Matrix IT — Wazuh SIEM Auto-Provision

Client & Server

Identifies this deployment and the public address users will browse to.

Client / deployment name * Lowercase, used for filenames and the post-deploy page. Public DNS hostname * FQDN that resolves to the server; used for the dashboard URL & alert deep-links. HTTPS certificate Let's Encrypt needs inbound TCP 80 open at the cloud firewall and the FQDN above pointing at this server. Dashboard admin password Rotates the indexer admin account. Blank = a strong password is generated and shown on the post page. Wazuh version Wazuh Docker stack version. Indexer heap (RAM) e.g. 512m, 2g. Blank = auto-tuned.

Advanced

Wazuh Docker path

Log Ingestion

Where Appgate SDP sends its syslog. Source-IP lockdown is handled at the perimeter firewall, outside the VM.

Syslog port Protocol

Advanced

Enable syslog ingestion Allowed source IPs / CIDRs Locked down at the firewall — leave open in-VM.

Detections, Geo & Retention

Tunes location labeling, the unexpected-country rule, and how long events are kept.

Expected countries (allowlist) Comma-separated. A login from outside this list trips the unexpected-country rule. Blank = rule disabled. Retention (days) Indexed events older than this are deleted by the ISM policy. Known office egress IPs Comma-separated public IPs labeled Office on the movement dashboard. Known home egress IPs Comma-separated public IPs labeled Home. Everything else is Remote/Travel.

Advanced — feature toggles

Appgate detection rules Appgate dashboards Geo pin maps Indexed archives (audit retention)

Email Relay (SMTP)

Optional authenticated TLS relay for email alerts. A small Postfix sidecar relays manager mail with STARTTLS + SASL.

Enable email alerts

Alerts & Reports (baseline ops)

Provisions the out-of-the-box monitors, the notification recipient group, and report definitions.

Provision baseline ops (monitors / notifications / reports)

Alert recipient group name Alert recipient emails Comma-separated. Falls back to the SMTP recipients if blank. Generate PDF report definitions

Server Access & Deploy

Used by the generated script (run on your laptop) or, if you choose the direct install, sent over HTTPS to the provisioning backend and held in memory only for the duration of the deploy. Not persisted by this page.

Server IP / hostname * SSH port SSH username SSH password * For the first connection (key auth is set up afterwards). GitHub Personal Access Token * Fine-grained PAT scoped to DialogueDynamicsAI/wazuh_deployment, Administration: Read & Write (registers the server deploy key).

Heads up: the generated script contains the SSH password and PAT in plaintext. Run it from a trusted machine and delete it after the deploy completes.

Generate Deployment Package

Two artifacts: a hands-free Python deployer and a manual shell fallback. Review then download.

Run it: pip install paramiko requests → python deploy-client.py

Run it: SCP to the server, then sudo bash bootstrap-client.sh (prints the deploy key to add on GitHub manually).

Summary:

Or install directly auto

Connects to the server from this site's PHP API (api/) and runs the same install live. Requires the api/ folder with phpseclib installed (see api/README.md). Same result as running the script yourself.

Backend URL Blank = the api/ folder next to this page. Only set this to point at a different host running the API. Access token (optional) Only if the backend sets PROVISION_TOKEN.

Direct install: the SSH password and PAT are sent to your backend over HTTPS. Run the backend over TLS behind an auth gate, and confirm TCP 80 is open at the cloud firewall if you selected Let's Encrypt.