This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

By following these steps, you create a user account for Expel which keeps Expel activity separate from other activity on the Wazuh console.


This guide is for on-premises installations of Wazuh. For cloud installations, see the Wazuh cloud article.

Step 1: Create an account in Elasticsearch

  1. Open the Elasticsearch console and select Stack Management from the Management menu.

  2. Select Users and click Create user.

    Screen Shot 2021-06-08 at 3.49.24 PM.png
    • For Username type expel_svc.

    • Set the Password.

    • For Full name type Expel Service Account.

    • For Email type soc+<Your_Organization_Name>@expel.io.


      Yes, the "+" sign is part of the email address, and it's important. Click here to find out why.

    • For Roles select kibana_admin.

  3. Click Create user.


Note the Elasticsearch server address and port number (the default port is 9200) for later use.

Step 2: Configure the technology in Workbench

  1. In a new browser tab, login to https://workbench.expel.io/settings/security-devices?setupIntegration=wazuh. You may be asked to log into Workbench.

  2. Fill in the form like this:

    • For Where is your device? select On-prem.

    • For Assembler select the assembler you want to route the Wazuh traffic through.

    • For Name and Location type a name and location that are meaningful to you.

    • For Username and Password type the username and password created in Step 1.

    • For Server address type the server address with the port number from above.

    • For Is this a Wazuh cloud instance? select Yes or No, depending on whether you're onboarding a Wazuh-hosted device.

  3. You can provide console access now or set it up later. Use the instructions below to set it up later.