Skip to main content

Overview

Wazuh Dashboard Plugins organize security data into specialized index patterns optimized for different types of events and states. This structured approach enables efficient querying, visualization, and analysis of security telemetry.

Index Pattern Architecture

Data is organized into three primary categories:

Events

Real-time security events with timestamps, categorized by event type

States

Current state snapshots of system inventories, vulnerabilities, and configurations

Operational

Monitoring data and statistics for agents and servers

Index Pattern Types

From constants.ts:19-108:

Events Index Patterns

Events represent time-series security data with the @timestamp field.
Pattern: wazuh-events*
Type: events
Time Field: @timestamp
Health Check: index-pattern:eventsThe main index pattern that aggregates all event types. Used for cross-category searches and general event exploration.
// From constants.ts:19-21
export const WAZUH_INDEX_TYPE_EVENTS = 'events';
export const WAZUH_EVENTS_PATTERN = 'wazuh-events*';
Required Fields:
// From constants.ts:920-925
export const INDEX_PATTERN_EVENTS_REQUIRED_FIELDS = [
  FIELD_TIMESTAMP,                  // '@timestamp'
  'wazuh.integration.decoders',
  'wazuh.cluster.node',
  'wazuh.agent.id',
];

Cloud Services Events

Specialized event patterns for cloud provider monitoring:
Pattern: wazuh-events-v5-cloud-services*
Health Check: index-pattern:events-cloud-servicesAggregated cloud service events across all providers.Known Fields: common/known-fields/events-cloud-services.json
Pattern: wazuh-events-v5-cloud-services-aws*
Health Check: index-pattern:events-cloud-services-awsAmazon Web Services specific events:
  • CloudTrail API calls
  • GuardDuty findings
  • Config changes
  • VPC Flow Logs
// From constants.ts:140-142
export const WAZUH_EVENTS_CLOUD_SERVICES_AWS_PATTERN =
  'wazuh-events-v5-cloud-services-aws*';
Known Fields: common/known-fields/events-cloud-services-aws.json
Pattern: wazuh-events-v5-cloud-services-azure*
Health Check: index-pattern:events-cloud-services-azureMicrosoft Azure events:
  • Azure AD logs
  • Activity logs
  • Security Center alerts
Known Fields: common/known-fields/events-cloud-services-azure.json
Pattern: wazuh-events-v5-cloud-services-gcp*
Health Check: index-pattern:events-cloud-services-gcpGoogle Cloud Platform events:
  • Cloud Audit Logs
  • Security Command Center
  • IAM policy changes
Known Fields: common/known-fields/events-cloud-services-gcp.json

States Index Patterns

States represent current snapshots of system configurations and inventories (no time field).
Pattern: wazuh-states-vulnerabilities*
Type: states-vulnerabilities
Health Check: index-pattern:states-vulnerabilitiesCurrent vulnerability state of systems:
  • Detected CVEs
  • Affected packages
  • Severity scores (CVSS)
  • Fix availability
// From constants.ts:32-34
export const WAZUH_VULNERABILITIES_PATTERN = 'wazuh-states-vulnerabilities*';
export const WAZUH_INDEX_TYPE_VULNERABILITIES = 'vulnerabilities';
export const VULNERABILITY_IMPLICIT_CLUSTER_MODE_FILTER = 'wazuh.cluster.name';
Known Fields: common/known-fields/states-vulnerabilities.json

Operational Index Patterns

Pattern: wazuh-monitoring*
Type: monitoring
Time Field: timestamp
Health Check: index-pattern:monitoringAgent status and metrics:
  • Agent connectivity status
  • Last keep-alive timestamp
  • Agent version information
  • Configuration sync status
// From constants.ts:24-25
export const WAZUH_INDEX_TYPE_MONITORING = 'monitoring';
export const WAZUH_MONITORING_PATTERN = 'wazuh-monitoring*';
Known Fields: common/known-fields/monitoring.json

Index Pattern Initialization

The server plugin registers health checks to ensure all index patterns exist during startup.

