Multi host (separate servers/VMs) setup


Zoltán Beck

Feb 3, 2025, 6:35:24 AM2/3/25
to Wazuh | Mailing List
Hi,

  I'd like to ask for help: I've been trying for a few days now and haven't found a solution yet. I want to build a multi-server Wazuh cluster. I've gone through the official documentation several times, but every attempt ends with a certificate error when starting the containers.

Any advice?

  Kind Regards,
Zoltan

PS: this is what I did:

root@xdr06:/srv/wazuh-docker/single-node# cat docker-compose.yml 

# Wazuh manager service as posted for host xdr06 (first service in this
# compose file). The FILEBEAT_* / SSL_* variables suggest the image also runs
# Filebeat to ship data to the indexer - confirm against the image docs.
services:

  wazuh.manager:

    image: wazuh/wazuh-manager:4.10.1

    hostname: xdr06-manager

    restart: always

    # -1 lifts the locked-memory limit; nofile raises the open-file limit.
    ulimits:

      memlock:

        soft: -1

        hard: -1

      nofile:

        soft: 655360

        hard: 655360

    # No host IP is given, so each port is published on every host interface.
    # Wazuh defaults: 1514 agent traffic, 1515 agent enrollment, 514/udp
    # syslog, 55000 server API. Limit reachability with a host firewall or an
    # explicit bind address where only some networks need access.
    ports:

      - "1514:1514"

      - "1515:1515"

      - "514:514/udp"

      - "55000:55000"

    environment:

      # NOTE(review): with FILEBEAT_SSL_VERIFICATION_MODE=full the host part of
      # INDEXER_URL must match a SAN in the certificate the indexer presents
      # (a hostname needs a DNS SAN, an IP needs an IP SAN).
      - INDEXER_URL=https://xdr06-indexer:9200

      - INDEXER_USERNAME=admin

      # NOTE(review): credentials are inline plaintext and were posted publicly.
      # They look like the sample values from the upstream wazuh-docker files -
      # confirm, rotate them, and keep real values in an env file or secret
      # store outside version control.
      - INDEXER_PASSWORD=SecretPassword

      - FILEBEAT_SSL_VERIFICATION_MODE=full

      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem

      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem

      - SSL_KEY=/etc/ssl/filebeat.key

      - API_USERNAME=wazuh-wui

      - API_PASSWORD=MyS3cr37P450r.*-

    volumes:

      - wazuh_api_configuration:/var/ossec/api/configuration

      - wazuh_etc:/var/ossec/etc

      - wazuh_logs:/var/ossec/logs

      - wazuh_queue:/var/ossec/queue

      - wazuh_var_multigroups:/var/ossec/var/multigroups

      - wazuh_integrations:/var/ossec/integrations

      - wazuh_active_response:/var/ossec/active-response/bin

      - wazuh_agentless:/var/ossec/agentless

      - wazuh_wodles:/var/ossec/wodles

      - filebeat_etc:/etc/filebeat

      - filebeat_var:/var/lib/filebeat

      # presumably the same CA as root-ca.pem with different file ownership -
      # verify both files carry the same certificate.
      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem

      # NOTE(review): the certificate and key mounted for Filebeat are the
      # xdr04 dashboard pair, not a pair issued for this manager node. The same
      # pair is also mounted into the indexer and dashboard services of this
      # file, so one private key is shared across three roles; each component
      # should present its own certificate.
      - ./config/wazuh_indexer_ssl_certs/xdr04-dashboard.pem:/etc/ssl/filebeat.pem

      - ./config/wazuh_indexer_ssl_certs/xdr04-dashboard-key.pem:/etc/ssl/filebeat.key

      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf


  # Wazuh indexer service for host xdr06; serves HTTPS on 9200.
  wazuh.indexer:

    image: wazuh/wazuh-indexer:4.10.1

    hostname: xdr06-indexer

    restart: always

    # Published on every host interface (no bind address given).
    # NOTE(review): restrict 9200 to the hosts that need the indexer API.
    ports:

      - "9200:9200"

    environment:

      # Fixed 1 GiB JVM heap (initial and maximum).
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"

    ulimits:

      memlock:

        soft: -1

        hard: -1

      nofile:

        soft: 65536

        hard: 65536

    volumes:

