage. That was the idea. Wazuh is the thing that does it, and it's split into four components — each one owning a stretch of that pipeline.¹

The four parts, mapped to the pipeline

Here's the shape. Each box is one component; the label under it is the pipeline step it owns.

1. The agent — eyes on each device

The agent is lightweight software you install on each monitored endpoint: servers, laptops, VMs, POS terminals. At a hotel that's the front-desk PCs, the PMS server, the back-office machines. The agent reads that device's logs, watches its files for tampering (File Integrity Monitoring), checks its configuration and known vulnerabilities, and forwards everything to the server.¹ It is the Collect step made real — one agent per device.

Lightweight is the selling point. The agent sips CPU and memory, so it can sit on a busy POS terminal at the hotel bar without slowing the line at checkout.

2. The server (manager) — the brain

The server, also called the manager, receives data from every agent across all your hotels. It runs the decoders and rules that pull fields from each line and decide what's worth an alert, it enrolls and manages the agents, and it exposes the Wazuh API that everything else talks to.¹ This single component owns three pipeline steps: Decode, Match rules, and Alert.

3. The indexer — fast, searchable memory

The indexer is a search-and-storage engine (built on OpenSearch). The server hands it every alert and event, and it stores them in a way that's fast to search and aggregate.¹ This is the component that answers historical questions: "every failed login at the Marriott last week," or "which POS terminal saw new malware on Tuesday." Without it, you'd have alerts but no memory.

4. The dashboard — where you work

The dashboard is the web UI (built on OpenSearch Dashboards). It's where the analyst visualizes alerts, investigates an incident, and manages the whole deployment.¹ This is the Triage step — the screen you'll be staring at when an alert fires at 2 a.m. for a hotel three time zones away.

How data actually flows

The components don't just sit there — they hand data along in a fixed order. Trace one event from a hotel firewall-protected network all the way to your screen:

Keep the ports light, but know them — they come up the moment something won't connect: 1514 carries agent → manager events, 1515 is the enrollment service that hands out the key, and 443 is HTTPS to the dashboard in your browser.

When a device can't run an agent

Here's the catch that bites every MSSP: not every hotel device can take an agent. The hotel's firewall, its managed network switches, and some sealed POS appliances are closed boxes — you can't install software on them. But they produce exactly the logs you most want.

Wazuh handles these with agentless monitoring: the device sends its logs to the server over syslog, or the server polls the device over SSH or an API.¹ So a hotel's firewall can forward its blocked-connection logs by syslog and you'll see them in the same dashboard as everything else — no agent required.

Why this matters for hotels A hotel's firewall and switches sit at the perimeter — the first thing an attacker touches. Those are the devices you can't put an agent on, so agentless ingestion (syslog/SSH/API) isn't a nice-to-have. It's how you cover the front door.

One host now, a cluster later

You don't need four servers to start. For a small deployment, all four components run on a single host — the all-in-one install you'll do in Lesson 3.² That's plenty for your first hotel or three.

As your MSSP grows and you add clients, the load grows too. At scale, the indexer and the server can each be clustered across multiple nodes — many machines acting as one — so the system keeps up with millions of events from dozens of hotels.² The mental model stays identical; you're just running more copies of the same four parts.

Start single-node, cluster later. Keeping many hotels' data cleanly separated on one deployment is its own skill — agent groups, RBAC, dashboard tenants — and it gets its own lesson further on.

What the agent and server give you

You don't need to master these yet — just learn the names, so you recognize them when they show up in the dashboard later. The agent + server together provide:³

Check yourself

Retrieval practice — answering from memory is what makes this stick. Don't peek back up; take the guess.

Question 1 of 3

A new alert needs to be decoded, scored against rules, and raised. Which Wazuh component does all three?

The server (manager) is the brain: it runs decoders and rules, generates alerts, enrolls agents, and exposes the API. The agent only collects; the indexer only stores.

Question 2 of 3

The hotel's firewall can't run agent software. How does Wazuh take in its logs anyway?

That's agentless monitoring: the device forwards logs by syslog, or the server polls it over SSH/API. It's how you cover closed boxes like firewalls and switches that can't take an agent.

Question 3 of 3

You ask "every failed login at the Marriott last week." Which component makes that historical search fast?

The indexer (built on OpenSearch) stores alerts and events and makes them fast to search and aggregate. The server analyzes in the moment; the indexer is the searchable memory.

Primary source to read next
Wazuh — Components. This is the canonical description of the four parts and how they connect (10 min). Read it now that you have the map in your head — it will click. For the capabilities list, skim Getting Started (FIM, SCA, vulnerability detection, MITRE, Active Response).

I'm your teacher — ask me anything. Fuzzy on why enrollment happens before events? Wondering which hotel devices are agent vs. agentless? Want me to draw the single-node-to-cluster jump in more detail? Ask in the chat — that back-and-forth is where the real learning happens.

You just earned: the four components — agent, server, indexer, dashboard — what each does, how data flows through them, when you need agentless monitoring, and the single-node vs. clustered choice. You can now name every part and trace a hotel's data end to end.

Up next (Lesson 3): stand it up for real — the all-in-one install, then enroll your first agent and watch a live event travel the pipeline you just mapped.

Reference: Glossary · All resources · Mission

← Lesson 1: From event to alert · Lesson 3: Stand up the Wazuh server →

Wazuh — Components (agent · server · indexer · dashboard; agentless via syslog/SSH/API).
Wazuh — Quickstart (all-in-one single-node install and sizing).
Wazuh — Getting Started (capabilities: log analysis, FIM, SCA, vulnerability detection, MITRE ATT&CK, Active Response).