Skip to main content


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

By following these steps, you create a user account for Expel which keeps Expel activity separate from other activity on the Wazuh console.


This guide is for on-premises installations of Wazuh. For cloud installations, see the Wazuh cloud article.

Step 1: Create an account in Elasticsearch

  1. Open the Elasticsearch console and select Stack Management from the Management menu.

  2. Select Users and click Create user.

    Screen Shot 2021-06-08 at 3.49.24 PM.png
    • For Username type expel_svc.

    • Set the Password.

    • For Full name type Expel Service Account.

    • For Email type soc+<Your_Organization_Name>


      Yes, the "+" sign is part of the email address (as in and it's important. Click here to find out why.

    • For Roles select kibana_admin.

  3. Click Create user.


Note the Elasticsearch server address and port number (the default port is 9200) for later use.

Step 2: Configure the technology in Workbench

  1. In a new browser tab, login to

  2. On the console page, navigate to Settings and click Security Devices.

  3. At the top right of the page, click Add Security Device.

  4. Search for and select Wazuh.

  5. Enter your user credentials as follows:

    • For Where is your device? select On-prem.

    • For Assembler select <?>.

    • For Name and Location enter Wazuh and <?>.

    • For Username and Password enter the username and password created in Step 1.

    • For Server address enter the server address with the port number.

    • For Is this a Wazuh cloud instance? enter <?>.