Introduction

Wazuh Dashboard Plugins is a modular plugin-based system built on top of OpenSearch Dashboards. The architecture follows a multi-plugin design pattern where specialized plugins work together to provide comprehensive security monitoring, threat detection, and compliance capabilities.

System Architecture

The Wazuh Dashboard Plugins system consists of three core plugins that work in harmony:

Plugin Hierarchy

The plugins have a clear dependency hierarchy designed for modularity and separation of concerns:

wazuh-core

Foundation plugin providing core services, configuration management, API client, and security utilities

wazuh-check-updates

Utility plugin for managing update notifications and version checking

wazuh (main)

Primary UI plugin providing all security modules, dashboards, and user-facing features

Core Components

Client-Server Architecture

Each plugin implements a dual-sided architecture:
Client-Side Components:
  • React-based UI components
  • Application routing and navigation
  • State management (Redux)
  • Data visualization and dashboards
  • Search bar and filtering
  • Plugin lifecycle management
export class WazuhPlugin implements Plugin<WazuhSetup, WazuhStart> {
  public async setup(core: CoreSetup, plugins: WazuhSetupPlugins) {
    // Register applications
    // Configure UI services
    // Initialize interceptors
  }

  public start(core: CoreStart, plugins: WazuhStartPlugins) {
    // Set up runtime services
    // Initialize navigation
    // Configure data plugins
  }
}

Plugin Details

wazuh-core Plugin

Manifest Configuration:
{
  "id": "wazuhCore",
  "version": "5.0.0-00",
  "requiredPlugins": ["navigation", "opensearchDashboardsUtils"],
  "optionalPlugins": ["securityDashboards"],
  "server": true,
  "ui": true
}
Key Responsibilities:
  • Configuration management through multiple providers
  • Dashboard security integration
  • Server API client for Wazuh REST API
  • Host management for multi-cluster support
  • Shared utilities and helpers
Source Location: plugins/wazuh-core/

wazuh-check-updates Plugin

Manifest Configuration:
{
  "id": "wazuhCheckUpdates",
  "version": "5.0.0-00",
  "requiredPlugins": [
    "navigation",
    "opensearchDashboardsUtils",
    "opensearchDashboardsReact",
    "wazuhCore"
  ],
  "server": true,
  "ui": true
}
Key Responsibilities:
  • Check for available updates
  • Display update notifications
  • Manage notification dismissal state
Source Location: plugins/wazuh-check-updates/

wazuh (Main) Plugin

Manifest Configuration:
{
  "id": "wazuh",
  "version": "5.0.0-00",
  "requiredPlugins": [
    "navigation", "data", "dashboard", "embeddable",
    "discover", "inspector", "visualizations", "uiActions",
    "charts", "savedObjects", "opensearchDashboardsReact",
    "opensearchDashboardsUtils", "opensearchDashboardsLegacy",
    "wazuhCheckUpdates", "wazuhCore"
  ],
  "optionalPlugins": [
    "security", "securityDashboards", "searchguard",
    "telemetry", "notificationsDashboards", "alertingDashboards",
    "reportsDashboards"
  ],
  "server": true,
  "ui": true
}
Key Responsibilities:
  • All security module UIs and dashboards
  • Agent management interface
  • Server management and configuration
  • Security operations (RBAC, users, roles)
  • Threat detection and compliance modules
  • Sample data generation
  • Report generation
Source Location: plugins/main/
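
The dependency hierarchy implied by the three manifests above can be checked mechanically. This added example (not code from the Wazuh repository) derives a start order consistent with `requiredPlugins` and reports which required or optional plugins a host lacks; `auditManifests`, `Audit` and `SAMPLE_PLATFORM` are hypothetical names, and the host plugin list is constructed.

```typescript
// Added example: the three manifests from this page, reduced to dependency fields.
interface Manifest { id: string; requiredPlugins: string[]; optionalPlugins: string[] }

const MANIFESTS: Manifest[] = [
  { id: "wazuh",
    requiredPlugins: ["navigation", "data", "dashboard", "embeddable", "discover",
      "inspector", "visualizations", "uiActions", "charts", "savedObjects",
      "opensearchDashboardsReact", "opensearchDashboardsUtils",
      "opensearchDashboardsLegacy", "wazuhCheckUpdates", "wazuhCore"],
    optionalPlugins: ["security", "securityDashboards", "searchguard", "telemetry",
      "notificationsDashboards", "alertingDashboards", "reportsDashboards"] },
  { id: "wazuhCheckUpdates",
    requiredPlugins: ["navigation", "opensearchDashboardsUtils",
      "opensearchDashboardsReact", "wazuhCore"],
    optionalPlugins: [] },
  { id: "wazuhCore",
    requiredPlugins: ["navigation", "opensearchDashboardsUtils"],
    optionalPlugins: ["securityDashboards"] },
];

interface Audit { order: string[]; missingRequired: string[]; absentOptional: string[] }
// Hypothetical helper: `platform` lists the plugin ids the host already provides.
function auditManifests(manifests: Manifest[], platform: string[]): Audit {
  const byId: Record<string, Manifest | undefined> = {};
  manifests.forEach(m => { byId[m.id] = m; });
  const known = (id: string): boolean => platform.indexOf(id) >= 0 || byId[id] !== undefined;
  const audit: Audit = { order: [], missingRequired: [], absentOptional: [] };
  const state: Record<string, string | undefined> = {};
  const note = (list: string[], id: string): void => { if (list.indexOf(id) < 0) list.push(id); };

  const visit = (id: string): void => {
    const m = byId[id];
    if (m === undefined || state[id] === "done") return; // host plugin, or already ordered
    if (state[id] === "visiting") throw new Error("dependency cycle at " + id);
    state[id] = "visiting";
    m.requiredPlugins.forEach(d => { if (known(d)) visit(d); else note(audit.missingRequired, d); });
    m.optionalPlugins.forEach(d => { if (known(d)) visit(d); else note(audit.absentOptional, d); });
    state[id] = "done";
    audit.order.push(id); // pushed only after everything it depends on
  };
  manifests.forEach(m => visit(m.id));
  return audit;
}

// Constructed host: every required OpenSearch Dashboards plugin, no optional ones.
const SAMPLE_PLATFORM = ["navigation", "data", "dashboard", "embeddable", "discover",
  "inspector", "visualizations", "uiActions", "charts", "savedObjects",
  "opensearchDashboardsReact", "opensearchDashboardsUtils", "opensearchDashboardsLegacy"];
console.log(auditManifests(MANIFESTS, SAMPLE_PLATFORM));
```

An empty `missingRequired` together with `securityDashboards` in `absentOptional` describes a host where all three plugins load but the Security Dashboards integration listed under Integration Points is not present.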

Application Categories

The main plugin organizes applications into logical categories:
| Category ID | Order | Purpose |
|---|---|---|
| wz-category-home | 0 | Home and overview dashboards |
| Explore | 100 | Data exploration and search |
| wz-category-endpoint-security | 200 | Endpoint protection modules |
| wz-category-threat-intelligence | 300 | Threat detection and analysis |
| wz-category-security-operations | 400 | Security operations and compliance |
| wz-category-cloud-security | 500 | Cloud service monitoring |
| wz-category-agents-management | 600 | Agent deployment and management |
| wz-category-server-management | 700 | Server configuration and logs |
| Indexer Management | 9000 | Index and data management |

Data Flow

Event Processing Pipeline

  1. Data Ingestion: Wazuh agents send events to the Wazuh Manager, which forwards them to OpenSearch Indexer
  2. Indexing: Events are indexed into various index patterns based on event type (events, states, monitoring, statistics)
  3. Visualization: Dashboard plugins query OpenSearch through the Data plugin API and render visualizations
  4. API Interaction: User actions trigger API calls to Wazuh Server for management operations (agents, rules, decoders, etc.)

Request Flow Diagram

Integration Points

OpenSearch Dashboards Integration

The plugins integrate deeply with OpenSearch Dashboards platform services:
  • Data Plugin: Search, aggregations, index patterns
  • Visualizations Plugin: Chart rendering, saved visualizations
  • Dashboard Plugin: Dashboard embedding and rendering
  • Discover Plugin: Event exploration interface
  • Navigation Plugin: Menu and breadcrumb management
  • Security Dashboards: Authentication and RBAC integration

Wazuh Server API Integration

All management operations communicate with the Wazuh Server REST API:
  • Agent management (status, configuration, upgrades)
  • Rules and decoders management
  • Security configuration (users, roles, policies)
  • Cluster information and statistics
  • File integrity monitoring
  • Vulnerability detection data

Health Check System

The server plugin implements a comprehensive health check system that runs during startup:
  • Verifies and creates required index patterns for all data sources:
      • Events (all categories)
      • States (vulnerabilities, FIM, SCA, inventory)
      • Monitoring and statistics
  • Tests connection to configured Wazuh Server API hosts and validates authentication
  • Verifies that allow_run_as is enabled on the Wazuh API for proper user context switching
  • Ensures required saved objects (dashboards, visualizations) are present
  • Sets up default notification channels when Notifications plugin is available

Configuration Management

The wazuh-core plugin implements a multi-provider configuration system:
// Configuration providers
enum EConfigurationProviders {
  INITIALIZER_CONTEXT,      // Plugin configuration from opensearch_dashboards.yml
  PLUGIN_UI_SETTINGS,       // User settings from UI
}
Configuration flows through a ConfigurationStore that aggregates settings from multiple sources with proper precedence.

Security Architecture

Authentication Flow

  1. Dashboard security plugin handles user authentication
  2. wazuh-core creates scoped API clients per user session
  3. API requests include user context for audit trail
  4. Wazuh Server enforces RBAC policies

Authorization

  • Frontend: UI elements conditionally rendered based on user permissions
  • Backend: Route handlers validate user authorization before processing
  • API Level: Wazuh Server enforces resource-level permissions

Performance Considerations

Lazy Loading

Applications are dynamically imported only when mounted, reducing initial bundle size

Query Optimization

Search queries use aggregations and time-based filtering to minimize data transfer

Caching

Configuration and API responses are cached with configurable TTL (default 10s)

Background Jobs

Long-running tasks (monitoring, statistics) run in background queues

Extensibility

The architecture supports extension through:
  • Plugin System: Add new plugins that depend on wazuh-core
  • Module System: Register new security modules in the main plugin
  • Custom Visualizations: Add new visualization types through the Visualizations plugin
  • Route Extensions: Register custom API routes in server plugin