      - wazuh-indexer-data:/var/lib/wazuh-indexer

      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem

      # NOTE(review): the indexer's node key and certificate are the xdr04
      # dashboard pair, so clients connecting to xdr06-indexer are shown a
      # certificate issued for a different node and role. Mount the pair
      # generated for this indexer node instead.
      - ./config/wazuh_indexer_ssl_certs/xdr04-dashboard-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key

      - ./config/wazuh_indexer_ssl_certs/xdr04-dashboard.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem

      # Admin certificate and key; presumably used for security-plugin
      # administration - keep the key readable only by the indexer user.
      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem

      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem

      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml

      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml


  # Wazuh dashboard service for host xdr06; container port 5601 is exposed
  # on host port 443.
  wazuh.dashboard:

    image: wazuh/wazuh-dashboard:4.10.1

    hostname: xdr06-dashboard

    restart: always

    ports:

      # NOTE(review): unquoted, unlike the other port mappings in this file;
      # quoting port mappings avoids YAML implicit-typing surprises.
      - 443:5601

    environment:

      - INDEXER_USERNAME=admin

      # NOTE(review): inline plaintext credentials, posted publicly - rotate
      # them and move real values to an env file or secret store.
      - INDEXER_PASSWORD=SecretPassword

      # No port in this URL; the manager service publishes its API on 55000.
      # presumably the port is set elsewhere (e.g. the mounted wazuh.yml) -
      # confirm.
      - WAZUH_API_URL=https://xdr06-manager

      - DASHBOARD_USERNAME=kibanaserver

      # NOTE(review): password is identical to the username.
      - DASHBOARD_PASSWORD=kibanaserver

      - API_USERNAME=wazuh-wui

      - API_PASSWORD=MyS3cr37P450r.*-

    volumes:

      # NOTE(review): certificate pair issued for xdr04-dashboard, mounted on
      # the xdr06 dashboard; use the pair generated for this node.
      - ./config/wazuh_indexer_ssl_certs/xdr04-dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem

      - ./config/wazuh_indexer_ssl_certs/xdr04-dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem

      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem

      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml

      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

      - wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config

      - wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom

    depends_on:

      - wazuh.indexer

    # `links` is a legacy Compose option; services on the same Compose network
    # already resolve each other by service name.
    links:

      - wazuh.indexer:wazuh.indexer

      - wazuh.manager:wazuh.manager


# Named volumes referenced by the services above; each entry has no options,
# so Compose creates it with the default driver. Several of them hold manager
# state and configuration (etc, queue, api configuration), so treat backups
# of these volumes as sensitive.
volumes:

  wazuh_api_configuration:

  wazuh_etc:

  wazuh_logs:

  wazuh_queue:

  wazuh_var_multigroups:

  wazuh_integrations:

  wazuh_active_response:

  wazuh_agentless:

  wazuh_wodles:

  filebeat_etc:

  filebeat_var:

  wazuh-indexer-data:

  wazuh-dashboard-config:

  wazuh-dashboard-custom:


### =============================================================================================================== ###


root@xdr06:/srv/wazuh-docker/single-node# cat config/certs.yml 

# Input for the certificate generator: one entry per indexer, server and
# dashboard node on three hosts (10.1.170.146-148).
# NOTE(review): every node is described by an IP address only. The
# xdr06-server certificate printed further down this page has a single SAN,
# "IP Address:10.1.170.148", so a client that connects by hostname with full
# verification cannot match it. Either address the nodes by these IPs, or
# include the DNS names in the certificates - TODO confirm whether the
# generator accepts a hostname in this field.
nodes:

  # Wazuh indexer nodes

  indexer:

    - name: xdr04-indexer

      ip: 10.1.170.146

    - name: xdr05-indexer

      ip: 10.1.170.147

    - name: xdr06-indexer

      ip: 10.1.170.148


  # Wazuh server nodes
  # Names here end in "-server", while the compose file sets the manager
  # container hostname to xdr06-manager.

  server:

    - name: xdr04-server

      ip: 10.1.170.146

      node_type: master

    - name: xdr05-server

      ip: 10.1.170.147

      node_type: worker

    - name: xdr06-server

      ip: 10.1.170.148

      node_type: worker


  # Wazuh dashboard nodes

  dashboard:

    - name: xdr04-dashboard

      ip: 10.1.170.146

    - name: xdr05-dashboard

      ip: 10.1.170.147

    - name: xdr06-dashboard

      ip: 10.1.170.148


### =============================================================================================================== ###


root@xdr06:/srv/wazuh-docker/single-node# docker compose -f generate-indexer-certs.yml run --rm generator

