Wazuh Data segregation


Max

Mar 25, 2026, 4:27:39 AM
to Wazuh | Mailing List
Hey folks

I wanted to ask if it's possible to achieve a use case where:

There are 2 users (user1 and user2)

Each one has their own dashboards and can only see their own data & dashboard and cannot see the others. (I.e. user1 is to user1 only, etc.)

I would also be adding in multiple users in the future and have their own data associated with these users only.

Also to have the data be separated somewhat, where "user1" data is not in the same log files as "user2" data, which I nicknamed "True Data segregation".

I tested recently with RBAC, and it hit the points of only showing certain agents and data tied to these agents labeled as "user1".

But I think with true data segregation from the logs would I need to do an architecture structure that does this: https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/

Also, for more context:
Doing this on Azure and possibly adding SSO into the mix as well.
Additional context: doing this via Kubernetes clusters.

Awwal Ishiaku

Mar 25, 2026, 6:58:51 AM
to Wazuh | Mailing List
This is possible, but you can have two different levels of isolation. It could be logical isolation or true data segregation.

Logical isolation is the most common and users will only see their own data and dashboards.
To do this, you need a combination of the following:
- RBAC (roles + role mappings) to restrict access to specific agent groups
- Dashboard tenants to have separate dashboards per user/group

For true data segregation, you can create separate index patterns per tenant (e.g. user1-alerts-*, user2-alerts-*), or fully separate Wazuh clusters per tenant.
So multitenancy is not mandatory in this case. With unique indices, the data is isolated.

Using Kubernetes does not affect the plan.
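
An added example, not part of the thread and not Wazuh project code: a Python check that per-tenant roles written in the OpenSearch Security role format cannot read each other's indices, using the `user1-alerts-*` / `user2-alerts-*` naming from the reply above. It assumes index patterns use only the `*` wildcard; `tenant_role` and `isolation_violations` are hypothetical helper names, and the role sets are constructed samples.

```python
from functools import lru_cache
from itertools import combinations

def patterns_overlap(a: str, b: str) -> bool:
    """True if some index name could match both patterns ('*' = any run of chars)."""
    @lru_cache(maxsize=None)
    def go(i: int, j: int) -> bool:
        if i == len(a) and j == len(b):
            return True
        if i < len(a) and a[i] == "*":   # '*' matches empty, or absorbs one symbol of b
            return go(i + 1, j) or (j < len(b) and go(i, j + 1))
        if j < len(b) and b[j] == "*":
            return go(i, j + 1) or (i < len(a) and go(i + 1, j))
        return i < len(a) and j < len(b) and a[i] == b[j] and go(i + 1, j + 1)
    return go(0, 0)

def tenant_role(tenant: str) -> dict:
    """Read-only role body in the OpenSearch Security role format for one tenant."""
    return {
        "index_permissions": [
            {"index_patterns": [f"{tenant}-alerts-*"], "allowed_actions": ["read"]}
        ],
        "tenant_permissions": [
            {"tenant_patterns": [tenant], "allowed_actions": ["kibana_all_write"]}
        ],
    }

def isolation_violations(roles: dict) -> list:
    """List (role_a, role_b, pattern_a, pattern_b) where two roles can read the same index."""
    found = []
    for (name_a, a), (name_b, b) in combinations(sorted(roles.items()), 2):
        for perm_a in a["index_permissions"]:
            for perm_b in b["index_permissions"]:
                for pa in perm_a["index_patterns"]:
                    for pb in perm_b["index_patterns"]:
                        if patterns_overlap(pa, pb):
                            found.append((name_a, name_b, pa, pb))
    return found

# Constructed sample role sets (not taken from a real deployment).
GOOD = {"user1": tenant_role("user1"), "user2": tenant_role("user2")}
BAD = {"user1": tenant_role("user1"), "user2": tenant_role("user2")}
BAD["user2"]["index_permissions"][0]["index_patterns"] = ["*-alerts-*"]  # too broad

if __name__ == "__main__":
    print("good:", isolation_violations(GOOD))
    print("bad: ", isolation_violations(BAD))
```

The overlap test also catches prefixes without a delimiter: `user1*` overlaps with indices belonging to a later tenant named `user10`, which is why the pattern keeps the `-alerts-` separator.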

Max

Mar 25, 2026, 7:59:11 AM
to Wazuh | Mailing List
Hi Awwal,

Thanks for this!

Can I ask how I would go about configuring separate index patterns?

Let's say I have a group of agents under the group label named "Customer_A" and another Group "Customer_B"

Would I have to create these indices post deployment on the Wazuh dashboard or should this be done through Helm Chart values?

Awwal Ishiaku

Mar 25, 2026, 9:03:48 AM
to Wazuh | Mailing List
Dashboard index patterns are just for viewing and searching data, not for actually separating it.
You need to configure this at the ingestion level after initial deployment.

That means:
- Update index template and index prefix
- Then create matching index patterns in the dashboard
The documentation shared earlier on creating indices may help: https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-indices.html

The Wazuh manager does not natively route data per agent group into different indices.
So, to truly separate data, you can create a custom pipeline (Filebeat) to log to the indices based on the agent group.

Alternatively, you may need to run separate Wazuh manager deployments per customer, and then configure Filebeat on each customer's server to write to the appropriate index.