how can I name a worker node?
208 views
Skip to first unread message
Hamado Dene
Nov 27, 2018, 1:39:27 PM11/27/18
to Wazuh mailing list
I configured my wazuh as a cluster.
how can I connect an agent to the cluster?
how can I name a worker node?
how exactly does a worker node work? and who can be named a worker node?
Pedro Sánchez
Nov 27, 2018, 2:23:30 PM11/27/18
to hamad...@gmail.com, wa...@googlegroups.com
Hi Hamado,
I think the majority of your questions can be solved using our day-to-day in progress documentation:
- how can I connect an agent to the cluster?
You will connect your agent either to a master node, worker node or a load balancer, it depends on how you want to distribute your events (load).
- how can I name a worker node?
<node_name>your_name</node_name>
- how exactly does a worker node work? and who can be named a worker node?
A worker node is essentially a Wazuh manager configured to receive a specific configuration from a master node (agent keys, groups, and other metadata), and at the same time, to send specific info to the master node (agent status).
A worker node is "named" or "chosen" by enabling the cluster conf and selecting "worker" in the node type setting.
I hope it helps, let us know if you have any questions.
Best regards,
Pedro.
PS: I hope next time you can say "hi" at least when you ask for help, thanks.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/fb9569e2-a40a-4b80-bc20-779dc1e0b57b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Hamado Dene
Nov 28, 2018, 2:22:36 AM11/28/18
to Wazuh mailing list
So basically a worker is a manager who is configured as a cluster
Worker? If so, how do I communicate to the master of the existence of other workers?
And in addition the auth of an agent with the master remains the same? And also applies to the Auth with a worker?
I didn't quite understand how the load balancer works.
From the documentation I could not understand everything to 100%.
Juanjo Jiménez
Nov 28, 2018, 3:37:07 AM11/28/18
to Hamado Dene, wa...@googlegroups.com
Hello Hamado,
In a Wazuh cluster, all involved nodes (both master and workers) are Wazuh managers. For every host that you want to use as a cluster node, you must install the Wazuh manager.
The worker nodes communicate with the cluster thanks to this configuration block:
<nodes>
<node>MASTER_NODE_IP_ADDRESS</node>
</nodes>
This block is placed inside the <cluster> configuration block on each manager’s ossec.conf file. Here you must insert the master node’s IP address. All the nodes in the cluster (both master and workers) must have the same IP address from the master. This way, each node will communicate with the master (that’s how our cluster works in order to synchronize files).
When it comes to registering agents, they must be registered on the master node. Any registration method is valid (for example, authd).
The only thing to keep in mind is that the IP address on the agent’s ossec.conf file must be the one from the node that you want the agent to report events. For example, if you have 10 agents and each of them is configured with the master’s IP address, every node will report to the master, so maybe you want to distribute your agents either manually or with a load balancer.
In the future, we’ll improve our documentation to include steps to configure a load balancer. Also, we’ll improve the explanation of a cluster configuration.
Let us know if you have more questions or doubts about this.
Regards,
Juanjo
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/9b487d4c-4caa-4d85-9514-802b871836fa%40googlegroups.com.
Hamado Dene
Nov 29, 2018, 3:05:19 AM11/29/18
to Wazuh mailing list
Juanjo Jiménez
Nov 29, 2018, 3:49:28 AM11/29/18
to Hamado Dene, wa...@googlegroups.com
Hello again Hamado,
Every Wazuh cluster node must have its own Filebeat instance in order to collect the events from the alerts.json file. The Filebeat instance will forward the events to Logstash.
For example, you can have all your Wazuh cluster nodes with its own FIlebeat instance, reporting to a single Logstash instance that will pre-format the events before indexing them on Elasticsearch.
On Kibana and the Wazuh app, you’ll be able to see all the events organized by cluster node, because our app detects if you’re using a cluster or not.
Remember that you need the Wazuh API on the master node of your cluster, and the Wazuh app must be connected to that API.
I hope this helps you. Let us know if you have more questions.
Regards,
Juanjo
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c6141a41-bcc8-4d05-86e9-5505eca47b15%40googlegroups.com.
Message has been deleted
Hamado Dene
Nov 29, 2018, 6:56:45 AM11/29/18
to Wazuh mailing list
install my wazuh worker and everything went fine. (See photo)
But in Kibana node02 is not displayed.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
Juanjo Jiménez
Nov 30, 2018, 7:39:36 AM11/30/18
to Hamado Dene, wa...@googlegroups.com
Hello again Hamado,
Sorry for the late response.
I can see that you’re on the Agents tab from the Wazuh app. On the nodes selector, not all of them necessarily have to appear, it depends on the number of agents each node is monitoring. If you don’t have any agents on your second node, it won’t appear on the node selector, because there are no agents to filter by that node.
But we can see if your nodes are correctly configured if you open the Management > Monitoring tab on the top navbar. In this app section, you can see all the information related to your cluster, and its nodes.
You can also open the Dev tools tab on the top navbar and execute the following API request, just by typing the following on the left pane and then clicking on the Execute button (the green play button):
GET /cluster/nodes
You don’t have to install the Wazuh API on the worker nodes. Only the master node needs to have the Wazuh API package installed, and connect the Wazuh app to that API.
Let me know if this helps.
Regards,
 | Juanjo Jiménez Software Engineer  The Open Source Security Platform |   |
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c6141a41-bcc8-4d05-86e9-5505eca47b15%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8ae7c737-af83-4e72-b87b-b22918f8ec67%40googlegroups.com.
Hamado Dene
Nov 30, 2018, 8:25:19 AM11/30/18
to Wazuh mailing list
hello Juanjo,
thanks for your help,
it's all ok now.