Health Check Registration

From plugins/main/server/plugin.ts: 
core.healthCheck.register(
  initializationTaskCreatorIndexPattern({
    services: plugins.wazuhCore,
    taskName: HEALTH_CHECK_TASK_INDEX_PATTERN_VULNERABILITIES_STATES,
    indexPatternID: WAZUH_VULNERABILITIES_PATTERN,
    options: {
      fieldsNoIndices: IndexPatternVulnerabilitiesKnownFields,
    },
  })
);

Index Pattern Options

taskName
string
required
Unique identifier for the health check task
indexPatternID
string
required
The index pattern string (e.g., wazuh-events*)
options.savedObjectOverwrite
object
Saved object properties to set/override
options.hasTimeFieldName
boolean
default:"false"
Whether the index pattern has a time field
options.fieldsNoIndices
array
Known field definitions when indices don’t exist yet
options.checkDefaultIndexPattern
boolean
default:"false"
Whether this should be the default index pattern

Known Fields

Known fields are pre-defined field mappings stored in JSON files under common/known-fields/. These allow index patterns to be created before any data is indexed. Example: common/known-fields/events.json 
[
  {
    "name": "@timestamp",
    "type": "date",
    "searchable": true,
    "aggregatable": true
  },
  {
    "name": "wazuh.agent.id",
    "type": "string",
    "searchable": true,
    "aggregatable": true
  },
  // ... more fields
]

Data Flow

Event Pipeline

1

Agent Collection

Wazuh agents collect security events and system state data
2

Manager Processing

Wazuh Manager processes, enriches, and categorizes events
3

Indexing

Events are indexed into OpenSearch with appropriate index patterns
4

Index Pattern Matching

Dashboard queries use index patterns to search relevant indices
5

Visualization

Results are rendered in dashboards and visualizations

Index Naming Convention

wazuh-{category}-{version}-{subcategory}-{date}

Examples:
- wazuh-events-v5-security-2026.03.04
- wazuh-states-vulnerabilities-2026.03.04
- wazuh-monitoring-2026.03.04
Components:
  • wazuh: Namespace prefix
  • {category}: events, states, monitoring, statistics
  • {version}: v5 (for events)
  • {subcategory}: security, system-activity, vulnerabilities, etc.
  • {date}: YYYY.MM.DD for daily indices

Sample Data

The plugin provides sample data generation for testing and demonstrations.

Sample Data Categories

From constants.ts:271-475: 
export const WAZUH_SAMPLE_DATA_CATEGORIES_TYPE_DATA = {
  [WAZUH_SAMPLE_AGENT_MONITORING]: [
    {
      indexPatternPrefix: WAZUH_SETTING_AGENTS_MONITORING_SAMPLE_PREFIX.indexPatternPrefix,
      dataSet: WAZUH_SETTING_AGENTS_MONITORING_SAMPLE_PREFIX.dataSet,
    },
  ],
  [WAZUH_SAMPLE_ALERTS_CATEGORY_SECURITY]: [
    { syscheck: true },
    { aws: true },
    { azure: true, count: 1000 },
    { office: true },
    { gcp: true },
    { authentication: true },
    { ssh: true },
    { apache: true, count: 2000 },
    { web: true },
    { windows: { service_control_manager: true }, count: 1000 },
    { github: true },
  ].map(item => ({
    ...item,
    indexPatternPrefix: `${WAZUH_SETTING_ALERTS_SAMPLE_PREFIX.indexPatternPrefix}-${WAZUH_SAMPLE_ALERTS_CATEGORY_SECURITY}`,
    dataSet: WAZUH_SETTING_ALERTS_SAMPLE_PREFIX.dataSet,
  })),
  // ... more categories
};
Available Categories:
  • Agent Monitoring
  • Security Alerts
  • Auditing & Policy Monitoring
  • Threat Detection
  • File Integrity Monitoring
  • Security Configuration Assessment
  • Inventory Agent
  • Server Statistics
  • Vulnerabilities

Sample Data Configuration

WAZUH_SAMPLE_ALERTS_DEFAULT_NUMBER_DOCUMENTS
number
default:"1500"
Default number of sample documents to generate
// From constants.ts:167-181
export const WAZUH_SAMPLE_ALERTS_INDEX_SHARDS = 1;
export const WAZUH_SAMPLE_ALERTS_INDEX_REPLICAS = 0;
export const WAZUH_SAMPLE_ALERTS_DEFAULT_NUMBER_DOCUMENTS = 1500;

Query Optimization

Time-Based Filtering

For event index patterns, always apply time range filters: 
const timeFilter = {
  range: {
    '@timestamp': {
      gte: 'now-24h',
      lte: 'now',
    },
  },
};

Agent Filtering

Filter by specific agent: 
const agentFilter = {
  term: {
    'wazuh.agent.id': '001',
  },
};

