Cluster disabled after upgrade in single-node configuration

[Alex Mañez]

Hi everyone:

I need a little help to understand if my WAZUH is working well. I would appreciate any helpful comments.

Recently, we have upgraded an installation of WAZUH (OVA Single-node) from version 4.3 to 4.5 The result seemed OK.

Before upgrading I had had problems with the indexes and the number of shards. At that time it was possible for me to execute things like:

 GET /_cluster/health?pretty

 To understand the problem and fix it.

 Now after the update, I think the API has changed and I have tried things like:

 GET /cluster/healthcheck

 But I get errors like:

{
  "error": "3013",
  "message": {
    "title": "Bad Request",
    "detail": "Cluster is not running, it might be disabled in `WAZUH_HOME/etc/ossec.conf`",
    "remediation": "Please, visit the official documentation (https://documentation.wazuh.com/4.5/user-manual/configuring-cluster/index.html) to get more information about how to configure a cluster",
    "error": 3013
  }
}

I have tried to activate the cluster by changing the ossec.conf file from:

 <cluster> ... <disabled>yes</disabled> ... </cluster>

to:

<cluster> ... <disabled>no</disabled> ... </cluster>

And when i restart the manager, configuration errors appear.

 Is my Wazuh in a wrong state?

Is it normal that in version 4.5 in single-node, the cluster is no longer enabled?

 In that case, how do I use the API to control the status of the shards for example? 

(Sorry for the long question)

Thanks

Alex

[Olusegun Adenrele Oyebo]

Hello Alex,

First of all, thank you for using Wazuh.

Since you're using Wazuh OVA which is an all-one-architecture (one Wazuh indexer, manager and dashboard) you don't need to enable cluster. Enabling the cluster comes into play when you want to have more than one Wazuh manager and that is where the concept of master and worker node comes into the picture.

If you want to troubleshoot anything related to your Wazuh indexer, you can check the logs by running the command cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn" on your Wazuh indexer server. Also if you want to check the health or status of your Wazuh indexer node, kindly run the below command on your Wazuh indexer server:

• curl -X GET "https://127.0.0.1:9200/_cat/health?v" -u <username>:<password> -k replace <username>:<password> with the username and password of the indexer user. By default it's wazuh:wazuh though we recommend changing the default password.

I hope this provided clarity. Do not hesitate to reach out again if you need any other thing.

Best regards.

[Alex Mañez]

Okay I'm sorry for wasting your time.

 I just realized that the request like:

 GET /_cluster/health?pretty 

It is possible to run in Wazuh Dashboard - Managment - Dev Tool.

I was confused with the API Console and thought the API had changed somehow.

 I'm sorry again and I would like to congratulate you for the fantastic work you do with Wazuh.

Thanks

El domingo, 29 de octubre de 2023 a las 19:47:08 UTC+1, Alex Mañez escribió:

Thanks for your answer.

How do I execute a request similar to the one you propose:

curl -X GET "https://127.0.0.1:9200/_cat/health?v" -u <username>:<password> -k

But from Wazuh Dashboards - Tools - API console??

Thanks

[Olusegun Adenrele Oyebo]

Hello Alex,

Thanks for the compliments. It means a lot to us. Also note that we remain attentive to your requests and feedbacks as it is a medium we use to continually improve on the project.

Do not hesitate to reach out to us again if you need any other thing.

Best regards.