Wazuh cluster for high availability

[Nepolean]

Hi team,

I have a setup with 2 wazuh indexers, 2 wazuh servers and 1 wazuh dashboard. I have configured it using the installation guide in wazuh documentation(using assistant). In addition to it I have server where nginx is installed which will act as a load balancer. My agent is given the IP of load balancer. I am able to see it is connected in the dashboard. 

  The problem is when I switch off the server master node, my set is not working. Then my dashboard will say API is not available. Is this an expected behaviuor or will there any mistake in my load balancer configuration? What you people think?

Thanks

Nepolean

[Nepolean]

When I tested it again, load balancing is actually happening. I could see my agent changing the connection when each nodes are switched off. The problem is, my dashboard says api is not available when the master node is powered off.

[Jeremias Ignacio Posse]

Hi Nepolean, hope you'r doing well, based on what are you telling me

If your Wazuh set up is not working when you switch off the master node, then it is likely that there is a problem with your load balancer configuration.

When you switch off the master node, the load balancer should automatically route traffic to the other node. However, if the load balancer is not configured properly, it may not be able to detect that the master node is down and may continue to route traffic to that node, causing the API to be unavailable.

To troubleshoot this issue, you can check the logs for your load balancer to see if it is properly detecting the master node going down and routing traffic to the other node. You can also check the logs for your Wazuh servers to see if there are any errors related to the API being unavailable.

It is also important to ensure that your load balancer is configured to balance the traffic evenly between your two Wazuh servers. If the load balancer is not configured properly, it may be sending too much traffic to one server and not enough to the other, causing performance issues.

Overall, it is not expected behavior for your Wazuh set up to be unavailable when one node goes down, so there may be an issue with your load balancer configuration that needs to be addressed.

If you continue to experience issues, please let us know and we can assist further. Best regards, the Wazuh Cloud team.

[Nepolean]

Thanks  Jeremias Ignacio Posse for the reply. My load balancer is switching the nodes when one server is down. I could see that in agent logs. When 

my master is down agent is first disconnected from that server and then automatically connects to the other. But my issue is with the dashboard.

It refused to show up as it says API connection is unavailable. I found a thread where someone from wazuh has acknowledged this saying that

server master is the one which handles the distributed API and It cannot be down. Here is the link. Please clarify on this. I am a bit confused now.

[Nepolean]

Hi all, I have done some more testing and it is seen that when server master is down, I could see the alerts on the security events dashboard as it is possible to refresh just the dashboard. But when I reload the page itself, errors will be shown as API is not available.

[Jeremias Ignacio Posse]

Hi Nepolean, sorry for the long delay yes you're right The Wazuh master node is essential for the operation of the Wazuh service. Wazuh supports only one master node, and it cannot be assigned to any other node. If the master node is offline, some services may become unavailable, including the Wazuh application running in Kibana (Wazuh Dashboard).

It's important to note that the lack of access to the Wazuh Dashboard does not affect the operation of the agents, which will continue to report to the worker nodes that have been load-balanced with NGINX. However, it's critical to ensure high availability of the master node to ensure that the Wazuh Dashboard application is always available and can be used for managing the security system

Sorry for any inconvenience this may cause you, thank you for using Wazuh!

[Nepolean]

Thank you for the clarification