[+] Creating 1/1

 ✔ Network single-node_default  Created                                                                                                                                                                                                  0.1s 

[+] Running 5/5

 ✔ generator Pulled                                                                                                                                                                                                                      5.3s 

   ✔ 17d0386c2fff Pull complete                                                                                                                                                                                                          2.6s 

   ✔ 7ce91ec7d1d3 Pull complete                                                                                                                                                                                                          3.6s 

   ✔ 5249716d429c Pull complete                                                                                                                                                                                                          3.6s 

   ✔ d7003467fd14 Pull complete                                                                                                                                                                                                          3.7s 

The tool to create the certificates exists in the in Packages bucket

03/02/2025 11:10:00 INFO: Generating the root certificate.

03/02/2025 11:10:00 INFO: Generating Admin certificates.

03/02/2025 11:10:00 INFO: Admin certificates created.

03/02/2025 11:10:00 INFO: Generating Wazuh indexer certificates.

03/02/2025 11:10:01 INFO: Wazuh indexer certificates created.

03/02/2025 11:10:01 INFO: Generating Filebeat certificates.

03/02/2025 11:10:01 INFO: Wazuh Filebeat certificates created.

03/02/2025 11:10:01 INFO: Generating Wazuh dashboard certificates.

03/02/2025 11:10:01 INFO: Wazuh dashboard certificates created.

Moving created certificates to the destination directory

Changing certificate permissions

Setting UID indexer and dashboard

Setting UID for wazuh manager and worker


### =============================================================================================================== ###


root@xdr06:/srv/wazuh-docker/single-node# ls -la config/wazuh_indexer_ssl_certs/

total 104

dr-x------ 2 root    root            4096 Feb  3 11:10 .

drwxr-xr-x 6 root    root            4096 Feb  3 11:09 ..

-r-------- 1    1000            1000 1704 Feb  3 11:10 admin-key.pem

-r-------- 1    1000            1000 1119 Feb  3 11:10 admin.pem

-r-------- 1 dnsmasq systemd-journal 1704 Feb  3 11:10 root-ca-manager.key

-r-------- 1 dnsmasq systemd-journal 1204 Feb  3 11:10 root-ca-manager.pem

-r-------- 1    1000            1000 1704 Feb  3 11:10 root-ca.key

-r-------- 1    1000            1000 1204 Feb  3 11:10 root-ca.pem

-r-------- 1    1000            1000 1704 Feb  3 11:10 xdr04-dashboard-key.pem

-r-------- 1    1000            1000 1245 Feb  3 11:10 xdr04-dashboard.pem

-r-------- 1    1000            1000 1708 Feb  3 11:10 xdr04-indexer-key.pem

-r-------- 1    1000            1000 1245 Feb  3 11:10 xdr04-indexer.pem

-r-------- 1 dnsmasq systemd-journal 1704 Feb  3 11:10 xdr04-server-key.pem

-r-------- 1 dnsmasq systemd-journal 1241 Feb  3 11:10 xdr04-server.pem

-r-------- 1    1000            1000 1704 Feb  3 11:10 xdr05-dashboard-key.pem

-r-------- 1    1000            1000 1245 Feb  3 11:10 xdr05-dashboard.pem

-r-------- 1    1000            1000 1704 Feb  3 11:10 xdr05-indexer-key.pem

-r-------- 1    1000            1000 1245 Feb  3 11:10 xdr05-indexer.pem

-r-------- 1 dnsmasq systemd-journal 1704 Feb  3 11:10 xdr05-server-key.pem

-r-------- 1 dnsmasq systemd-journal 1241 Feb  3 11:10 xdr05-server.pem

-r-------- 1    1000            1000 1704 Feb  3 11:10 xdr06-dashboard-key.pem

-r-------- 1    1000            1000 1245 Feb  3 11:10 xdr06-dashboard.pem

-r-------- 1    1000            1000 1704 Feb  3 11:10 xdr06-indexer-key.pem

-r-------- 1    1000            1000 1245 Feb  3 11:10 xdr06-indexer.pem

-r-------- 1 dnsmasq systemd-journal 1704 Feb  3 11:10 xdr06-server-key.pem

-r-------- 1 dnsmasq systemd-journal 1241 Feb  3 11:10 xdr06-server.pem


### =============================================================================================================== ###


root@xdr06:/srv/wazuh-docker/single-node# openssl x509 -in config/wazuh_indexer_ssl_certs/xdr06-server.pem -noout -text 

