Wazuh Commands

Overview

The netapi wazuh command group provides CLI access to the Wazuh SIEM through two backends: the OpenSearch (Indexer) API for searching indices, alerts and archives, and the Wazuh Manager REST API for agent and service status.

Service Endpoints

Table 1. Wazuh MetalLB VIPs

Service     VIP           Port    Purpose
-----------------------------------------------------------
Dashboard   10.50.1.132   443     Web UI
Indexer     10.50.1.131   9200    OpenSearch API
Manager     10.50.1.134   55000   REST API
Manager     10.50.1.134   1515    Agent registration (authd)
Manager     10.50.1.134   514     Syslog (UDP/TCP)
Workers     10.50.1.133   1514    Agent event data

Prerequisites

Credentials Location

Wazuh credentials are stored in gopass:

# Indexer (OpenSearch)
gopass show v3/domains/d000/k3s/wazuh

# Manager API
gopass show v3/domains/d000/k3s/wazuh-api

Load via dsource

dsource d000 dev/observability

Required Environment Variables

Variable                 Description            Default
-------------------------------------------------------------------------
WAZUH_INDEXER_URL        OpenSearch URL         10.50.1.131:9200
WAZUH_INDEXER_USER       OpenSearch username    admin
WAZUH_INDEXER_PASSWORD   OpenSearch password    Required (no default)
WAZUH_API_URL            Manager API URL        10.50.1.134:55000
WAZUH_API_USER           Manager API username   wazuh-wui
WAZUH_API_PASSWORD       Manager API password   Required for agents, status

Index Commands

indices

List Wazuh indices in OpenSearch:

netapi wazuh indices
Example Output
Index                                         Docs       Size Status
--------------------------------------------------------------------------------
wazuh-alerts-4.x-2026.02.24                     58    369.7kb green
wazuh-archives-4.x-2026.02.24                 1097      329kb green
wazuh-statistics-2026.9w                        70    228.8kb green

Filter by pattern:

netapi wazuh indices --pattern "wazuh-alerts-*"

count

Get document count for an index:

netapi wazuh count --index "wazuh-archives-*"
Example Output
wazuh-archives-*: 1,097 documents

archives

Search Wazuh archives (syslog events, system events):

netapi wazuh archives
Table 2. Options

Option       Short   Description
--------------------------------------------------
--query      -q      Search text in full_log field
--location   -l      Filter by source IP/hostname
--time       -t      Time range (1h, 24h, 7d)
--limit      -n      Max results (default: 20)
--raw                Show raw JSON output

Examples
# Last hour (default)
netapi wazuh archives

# pfSense firewall logs
netapi wazuh archives -q filterlog

# From specific source, last 24h
netapi wazuh archives -l 10.50.1.1 -t 24h

# Blocked connections
netapi wazuh archives -q "block" -n 50
Example Output
Found 5 results (showing up to 5)

[2026-02-24T03:58:28] 10.50.1.1
  Feb 23 19:58:28 filterlog[50531]: 65,,,12004,ixl0,match,block,in,4,0x0,,64...

[2026-02-24T03:58:01] df -P
  ossec: output: 'df -P': tmpfs
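To show how the archives options above map onto the underlying OpenSearch search, here is an added illustration (not netapi's own code): it turns -q/-l/-t/-n into a search body and renders hits in the same "[timestamp] location" layout as the output above. It assumes the standard wazuh-archives-* fields @timestamp, location and full_log, and a constructed sample response.

```python
import re
from datetime import datetime

# Fields assumed: @timestamp, location, full_log (full_log is named on the
# page; the other two are standard wazuh-archives-* fields).
_RANGE_RE = re.compile(r"^(\d+)([mhd])$")


def parse_time_range(spec):
    """'1h' / '24h' / '7d' -> OpenSearch date math such as 'now-24h'."""
    m = _RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported time range {spec!r}; use e.g. 1h, 24h, 7d")
    return f"now-{m.group(1)}{m.group(2)}"


def build_archives_query(query=None, location=None, time="1h", limit=20):
    """Search body equivalent to: archives -q QUERY -l LOCATION -t TIME -n LIMIT."""
    filters = [{"range": {"@timestamp": {"gte": parse_time_range(time)}}}]
    if location:                      # -l: exact match on the syslog source
        filters.append({"term": {"location": location}})
    must = []
    if query:                         # -q: phrase match in the raw log line
        must.append({"match_phrase": {"full_log": query}})
    return {"size": limit,
            "sort": [{"@timestamp": {"order": "desc"}}],
            "query": {"bool": {"must": must, "filter": filters}}}


def format_hits(response, limit=20):
    """Render hits as '[timestamp] location' + indented full_log, like the CLI."""
    total = response["hits"]["total"]["value"]
    lines = [f"Found {total} results (showing up to {limit})"]
    for hit in response["hits"]["hits"]:
        src = hit["_source"]
        ts = datetime.fromisoformat(src["@timestamp"].replace("Z", "+00:00"))
        lines.append("")
        lines.append(f"[{ts:%Y-%m-%dT%H:%M:%S}] {src['location']}")
        lines.append(f"  {src['full_log']}")
    return "\n".join(lines)


# Constructed sample response, not captured from a live indexer.
SAMPLE_RESPONSE = {"hits": {"total": {"value": 1, "relation": "eq"}, "hits": [
    {"_source": {"@timestamp": "2026-02-24T03:58:28.000Z", "location": "10.50.1.1",
                 "full_log": "Feb 23 19:58:28 filterlog[50531]: 65,,,12004,ixl0,match,block,in,4,0x0,,64"}}]}}
```

The returned body can be posted as-is to wazuh-archives-*/_search on the Indexer; the --raw option corresponds to printing the response instead of passing it through format_hits.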

Alert Commands

alerts

Search Wazuh alerts:

netapi wazuh alerts
Table 3. Options

Option     Short   Description
--------------------------------------------------
--rule     -r      Filter by rule ID
--level    -L      Minimum severity level (1-15)
--agent    -a      Filter by agent name
--time     -t      Time range (default: 24h)
--limit    -n      Max results
--raw              Show raw JSON output

Examples
# All alerts, last 24h
netapi wazuh alerts

# High severity only (level 8+)
netapi wazuh alerts --level 8

# Specific agent
netapi wazuh alerts --agent vault-01

# Specific rule
netapi wazuh alerts --rule 100200
Example Output
Found 10 alerts

[2026-02-24T03:58:39] L2 R522 wazuh-manager-master-0
  File with world writable permissions found.

[2026-02-24T03:45:12] L10 R100201 wazuh-manager-master-0
  pfSense: Potential port scan detected

rules

Show alert statistics by rule (most triggered):

netapi wazuh rules
Table 4. Options

Option   Short   Description
--------------------------------------------
--time   -t      Time range (default: 24h)
--top    -n      Top N rules (default: 20)

Examples
# Top 20 rules, last 24h
netapi wazuh rules

# Top 50 rules, last week
netapi wazuh rules --top 50 -t 7d
Example Output
Rule     Level  Count   Description
--------------------------------------------------------------------------------
522      2          20  File with world writable permissions found.
100200   3          15  pfSense: Firewall block
5501     3           8  Login session opened

Source Analysis

sources

Show syslog sources in archives:

netapi wazuh sources
Table 5. Options

Option   Short   Description
--------------------------------------------
--time   -t      Time range (default: 24h)

Example Output
Syslog sources (last 24h, 1,097 total events)

Source                               Events        %
-------------------------------------------------------
10.50.1.1                               895    81.6%
df -P                                   176    16.0%
rootcheck                                20     1.8%
wazuh-monitord                            6     0.5%

Manager API Commands

These commands require WAZUH_API_USER and WAZUH_API_PASSWORD environment variables.

agents

List Wazuh agents:

netapi wazuh agents
Example Output
ID     Name                      IP               Status       OS
--------------------------------------------------------------------------------
000    wazuh-manager-master-0    127.0.0.1        Active       Rocky Linux 9
001    vault-01                  10.50.1.60       Active       Rocky Linux 9
002    kvm-01                    10.50.1.99       Active       Arch Linux

status

Show Wazuh manager status:

netapi wazuh status
Example Output
Wazuh Manager Status
----------------------------------------
wazuh-analysisd              running
wazuh-remoted                running
wazuh-syscheckd              running
wazuh-logcollector           running
wazuh-modulesd               running

Dashboard Management

Manage Wazuh/OpenSearch Dashboards programmatically via the Saved Objects API.

dashboard-list

List saved dashboards:

netapi wazuh dashboard-list
Example Output
Found 5 dashboards

ID                                       Title
----------------------------------------------------------------------------------
7adfa750-4c81-11e8-b3d7-01146121b73d     Wazuh - Security Events
e3166a70-4dd6-11e8-8a36-9f1c4a4a2ed4     Wazuh - Integrity Monitoring
0d44db00-4e37-11e8-a85e-2f0e2cf89fc7     Wazuh - Vulnerability Detection

Show raw JSON:

netapi wazuh dashboard-list --raw

dashboard-export

Export dashboards to NDJSON file (includes referenced visualizations, index patterns):

# Export all dashboards
netapi wazuh dashboard-export

# Custom output file
netapi wazuh dashboard-export -o wazuh-backup-2026-02-25.ndjson

# Export specific dashboard
netapi wazuh dashboard-export -i 7adfa750-4c81-11e8-b3d7-01146121b73d -o security-events.ndjson
Example Output
Exported 47 objects to dashboards.ndjson
File size: 125,432 bytes

dashboard-import

Import dashboards from NDJSON file:

# Import (skip existing)
netapi wazuh dashboard-import dashboards.ndjson

# Overwrite existing
netapi wazuh dashboard-import backup.ndjson --overwrite
Example Output
✓ Imported 47 objects

viz-list

List saved visualizations:

netapi wazuh viz-list

Workflow: Backup and Restore

# 1. List current dashboards
netapi wazuh dashboard-list

# 2. Export all dashboards (backup)
netapi wazuh dashboard-export -o /backup/wazuh-dashboards-$(date +%F).ndjson

# 3. After disaster/reinstall, import
netapi wazuh dashboard-import /backup/wazuh-dashboards-2026-02-25.ndjson --overwrite

Workflow: Dashboard as Code

Version control your dashboards:

# 1. Create dashboard manually in Wazuh UI
# 2. Export to repo
netapi wazuh dashboard-export -o dashboards/custom-security.ndjson

# 3. Commit to git
git add dashboards/custom-security.ndjson
git commit -m "feat(wazuh): Add custom security dashboard"

# 4. Deploy to another Wazuh instance
netapi wazuh dashboard-import dashboards/custom-security.ndjson

curl Equivalents

For scripting without netapi:

# List dashboards
curl -sk -u admin:$WAZUH_INDEXER_PASSWORD \
  "https://wazuh.inside.domusdigitalis.dev:443/api/saved_objects/_find?type=dashboard" | jq

# Export all dashboards
curl -sk -u admin:$WAZUH_INDEXER_PASSWORD \
  -X POST "https://wazuh.inside.domusdigitalis.dev:443/api/saved_objects/_export" \
  -H "osd-xsrf: true" \
  -H "Content-Type: application/json" \
  -d '{"type": "dashboard", "includeReferencesDeep": true}' \
  > dashboards.ndjson

# Import dashboards
curl -sk -u admin:$WAZUH_INDEXER_PASSWORD \
  -X POST "https://wazuh.inside.domusdigitalis.dev:443/api/saved_objects/_import" \
  -H "osd-xsrf: true" \
  --form file=@dashboards.ndjson
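An import fails on objects whose references are not in the file (for example a visualization whose index pattern was not exported). The following added check, not part of netapi or the Wazuh project, parses an NDJSON export, counts objects per type, lists dangling references and compares the object count with the trailing export-details line the _export endpoint appends; the sample export is constructed, not a real file.

```python
import json

# Saved-object NDJSON as produced by /api/saved_objects/_export: one JSON object
# per line (id, type, attributes, references); the last line is assumed to be
# the export-details summary carrying exportedCount.


def parse_export(ndjson_text):
    """Return (objects, summary): saved objects and the optional trailing summary."""
    objects, summary = [], None
    for lineno, line in enumerate(ndjson_text.splitlines(), 1):
        if not line.strip():
            continue
        obj = json.loads(line)               # raises on a truncated/corrupt line
        if "exportedCount" in obj:
            summary = obj
        elif "id" in obj and "type" in obj:
            objects.append(obj)
        else:
            raise ValueError(f"line {lineno}: not a saved object")
    return objects, summary


def check_export(ndjson_text):
    """Report object counts by type and any references missing from the file."""
    objects, summary = parse_export(ndjson_text)
    present = {(o["type"], o["id"]) for o in objects}
    by_type, missing = {}, []
    for o in objects:
        by_type[o["type"]] = by_type.get(o["type"], 0) + 1
        for ref in o.get("references", []):
            if (ref["type"], ref["id"]) not in present:
                missing.append((o["type"], o["id"], ref["type"], ref["id"]))
    count_ok = summary is None or summary["exportedCount"] == len(objects)
    return {"objects": len(objects), "by_type": by_type,
            "missing_references": missing, "count_matches_summary": count_ok}


# Constructed sample export: a dashboard referencing one visualization that is
# present and one index pattern that was left out (no includeReferencesDeep).
SAMPLE_EXPORT = "\n".join([
    json.dumps({"id": "dash-1", "type": "dashboard", "attributes": {"title": "Custom"},
                "references": [{"name": "panel_0", "type": "visualization", "id": "viz-1"}]}),
    json.dumps({"id": "viz-1", "type": "visualization", "attributes": {"title": "Blocks"},
                "references": [{"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
                                "type": "index-pattern", "id": "wazuh-alerts-*"}]}),
    json.dumps({"exportedCount": 2, "missingRefCount": 0, "missingReferences": []}),
])
```

Run check_export over the file produced by dashboard-export or the curl _export call above before committing it or importing it elsewhere; a non-empty missing_references list means the export was taken without the referenced objects.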

Quick Reference

Command                            Description
------------------------------------------------------------------
netapi wazuh indices               List all Wazuh indices
netapi wazuh archives -q filterlog Search pfSense logs
netapi wazuh alerts --level 8      High severity alerts
netapi wazuh sources               Syslog source summary
netapi wazuh rules                 Top triggered rules
netapi wazuh agents                List agents (requires API creds)
netapi wazuh dashboard-list        List saved dashboards
netapi wazuh dashboard-export      Export dashboards to NDJSON
netapi wazuh dashboard-import      Import dashboards from NDJSON

Validation Checklist

1. Verify Connectivity

# Test indexer
curl -sk -u admin:$(gopass show -o v3/domains/d000/k3s/wazuh) \
  "https://10.50.1.131:9200/_cluster/health" | jq -r '.status'
# Expected: green

# Test manager API
curl -sk -u wazuh-wui:$(gopass show -o v3/domains/d000/k3s/wazuh-api) \
  "https://10.50.1.134:55000/security/user/authenticate" | jq -r '.data.token' | head -c 20
# Expected: JWT token prefix

2. Verify Agents

# Via netapi (with credentials)
WAZUH_INDEXER_PASSWORD="$(gopass show -o v3/domains/d000/k3s/wazuh)" \
WAZUH_API_USER="wazuh-wui" \
WAZUH_API_PASSWORD="$(gopass show -o v3/domains/d000/k3s/wazuh-api)" \
  netapi wazuh agents

# Via kubectl
ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- /var/ossec/bin/agent_control -l"

3. Verify Syslog Reception

# Check syslog sources
WAZUH_INDEXER_PASSWORD="$(gopass show -o v3/domains/d000/k3s/wazuh)" \
  netapi wazuh sources

# Check document count
WAZUH_INDEXER_PASSWORD="$(gopass show -o v3/domains/d000/k3s/wazuh)" \
  netapi wazuh count --index "wazuh-archives-*"

4. Verify k8s Pods

ssh k3s-master-01 "kubectl get pods -n wazuh"
Expected Output
NAME                               READY   STATUS    RESTARTS   AGE
wazuh-dashboard-69dd56df9d-xxx     1/1     Running   0          1d
wazuh-indexer-0                    1/1     Running   0          1d
wazuh-manager-master-0             1/1     Running   0          1d
wazuh-manager-worker-0             1/1     Running   0          1d

Troubleshooting

"Required: WAZUH_INDEXER_PASSWORD"

Credentials not loaded. Export manually:

# Option 1: Load via dsource (permanent - recommended)
dsource d000 dev/observability

# Option 2: Export manually (temporary)
export WAZUH_INDEXER_PASSWORD="$(gopass show -o v3/domains/d000/k3s/wazuh)"
export WAZUH_API_USER="wazuh-wui"
export WAZUH_API_PASSWORD="$(gopass show -o v3/domains/d000/k3s/wazuh-api)"

"No sources found in archives"

No syslog data being received. Check:

# 1. Syslog port open
nc -zvu 10.50.1.134 514

# 2. pfSense sending logs
# Configure via System > Advanced > Notifications > Syslog

# 3. ISE sending logs
netapi ise api-call ers GET '/config/externalSyslogTarget'

"Connection refused" on port 55000

Manager API not accessible:

# Check service
ssh k3s-master-01 "kubectl get svc -n wazuh wazuh"

# Check pod logs
ssh k3s-master-01 "kubectl logs -n wazuh wazuh-manager-master-0 --tail=50"

Deployment Status

Table 6. Infrastructure Monitoring Status

Host                     Type           Method   Status
------------------------------------------------------------------------
wazuh-manager-master-0   Manager        Self     ✓ Active (ID: 000)
vault-01                 Rocky Linux    Agent    Pending
bind-01                  Rocky Linux    Agent    Pending
kvm-01                   Rocky Linux    Agent    Pending
ipa-01                   Rocky Linux    Agent    Pending
keycloak-01              Fedora         Agent    Pending
k3s-master-01            Rocky Linux    Agent    Pending
home-dc01                Windows 2025   Agent    Pending
modestus-razer           Arch Linux     Agent    Pending
pfSense-01               FreeBSD        Syslog   ✓ Active (895 events)
ise-01                   ISE 3.4        Syslog   ✓ Active (10.50.1.134:514)
C9300/3560CX             IOS-XE         Syslog   Not configured