learn-cyber · lesson 3 · hands-on lab

Stand up your Wazuh server

Your first real build — one host running the whole stack: server, indexer, and dashboard. Log in by the end, and you've got the engine your MSSP runs on.

Your mission You're building an MSSP to monitor hotels with Wazuh. This lab is your practice rig — and it mirrors exactly what you'll deploy for your first small hotel client. Everything you do here, you'll do again on real hardware, just with proper certificates and more agents.

What you're building today

In Lesson 2 you met Wazuh's four parts — server (the brain), indexer (the searchable store), dashboard (your screen), and agents (the collectors on each device). Today you install the first three on a single host using Wazuh's Quickstart all-in-one installer.¹

Key idea The all-in-one install puts server, indexer, and dashboard on one machine. It's perfect for a lab — and genuinely fine for your first small hotel client. A single node comfortably handles roughly up to 100 agents and about 90 days of data: enough for your first few small hotels.

Forward-reference: as you onboard more hotels you'll split these roles across machines and cluster them. You don't need that yet — and the install you do today is the foundation you'll grow from, not throwaway work.

Before you start — prerequisites

A 64-bit Linux host or VM (Ubuntu or CentOS are both well-trodden paths).
Recommended: ~4 vCPU and 8 GiB RAM. A tiny test lab will boot on 2 vCPU / 4 GiB — treat that as the absolute floor, not a target.
Root or sudo on that host.
Network access to the host on port 443 (the dashboard), and outbound internet to download the installer.

The build, step by step

Follow this checklist in order. Every command is the exact one to run.

Spin up the VM, update it, and confirm the specs. Fresh box, patched, then look at what you've actually got:
```
sudo apt update && sudo apt -y upgrade   # Ubuntu; use dnf on CentOS
free -h     # check RAM — want ~8 GiB
nproc       # check vCPU count — want ~4
```
If free -h shows under 4 GiB or nproc shows 1, the installer may stall or the indexer may fail to start. Size up before you continue.
Download the install assistant. This single script does the whole all-in-one for you:
```
curl -sO https://packages.wazuh.com/4.x/wazuh-install.sh
```
4.x is the current major line. The exact patch version moves — check the Quickstart page for the latest version string before you run a production install.
Run the all-in-one install. The -a flag is the one that says "everything on this one host":
```
sudo bash ./wazuh-install.sh -a
```
It'll take several minutes — it installs the indexer, the server, the dashboard, and wires them together with self-signed certificates.
Save the admin password — it's shown once. When the installer finishes it prints the generated admin credentials. Copy them somewhere safe now; the password is shown a single time:
```
INFO: --- Summary ---
INFO: You can access the web interface https://<server-ip>
    User: admin
    Password: <a-long-generated-string>
```
Lost it? You can recover the credentials later from the archive the installer leaves behind:
```
sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
```
Open the dashboard and log in. Point a browser at your host on port 443:
```
https://<server-ip>/
```
You'll hit a certificate warning — that's the self-signed cert. Accept it and proceed, then log in as admin with the password you saved.
Verify the three services are healthy. Back on the host, confirm all three are active (running):
```
sudo systemctl status wazuh-manager wazuh-indexer wazuh-dashboard
```

Certs: fine for the lab, not for a hotel The self-signed certificates the installer generates are fine for this lab — the browser warning is expected and harmless here. For a real hotel client you'd replace them with proper TLS certificates so staff and clients never see a scary warning, and so traffic is verifiably trusted. We'll cover that when you onboard a real site.

Troubleshooting — dashboard won't load? Give it a minute: the indexer takes time to start up the first time, and the dashboard can't show anything until the indexer is ready. If it's still blank after a couple of minutes, check the three services with the systemctl status command above — usually wazuh-indexer is the one still warming up (or it ran out of RAM).

Check yourself

Answer from memory before scrolling back. Retrieval is what makes the commands stick when you're doing this on a real hotel box at 2am.

Question 1 of 3

Which flag tells wazuh-install.sh to install the whole stack on one host?

-a is the all-in-one: server, indexer, and dashboard together. The split-role flags (-i, -s, -d) are for the clustered, multi-machine install you'll grow into later — not what you want for a lab or a first small hotel.

Question 2 of 3

Roughly how much can this single all-in-one node handle before you need to scale out?

One all-in-one node handles roughly up to 100 agents and about 90 days of data — plenty for your first few small hotels. Past that you split roles across machines and cluster, which is a later lesson.

Question 3 of 3

After the install finishes, where do you log in — and as whom?

The dashboard lives at https://<server-ip>/ on port 443. You log in as admin with the generated password the installer printed once at the end — which is exactly why you saved it.

Primary source to read next
Wazuh — Quickstart. This is the official all-in-one install guide — the same steps you just ran, plus the current version string and the full sizing recommendations. Bookmark it; you'll come back to it every time you stand up a new node.

I'm your teacher — ask me anything. Installer stalled? Dashboard showing a blank screen? Not sure whether your VM is big enough? Paste the error or the systemctl status output into the chat and we'll work it out together. Debugging a real install is the most useful thing you can practice right now.

You just earned: a working single-node Wazuh you can log into — server, indexer, and dashboard, all running. The brain of your MSSP is alive.

Up next (Lesson 4): deploy your first agent onto a second machine, then trigger a real attack and watch Wazuh raise the alert — the Lesson-1 pipeline, made real in front of you.

← Prev: Lesson 2 — Wazuh architecture · Next: Lesson 4 — First agent & detection →

Reference: Glossary · All resources · Mission