Best Regards,
Hama
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c6141a41-bcc8-4d05-86e9-5505eca47b15%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
Hamado Dene
Nov 30, 2018, 8:37:41 AM11/30/18
to Wazuh mailing list
i have a last one question:
What happens when the master dies?
how can I behave in order not to stop the service using the workers?
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c6141a41-bcc8-4d05-86e9-5505eca47b15%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
Juanjo Jiménez
Nov 30, 2018, 9:01:11 AM11/30/18
to Hamado Dene, wa...@googlegroups.com
Hi again,
When the master node stops working, the worker nodes will continue receiving events from the agents they're monitoring, but the won't keep other important files synchronized with the master node. You won't lose events, but indeed the cluster won't be behaving properly.
When the master restarts, all the files will be synced again to the worker nodes.
In the future, we'll improve these situations by implementing the multiple masters. You'll be able to create more than one master node, so in the case one of them fails, the rest of master nodes will take care of everything in order to keep the cluster working fine at all times.
Regards,
| Juanjo Jiménez Software Engineer The Open Source Security Platform | |
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c6141a41-bcc8-4d05-86e9-5505eca47b15%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8ae7c737-af83-4e72-b87b-b22918f8ec67%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c1baca64-8c73-4798-8dcb-bfcbba744346%40googlegroups.com.
Hamado Dene
Nov 30, 2018, 9:27:47 AM11/30/18
to Wazuh mailing list
Another question:
if I'm analyzing a log,
in the chaos the manager breaks up, is there a way to start the analysis again from where I had finished?
I mean by installing a new manager.
Juanjo Jiménez
Nov 30, 2018, 10:32:41 AM11/30/18
to Hamado Dene, wa...@googlegroups.com
I'm sorry Hamado, I'm not completely sure what you mean by "analyzing a log".
Please, elaborate your question a little bit more. Are you referring to the fact that a cluster node is performing some kind of event analysis? Or maybe just about what happens if the manager stops working while performing some task?
Apologies for the inconvenience.
Regards,
| Juanjo Jiménez Software Engineer The Open Source Security Platform | |
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/be5f2510-1a86-46f3-ad2c-18b84b48150f%40googlegroups.com.
Hamado Dene
Nov 30, 2018, 11:58:09 AM11/30/18
to Wazuh mailing list
if the manager while analyzing a file breaks up and I install a new manager, is there any way to continue to analyze that file from where it was interrupted without having to start again from the very beginning of the file?
Juanjo Jiménez
Dec 3, 2018, 5:15:56 AM12/3/18
to Hamado Dene, wa...@googlegroups.com
Hello again Hamado, and sorry for the late response.
In case you reinstall the Wazuh manager, the analysis won't continue from the point where it was interrupted. It will be set to the end of the file, and the new content from that point in time will be analyzed. The same thing will happen if you simply restart the manager in case of failure or malfunctioning.
I hope this clarifies your question.
Regards,
| Juanjo Jiménez Software Engineer The Open Source Security Platform | |
El vie., 30 nov. 2018 a las 17:58, Hamado Dene (<hamad...@gmail.com>) escribió:
if the manager while analyzing a file breaks up and I install a new manager, is there any way to continue to analyze that file from where it was interrupted without having to start again from the very beginning of the file?
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3ee184e6-92d7-4899-8863-3e4dc3e55dca%40googlegroups.com.
Hamado Dene
Dec 3, 2018, 5:37:28 AM12/3/18
to Wazuh mailing list
Hello Juanjo,
I understood everything.
thanks for your help.
Best regards,
Hama
Il giorno lunedì 3 dicembre 2018 11:15:56 UTC+1, Juanjo Jiménez ha scritto:
Hello again Hamado, and sorry for the late response.In case you reinstall the Wazuh manager, the analysis won't continue from the point where it was interrupted. It will be set to the end of the file, and the new content from that point in time will be analyzed. The same thing will happen if you simply restart the manager in case of failure or malfunctioning.I hope this clarifies your question.Regards,
Juanjo Jiménez
Software EngineerThe Open Source Security Platform
El vie., 30 nov. 2018 a las 17:58, Hamado Dene (<hamad...@gmail.com>) escribió:
if the manager while analyzing a file breaks up and I install a new manager, is there any way to continue to analyze that file from where it was interrupted without having to start again from the very beginning of the file?--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
Juanjo Jiménez
Dec 3, 2018, 5:50:54 AM12/3/18
to Hamado Dene, wa...@googlegroups.com
Glad to help Hamado. Don't hesitate to open a new thread if you have more questions or problems while using Wazuh.
Regards,
| Juanjo Jiménez Software Engineer The Open Source Security Platform | |
El lun., 3 dic. 2018 a las 11:37, Hamado Dene (<hamad...@gmail.com>) escribió:
Hello Juanjo,I understood everything.thanks for your help.Best regards,Hama
Il giorno lunedì 3 dicembre 2018 11:15:56 UTC+1, Juanjo Jiménez ha scritto:
Hello again Hamado, and sorry for the late response.In case you reinstall the Wazuh manager, the analysis won't continue from the point where it was interrupted. It will be set to the end of the file, and the new content from that point in time will be analyzed. The same thing will happen if you simply restart the manager in case of failure or malfunctioning.I hope this clarifies your question.Regards,
Juanjo Jiménez
Software Engineer
El vie., 30 nov. 2018 a las 17:58, Hamado Dene (<hamad...@gmail.com>) escribió:
if the manager while analyzing a file breaks up and I install a new manager, is there any way to continue to analyze that file from where it was interrupted without having to start again from the very beginning of the file?--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3ee184e6-92d7-4899-8863-3e4dc3e55dca%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e04b0748-b430-4626-a825-6562db75bd0b%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages