Build Wazuh cluster based all-in-one server

[sang thanh]

Hi everyone,

I got a mistake when provisioning the Wazuh production into one EC2 on AWS (all-in-one), so now I want to have a cluster for the Manager and Indexer in other servers based on the components I already have for HA and clustering purpose.

Can you give me the guide how to do this?

Thanks a lot.

[Jesus Linares]

Hi,

If you didn't connect agents or performed any configuration, I would recommend starting over since it would be faster. 

If it is not your case, just go component by component:

Wazuh manager

I would keep your current server for the wazuh manager. If you need more, just create new instances and join them to the wazuh cluster.

Wazuh dashboard

The wazuh dasbhoard can be easily moved to another server. Once is deployed and configured in another server just remove the dashboard package in the old one.

Wazuh indexer

Option 1: Create a new cluster of wazuh indexers. Then, point the filebeat of the manager to this new cluster. Previous data will be lost.

Option 2: Deploy new nodes of wazuh indexers and join them to the current cluster. If you have enough index replicas, once the new nodes are deployed, you can just remove the oldest wazuh-indexer. Previous data will be kept.

Keep in mind that you will need to review your security groups to allow proper communications between instances.

Let me know if you need more details.

[sang thanh]

Hi Jesus Linares,

Thanks for your kindly respond.

My current Wazuh ran a few months ago, so I wanna keep my all data. Based on your response, now I just focus on 2 components:

Wazuh Manager:

I will create a new instance and install new Wazuh Manager on that, but not sure it's can be same version with the current cause I use the Assist Installation, is it matter? And can you teach me how can I join the new instance into the current cluster?

Wazuh Indexer:

Options 2: I will create 2 more Indexers but again, not sure those can be same version with the current, and how can I join them in to the current cluster?

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3597b655-8e08-4d68-8e8c-7a06e7818921n%40googlegroups.com.

[Jesus Linares]

Hi,

We recommend having everything in the same version.

For the Wazuh manager, just deploy a new manager and configure the cluster section of the ossec.conf: same name, new node name, same key, and set the master (your current node) in nodes.node. Also, compare the ossec.conf of your nodes, they should be equal except for the "cluster section". Here are the cluster settings explained.

You can check if the node is joined using the tool cluster-control. For debugging, check the files: /var/ossec/logs/cluster.log and /var/ossec/logs/ossec.log.

For the indexer, you need to use the same certificates that you are using for your current node. Then, configure the settings in /etc/wazuh-indexer/opensearch.yml, mainly the discovery.seed_hosts (check out this section).

You can review the nodes with: curl -k -u user:password "https://<WAZUH_INDEXER_IP>:9200/_cat/nodes?v".

Do not forget to add the new node in the Filebeat output list: https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html#configuring-filebeat

I hope it helps.

[sang thanh]

Yes thanks alot,

Last question, my Wazuh cluster using version 4.3.9, the newest now is 4.3.10 if I use the assist installation. Can I install the older version by using the assist installation or have to install from source or some things?

Vào lúc 20:19:47 UTC+7 ngày Thứ Sáu, 16 tháng 12, 2022, Jesus Linares đã viết: