Creating an OpenSearch user

The connector needs to connect to Wazuh’s OpenSearch instance in order to search alerts. Wazuh’s own API is not the same as OpenSearch’s, and does not provide a way to query alerts.

The Wazuh web interface is an OpenSearch dashboard, with a Wazuh app. You’ll therefore see two places to configure users and roles. You’ll need to create an OpenSearch user, and not a Wazuh user. Navigate to the OpenSearch Security section:


Then navigate to Internal users and click on the Create internal user button.

  1. Enter a descriptive username

  2. Choose a passphrase (pick a complex passphrase)

  3. Repeat the chosen passphrase

  4. Select readall as backend role

  5. Click Create


That’s it!

Note

It is absolutely possible to create more constrained permissions for the user, and doing so is recommended. The roles/permissions needed depend on your index management and configuration.
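
One way to constrain the user as the note recommends, shown as an added example that is not part of the original documentation: a read-only role scoped to the alerts indices, mapped to the connector user through the OpenSearch Security REST API. The role name, user name, `wazuh-alerts-*` index pattern, the `_plugins/_security` API path and the `OS_*` variables are assumptions to adjust to your deployment.

```shell
#!/usr/bin/env bash
# Added example: read-only role limited to the alerts indices.
# Assumed, not from the page: role/user names, index pattern, and the
# OS_URL, OS_ADMIN, OS_ADMIN_PASS variables for an admin session.
ROLE="${ROLE:-connector_alerts_ro}"                    # hypothetical role name
CONNECTOR_USER="${CONNECTOR_USER:-connector-reader}"   # hypothetical user name
INDEX_PATTERN="${INDEX_PATTERN:-wazuh-alerts-*}"       # assumed alerts indices

# Role: search/read on the alerts indices only, no write or admin actions.
role_body() {
  cat <<EOF
{
  "cluster_permissions": ["cluster_composite_ops_ro"],
  "index_permissions": [
    {
      "index_patterns": ["${INDEX_PATTERN}"],
      "allowed_actions": ["read"]
    }
  ],
  "tenant_permissions": []
}
EOF
}

# Mapping: bind the role to the single connector user, not to a backend role.
mapping_body() {
  printf '{"users": ["%s"], "backend_roles": [], "hosts": []}\n' "$CONNECTOR_USER"
}

# One PUT to the Security REST API. curl verifies TLS against the system
# trust store; add --cacert if the indexer uses a private CA.
put() {
  curl --silent --show-error --fail \
       --user "${OS_ADMIN}:${OS_ADMIN_PASS}" \
       --header 'Content-Type: application/json' \
       --request PUT "${OS_URL}/_plugins/_security/api/$1" --data "$2"
}

apply_role() {
  put "roles/${ROLE}" "$(role_body)" &&
  put "rolesmapping/${ROLE}" "$(mapping_body)"
}

# Contact the indexer only when invoked as: ./script.sh apply
if [ "${1:-}" = "apply" ]; then apply_role; fi
```

Create the internal user without the readall backend role so that this mapping is its only grant, then confirm the connector can still search alerts.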