Wazuh with public IP


SaadEddine ELOTMANI

Oct 4, 2024, 7:04:52 AM
to Wazuh | Mailing List

Hello 

We have two different enterprises using Wazuh, and I'm considering merging the two Wazuh servers into a single server with a public IP address. However, I'm unsure how to separate the logs received from both enterprises. For example, logs from third-party devices (like firewalls, switches sending logs to agent 000), Office 365, Kaspersky Central are involved.

Additionally, if I want to add integrations like VirusTotal, should it be done on one manager or both? Any help would be appreciated!

Stuti Gupta

Oct 4, 2024, 7:36:55 AM
to Wazuh | Mailing List
Hi,

You can set up two Wazuh servers and indexers connected separately, with one dashboard that connects to both. You have two options:

1. Multi-Node Deployment: This involves having one Wazuh master manager node and multiple worker nodes.

2. Wazuh Multi-Site Implementation: In this setup, you would have Site A (with its own Wazuh manager and indexer) and Site B (also with its own Wazuh manager and indexer), along with a single dashboard for both sites. This allows you to view alerts from different servers on one dashboard using unique index patterns. For example, you could have `site-a-alerts-*` for Site A alerts and `site-b-alerts-*` for Site B alerts. You can find more details in this [Wazuh Multi-Site Implementation](https://wazuh.com/blog/wazuh-multi-site-implementation/) article.

Regarding the use of a public IP address, it’s generally advisable to operate Wazuh components over a private network to enhance security and reduce latency. However, if you still prefer to use public IPs, you can modify the `cert-tool` code to remove the restriction. If you need assistance with this modification, let me know. You would need to find the function called `cert_readConfig()` and comment out or delete the line that executes `exit 1`. This modification will prevent the script from exiting when the IPs are public.

Please note that using this script in a production environment could expose your services to the public internet or lead to configuration issues, resulting in potential downtime or security breaches.

You might also consider setting up integrations separately on both managers. This way, each enterprise can manage its integrations and settings independently.

Hope this helps

SaadEddine ELOTMANI

Oct 4, 2024, 9:23:51 AM
to Wazuh | Mailing List
We really need to set up a Wazuh server with a public IP address because the agent is not always on the same network as the Wazuh server. For example, with the VirusTotal integration, we only want to use a single API key.

SaadEddine ELOTMANI

Oct 4, 2024, 10:58:52 AM
to Wazuh | Mailing List
We want to set up a central Wazuh server with a public IP address and have separate dashboards for each enterprise. Is it possible to manage multiple dashboards from one server while keeping the logs and data isolated for each enterprise?

SaadEddine ELOTMANI

Oct 4, 2024, 11:44:02 AM
to Wazuh | Mailing List
TOPOTPOTPOT.png

SaadEddine ELOTMANI

Oct 6, 2024, 2:17:50 PM
to Wazuh | Mailing List
I am still waiting for a response.

Peter Santiago

Oct 6, 2024, 11:37:05 PM
to SaadEddine ELOTMANI, Wazuh | Mailing List

You can use an nginx reverse proxy.



hamza battach

Oct 6, 2024, 11:37:12 PM
to Wazuh | Mailing List
TOPOTPOTPOT.png

Stuti Gupta

Oct 9, 2024, 5:30:46 AM
to Wazuh | Mailing List
Hi Saad

Unfortunately, you can't have a separate dashboard for one cluster. As a workaround, you could have different index patterns for different sites. This allows you to view alerts from different servers on one dashboard using unique index patterns. For example, you could have `site-a-alerts-*` for Site A alerts and `site-b-alerts-*` for Site B alerts. Next, you need to create an RBAC user based on access to different indices. This is explained in the document shared before, with the steps: https://wazuh.com/blog/wazuh-multi-site-implementation/

Hope this helps
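
Added example, not part of the thread and not Wazuh's own code: a small audit for the index-pattern RBAC approach described above, flagging any role whose patterns reach more than one site's indices. The role names, the `shared_soc` misconfiguration and the index names are constructed; only `*` is treated as a wildcard, and any permission on a pattern counts as access.

```python
import re

# Constructed role definitions, shaped like the index_permissions section of
# Wazuh indexer (OpenSearch security) roles. Role names are hypothetical.
ROLES = {
    "site_a_analyst": {"index_permissions": [
        {"index_patterns": ["site-a-alerts-*"], "allowed_actions": ["read"]}]},
    "site_b_analyst": {"index_permissions": [
        {"index_patterns": ["site-b-alerts-*"], "allowed_actions": ["read"]}]},
    # Misconfigured on purpose: this pattern spans both sites.
    "shared_soc": {"index_permissions": [
        {"index_patterns": ["site-*-alerts-*"], "allowed_actions": ["read"]}]},
}

# Constructed index names following the thread's naming scheme.
SITE_INDICES = {
    "site-a": ["site-a-alerts-4.x-2024.10.04"],
    "site-b": ["site-b-alerts-4.x-2024.10.04"],
}


def pattern_matches(pattern, index):
    """Match an index name against a pattern where only '*' is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None


def sites_readable(role):
    """Return the set of sites whose indices the role's patterns cover."""
    patterns = [p for perm in role.get("index_permissions", [])
                for p in perm.get("index_patterns", [])]
    return {site for site, indices in SITE_INDICES.items()
            if any(pattern_matches(p, i) for p in patterns for i in indices)}


def cross_site_roles(roles):
    """Names of roles that reach more than one site's indices."""
    return sorted(name for name, role in roles.items()
                  if len(sites_readable(role)) > 1)


if __name__ == "__main__":
    for name, role in ROLES.items():
        print(name, sorted(sites_readable(role)))
    print("cross-site roles:", cross_site_roles(ROLES))
```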