Wazuh Agent Working on Private Subnet


Eric Vu

Aug 27, 2021, 1:39:38 AM
to Wazuh mailing list
Hello Wazuh Experts,

I have a few database servers on a private subnet that need to be integrated with the Wazuh Manager for monitoring. We don't have a NAT to allow the servers on the private subnet to access the internet. My server is in a remote data center.

Prod Env:
Wazuh 4.1.5 (Wazuh Cluster (1 Master Node + 1 Worker Node)), OpenDistroforelasticsearch Cluster (1 Master Node + 1 Data Node)
NGINX Load balancer for a Wazuh cluster

With my prod working, I'm researching and finding some helpful information on monitoring database servers on the private subnet. Would you please help me understand the scenarios below and correct me if I'm wrong?

1/ Scenario 1:

Put NAT between the database servers and the Wazuh manager. I copied the answer from this group in the past, but it's not clear to me:

(If the Agent has an IP address behind a NAT network setup which is not directly visible by the Manager.)

You have two ways for registering the Agent with the proper IP address:

1) On the Agent side execute 
/var/ossec/bin/agent-auth -m <manager_IP> -I any -A <agent_name>
The option "-I any" allows the Manager to register the Agent with any IP address instead of using the visible one.

2) On the Manager side add the following <use_source_ip> option in /var/ossec/etc/ossec.conf:
<ossec_config> 
    ... 
    <auth> 
        ... 
        <use_source_ip>no</use_source_ip> 
        ... 
    </auth> 
    ... 
</ossec_config>
and then restart the Manager service with systemctl restart wazuh-manager or service wazuh-manager restart.

Then, on the Agent side you will be able to register it with 
/var/ossec/bin/agent-auth -m <manager_IP>


---> Following this scenario, the Wazuh Agent will be able to authenticate with the Wazuh Manager. The Wazuh Agent will send the events to the NGINX Load balancer. At NGINX, we can configure Round Robin/Hash/Least Connections to the Worker Node. Is this correct?
It has some risk since we allow database servers to communicate with the internet.

2/ Scenario 2: it's a better option to consider.

Can we have a worker node in the DMZ, and then the Wazuh Agent authenticates with the Wazuh Worker? Is that possible? The Wazuh Agent would send the logs to the Wazuh Worker, and the Wazuh Worker would then send the logs to the Wazuh Manager. I'm not sure about this; I was a bit confused trying to understand it.

I think the worker nodes send their alerts to kibana/elasticsearch through filebeat; they do not need to communicate with the master node to send the alerts, and events will be analyzed by the worker node directly. If yes, please confirm this or correct me.

I'm looking forward to hearing from you soon.

Regards, 

Eric

Eric

Aug 30, 2021, 3:10:37 AM
to Wazuh mailing list
Hi everyone,

I'm researching scenario two that I mentioned in the previous email. I see that if we use worker nodes in the DMZ, the worker nodes send their alerts to kibana/elasticsearch through filebeat. That means if we expose Elasticsearch port 9200 in the public zone, it will become a target for attackers. We need to keep Elasticsearch in the Restricted Zone and control it through inbound traffic (ingress) or outbound traffic (egress) with SG/NACL. As far as I understand, scenario 1 is the only way to go. Any thoughts on my concern?

Regards,


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/48c045bc-388d-4ade-80a1-3e76d7bf81e0n%40googlegroups.com.

Juan Carlos

Aug 30, 2021, 10:34:50 AM
to Wazuh mailing list
Hi Eric,

Both scenarios are valid, however I would recommend the first one for simplicity.

In recent versions the default value for <use_source_ip> is no, as it is common to monitor endpoints that share an IP as seen by the Wazuh manager, and there is little benefit from binding an agent to a specific IP. You may directly register an agent without binding it to a specific IP, regardless of the manager's configuration, by using the "-I any" modifier.

If you need to create a cluster of Wazuh managers, as in option 2, rest assured that all components are built for this, just be sure to have configured Elastic Stack security with a strong password. It will also be necessary for the managers to communicate among themselves through port 1516 in order to synchronize agent and configuration information.

Let us know if you have any more questions,
Best Regards,
Juan Carlos Tello
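The settings discussed across the thread (the manager's <auth><use_source_ip> for agents behind NAT, the <cluster> block a DMZ worker needs to reach the master on port 1516, and the agent's <client><server> block pointing at the NGINX load balancer) are easy to get slightly wrong. The following linter is an added example written for this page, not code from the thread or from the Wazuh project. It runs offline over two constructed ossec.conf fragments embedded below; the node names, key, IP addresses and the load balancer address 10.0.1.100 are all made up. It assumes Wazuh 4.x semantics: use_source_ip defaults to no, the cluster key is 32 characters and identical on every node, cluster traffic uses port 1516, and agents that go through an NGINX stream load balancer must use TCP.

```python
import xml.etree.ElementTree as ET

# Constructed sample manager configuration (a worker node in the DMZ), not a real
# file from the thread. Two <ossec_config> blocks on purpose: Wazuh's ossec.conf
# is a sequence of them rather than a single well-formed XML document.
MANAGER_CONF = """
<ossec_config>
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>yes</use_source_ip>
  </auth>
</ossec_config>
<ossec_config>
  <cluster>
    <name>wazuh</name>
    <node_name>worker-dmz-01</node_name>
    <node_type>worker</node_type>
    <key>c98b62abbb0e0ea2d7c49bd2c7a62f3c</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>10.0.1.10</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
</ossec_config>
"""

# Constructed sample agent configuration pointing at the (assumed) NGINX VIP.
AGENT_CONF = """
<ossec_config>
  <client>
    <server>
      <address>10.0.1.100</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
  </client>
</ossec_config>
"""

CLUSTER_KEY_LEN = 32      # Wazuh requires a 32-character key shared by all nodes
CLUSTER_PORT = "1516"     # master <-> worker synchronisation port


def parse_ossec_conf(text):
    """Wrap the sequence of <ossec_config> blocks in a synthetic root."""
    return ET.fromstring("<root>" + text + "</root>")


def text_of(elem, path, default=""):
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else default


def check_auth(conf_text):
    """Findings for the registration service (port 1515) on a manager."""
    root = parse_ossec_conf(conf_text)
    findings = []
    if text_of(root, "./ossec_config/auth/disabled", "no") == "yes":
        findings.append("auth: registration service disabled; agent-auth will fail")
    # Default is "no"; "yes" ties each agent to the address the manager sees,
    # which is the NAT address for every agent on the private subnet.
    if text_of(root, "./ossec_config/auth/use_source_ip", "no") == "yes":
        findings.append("auth: use_source_ip=yes binds agents to the NAT address; "
                        "set it to no or register with 'agent-auth -I any'")
    return findings


def check_cluster(conf_text, expected_type):
    """Findings for the <cluster> block; expected_type is 'master' or 'worker'."""
    root = parse_ossec_conf(conf_text)
    cluster = root.find("./ossec_config/cluster")
    if cluster is None:
        return ["cluster: no <cluster> block; node runs standalone"]
    findings = []
    if text_of(cluster, "disabled", "yes") != "no":
        findings.append("cluster: <disabled> is not 'no'; node will not join the cluster")
    node_type = text_of(cluster, "node_type")
    if node_type != expected_type:
        findings.append(f"cluster: node_type is '{node_type}', expected '{expected_type}'")
    if len(text_of(cluster, "key")) != CLUSTER_KEY_LEN:
        findings.append(f"cluster: key must be exactly {CLUSTER_KEY_LEN} characters")
    if text_of(cluster, "port", CLUSTER_PORT) != CLUSTER_PORT:
        findings.append("cluster: non-default port; open it between master and workers too")
    masters = [n for n in cluster.findall("nodes/node") if (n.text or "").strip()]
    if expected_type == "worker" and not masters:
        findings.append("cluster: worker has no master address under <nodes>")
    return findings


def check_agent_client(conf_text, lb_address):
    """Findings for an agent that must reach the managers through the load balancer."""
    root = parse_ossec_conf(conf_text)
    server = root.find("./ossec_config/client/server")
    if server is None:
        return ["client: no <server> block; agent has nowhere to send events"]
    findings = []
    if text_of(server, "address") != lb_address:
        findings.append(f"client: address should be the load balancer {lb_address}")
    if text_of(server, "port", "1514") != "1514":
        findings.append("client: port differs from 1514; match the NGINX listener")
    if text_of(server, "protocol", "tcp") != "tcp":
        findings.append("client: protocol must be tcp to pass through an NGINX stream LB")
    return findings


if __name__ == "__main__":
    for name, result in (("manager auth", check_auth(MANAGER_CONF)),
                         ("worker cluster", check_cluster(MANAGER_CONF, "worker")),
                         ("agent client", check_agent_client(AGENT_CONF, "10.0.1.100"))):
        print(name, "->", result or "ok")
```

On the constructed inputs the auth check flags use_source_ip=yes (the first fix from scenario 1), the cluster check passes for a worker but would fail if the same file were run on a node expected to be the master, and the agent check flags the udp protocol, which is what breaks the NGINX path in scenario 1. Pointing the functions at real files is a matter of reading /var/ossec/etc/ossec.conf into the text arguments.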

Eric

Aug 30, 2021, 10:54:11 AM
to Juan Carlos, Wazuh mailing list
Hi Juan Carlos Tello, 

Thank you for your email, 

It's highly appreciated. 

With best regards, and please stay safe!

Eric Vu