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            79:ab:15:df:07:77:58:d9:0c:4c:37:49:a8:0e:33:1a:e3:c8:9e:9d

        Signature Algorithm: sha256WithRSAEncryption

        Issuer: OU = Wazuh, O = Wazuh, L = California

        Validity

            Not Before: Feb  3 11:10:01 2025 GMT

            Not After : Feb  1 11:10:01 2035 GMT

        Subject: C = US, L = California, O = Wazuh, OU = Wazuh, CN = xdr06-server

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (2048 bit)

                Modulus:

                    00:bf:f5:64:e3:70:0a:9b:5c:c8:17:12:d9:a3:fc:

                    aa:5f:35:2d:39:35:e3:d4:04:d6:fe:f1:f0:c6:68:

                    af:de:8d:34:91:e3:3f:73:b2:58:4b:46:9e:14:b4:

                    83:9f:04:d2:69:82:84:18:93:99:86:ed:22:2a:0f:

                    18:61:9d:4f:07:3b:7e:59:24:76:39:0b:3a:70:bb:

                    8b:76:d4:75:07:7d:a9:7b:2a:c6:aa:6a:82:e9:4f:

                    2e:6c:41:09:f8:0e:96:13:13:99:d1:54:53:f0:e3:

                    9c:08:9a:99:d2:81:b6:61:df:43:d5:67:88:6c:52:

                    6f:59:34:22:0e:8b:0d:4a:ad:5a:4c:4d:8b:ef:c1:

                    ed:d4:af:e1:22:1a:7f:ac:e2:ce:fe:fb:0d:1d:04:

                    0c:7e:d3:d8:34:73:63:04:40:79:d2:6e:a4:61:9e:

                    42:3a:7a:db:ef:94:4b:7e:44:37:dc:23:04:39:8a:

                    b8:e1:57:08:0d:5b:6c:cc:ff:b9:7d:58:68:30:9e:

                    0f:36:13:ac:04:fd:3e:67:cc:73:c3:81:50:04:01:

                    32:dc:45:24:3d:66:69:43:3e:65:fc:f3:a5:9a:7b:

                    1d:81:04:e6:5a:ce:ab:10:f1:14:60:1c:2e:4f:c3:

                    c3:2f:1f:71:7c:35:ab:99:9a:83:c7:4f:37:a8:40:

                    74:7f

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Authority Key Identifier: 

                4B:B4:93:42:1D:D7:24:98:42:27:20:28:E2:9A:66:EB:C6:4D:A3:8A

            X509v3 Basic Constraints: 

                CA:FALSE

            X509v3 Key Usage: 

                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment

            X509v3 Subject Alternative Name: 

                IP Address:10.1.170.148

    Signature Algorithm: sha256WithRSAEncryption

    Signature Value:

        75:60:74:ef:35:a8:e0:df:5f:f1:05:55:02:e7:d8:cb:a6:da:

        9d:f6:12:a7:ce:30:31:0f:e6:ee:b5:be:39:0e:6a:ef:9f:5a:

        a8:1f:af:79:84:63:a5:7e:df:84:7c:d0:e2:c8:7f:64:1a:0e:

        f1:cf:99:b6:50:ca:93:bf:84:29:3b:5c:f3:8d:0e:38:06:b1:

        d0:8a:f5:8e:89:82:db:40:0d:99:e3:8a:5f:cd:59:92:05:6e:

        80:89:e4:75:67:ff:ff:fe:ca:29:fc:53:81:e5:00:91:31:b3:

        be:b7:f9:20:a2:ff:de:d0:45:82:4a:de:93:2b:d3:39:f6:ef:

        aa:23:18:0f:6b:c3:14:a2:a0:8e:9a:1a:46:df:62:24:be:07:

        69:d8:55:39:42:35:5d:a7:a8:2a:38:9b:14:71:02:40:9e:43:

        92:36:65:9b:ea:12:7a:90:b1:16:48:72:7e:a5:fa:b9:3b:17:

        98:dd:a7:bf:7e:83:be:74:af:2e:ca:93:88:0e:68:3f:6d:b4:

        bb:aa:f9:da:f8:9e:01:fd:bf:15:50:bd:81:9b:a6:86:1e:9c:

        4c:72:8d:a0:d9:0e:c1:c8:d2:28:9a:15:0c:3c:1d:42:29:7b:

        e6:5e:0f:fc:01:53:e6:aa:f5:9d:fb:61:e8:92:37:b1:44:f1:

        bd:8f:21:da


### =============================================================================================================== ###


root@xdr06:/srv/wazuh-docker/single-node# docker compose up

...

wazuh.manager-1    | 2025-02-03T11:20:18.554Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://xdr06-indexer:9200)): Get "https://xdr06-indexer:9200": x509: certificate is not valid for any names, but wanted to match xdr06-indexer

wazuh.manager-1    | 2025-02-03T11:20:18.554Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://xdr06-indexer:9200)) with 3 reconnect attempt(s)

wazuh.manager-1    | 2025-02-03T11:20:18.555Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer

wazuh.manager-1    | 2025-02-03T11:20:18.555Z INFO [publisher] pipeline/retry.go:223   done

wazuh.indexer-1    | [2025-02-03T11:20:18,595][ERROR][o.o.h.n.s.SecureNetty4HttpServerTransport] [wazuh.indexer] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

wazuh.indexer-1    | javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

...

Henadence Anyam

Feb 3, 2025, 10:46:39 AM2/3/25
to Wazuh | Mailing List
Hi Zoltán Beck,

You don't need to share sensitive information online.

On the Wazuh manager and indexer, you are referencing the xdr04-dashboard.pem certs.
Every Wazuh component should reference its own certs.

Kindly check your configs carefully.

Zoltán Beck

Feb 3, 2025, 10:49:07 AM2/3/25
to Wazuh | Mailing List
Hi,

  Yes, I noticed that after I sent the message, but that is not the problem. I corrected them, but the error still reports that the certificate is wrong: it does not contain the DNS name/FQDN, only the IP.

  Kind Regards,
Zoltan

Henadence Anyam

Feb 4, 2025, 7:57:20 AM2/4/25
to Wazuh | Mailing List
Hi Zoltán Beck,

In your Docker compose file under the environment section of the Wazuh manager, your INDEXER_URL is pointing to the hostname instead of the IP address of the Indexer.

environment:

      - INDEXER_URL=https://xdr06-indexer:9200

      - INDEXER_USERNAME=admin

      - INDEXER_PASSWORD=SecretPassword

      - FILEBEAT_SSL_VERIFICATION_MODE=full

      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem

      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem

      - SSL_KEY=/etc/ssl/filebeat.key

      - API_USERNAME=wazuh-wui

      - API_PASSWORD=MyS3cr37P450r.*-

Same thing is seen under the Wazuh.dashboard section, WAZUH_API_URL=https://xdr06-manager

Kindly use the appropriate IP addresses.

Zoltán Beck

Feb 5, 2025, 12:15:24 PM2/5/25
to Henadence Anyam, Wazuh | Mailing List
Hi,

  Thank you for the advice. I followed it, and it looks like the first node now starts correctly. I made the same changes on the second node, but now I have another issue. What is the correct way to set INDEXER_URL and WAZUH_API_URL in the docker-compose.yml?

  I tried couple of versions but every time I get an error regarding the host:

INDEXER_URL="https://10.1.170.143: 9200,https://10.1.170.144: 9200"
INDEXER_URL="https://10.1.170.143: 9200 https://10.1.170.144: 9200"


  Kind Regards,
Zoltan

wazuh.manager-1    | 2025-02-05T17:07:17.817Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://[10.1.170.143:9200,https:]:9200//10.1.170.144:9200)): Get "https://[10.1.170.143:9200,https:]:9200//10.1.170.144:9200": lookup 10.1.170.143:9200,https:: no such host

wazuh.manager-1    | 2025-02-05T17:07:17.817Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://[10.1.170.143:9200,https:]:9200//10.1.170.144:9200)) with 3 reconnect attempt(s)

wazuh.manager-1    | 2025-02-05T17:07:17.818Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer

wazuh.manager-1    | 2025-02-05T17:07:17.818Z WARN [transport] transport/tcp.go:52 DNS lookup failure "10.1.170.143:9200,https:": lookup 10.1.170.143:9200,https:: no such host

wazuh.manager-1    | 2025-02-05T17:07:17.818Z INFO [publisher] pipeline/retry.go:223   done

wazuh.manager-1    | 2025/02/05 17:07:19 rootcheck: INFO: Ending rootcheck scan.