Cluster Mode Filtering

For vulnerabilities in cluster mode: 
// From constants.ts:34
export const VULNERABILITY_IMPLICIT_CLUSTER_MODE_FILTER = 'wazuh.cluster.name';

const clusterFilter = {
  term: {
    [VULNERABILITY_IMPLICIT_CLUSTER_MODE_FILTER]: 'wazuh-cluster',
  },
};

Field Formats

Specialized field formatting improves data presentation:

Byte Formatting

mapFieldsFormat({
  'file.size': 'bytes',
  'host.memory.free': 'bytes',
  'host.memory.total': 'bytes',
  'host.memory.used': 'bytes',
  'package.size': 'bytes',
  'registry.size': 'bytes',
  'host.network.egress.bytes': 'bytes',
  'host.network.ingress.bytes': 'bytes',
})

Percentage Formatting

mapFieldsFormat({
  'host.memory.usage': 'percent',
})

Integer Formatting

mapFieldsFormat({
  'destination.port': 'integer',
  'source.port': 'integer',
  'process.pid': 'integer',
  'process.parent.pid': 'integer',
})

Index Lifecycle Management

Index patterns use wildcard matching, allowing for index rotation and lifecycle policies without reconfiguration.
Example: Index pattern wazuh-events* matches:
  • wazuh-events-v5-security-2026.03.01
  • wazuh-events-v5-security-2026.03.02
  • wazuh-events-v5-security-2026.03.03
  • wazuh-events-v5-security-2026.03.04
This enables:
  • Daily index rotation
  • Automated retention policies
  • Hot-warm-cold architecture
  • Index deletion without breaking dashboards

Configuration

Default Index Pattern

Set the default index pattern for initial searches: 
// From plugin.ts:677
options: {
  checkDefaultIndexPattern: true,
}
The events index pattern (wazuh-events*) is typically set as default.

Time Field Configuration

For time-series data: 
// From plugin.ts:266-270
options: {
  savedObjectOverwrite: defineTimeFieldNameIfExist('timestamp'),
  hasTimeFieldName: true,
}

Time Filter Settings

Default time range for dashboards: 
// From constants.ts:598-601
export const WAZUH_PLUGIN_PLATFORM_SETTING_TIME_FILTER = {
  from: 'now-24h',
  to: 'now',
};
export const PLUGIN_PLATFORM_SETTING_NAME_TIME_FILTER = 'timepicker:timeDefaults';

Best Practices

Use Specific Patterns

Query the most specific index pattern for your use case (e.g., wazuh-events-v5-security* instead of wazuh-events*) for better performance

Apply Time Filters

Always filter by time range on event indices to limit data scanned

Filter Early

Apply agent, cluster, and category filters in the query for index-level filtering

Aggregate Wisely

Use appropriate aggregation intervals and bucket limits

Index Pattern Reference

Complete Index Pattern List

  • wazuh-events*
  • wazuh-events-v5-system-activity*
  • wazuh-events-v5-security*
  • wazuh-events-v5-access-management*
  • wazuh-events-v5-applications*
  • wazuh-events-v5-network-activity*
  • wazuh-events-v5-other*
  • wazuh-events-v5-cloud-services*
  • wazuh-events-v5-cloud-services-aws*
  • wazuh-events-v5-cloud-services-azure*
  • wazuh-events-v5-cloud-services-gcp*
  • wazuh-states-vulnerabilities*
  • wazuh-states-fim*
  • wazuh-states-fim-files*
  • wazuh-states-fim-registry-keys*
  • wazuh-states-fim-registry-values*
  • wazuh-states-sca*
  • wazuh-states-inventory*
  • wazuh-states-inventory-system*
  • wazuh-states-inventory-hardware*
  • wazuh-states-inventory-networks*
  • wazuh-states-inventory-packages*
  • wazuh-states-inventory-ports*
  • wazuh-states-inventory-processes*
  • wazuh-states-inventory-protocols*
  • wazuh-states-inventory-users*
  • wazuh-states-inventory-groups*
  • wazuh-states-inventory-services*
  • wazuh-states-inventory-interfaces*
  • wazuh-states-inventory-hotfixes*
  • wazuh-states-inventory-browser-extensions*
  • wazuh-monitoring*
  • wazuh-statistics*

Architecture

System architecture and data flow

Security Modules

Security modules that use these data sources

Plugin System

Plugin lifecycle and health checks

Query Guide

Learn how to query and visualize data

Build docs developers (and LLMs) love

Get started for freeTalk to us