Hi Sam:
Architecture design is always a labor-intensive process, and it is necessary to take different requirements into account. Therefore, if you have any additional questions or a point is not clear enough, we can continue analyzing it. Below I share information about each of your queries.
I don't see anything in Wazuh documentation about running multiple Dashboard nodes. Can you advise if two Dashboard nodes are possible? If it's possible, am I able to access any of the Dashboards to view my data?
Although the architecture does not yet contemplate multiple nodes for this component, if you consider it necessary, you could perform more than one installation of the same component to have it redundant. To use these nodes, you must at least be able to share the /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/ directory, where reports are stored, between all the Wazuh Dashboard installations you have. For this, you can use a shared storage service like NAS, SAN, EFS, etc. (depending on your environment).
I have designed my indexer nodes to communicate over a rather unstable IPSEC branch office VPN tunnel. My workaround was having dual nodes at each location to account for outages or latency. Is this recommended? Do Indexer nodes have to be connected with high speed storage?
Wazuh's current architecture is designed to work on the same site, not in different physical locations. Precisely one of the biggest drawbacks is the latency in this type of deployment. It is for this reason that we recommend implementing Wazuh installations at each site if necessary.
Note that the agents communicate with the Wazuh manager nodes and these with the indexer nodes. In addition, the agents have a cache to retain events in case of interruptions or higher latency.
So if you want to make sure you don't miss events, you can work with this cache and have the indexer and Wazuh nodes hosted on the same site or at your head office.
Although using a VPN can provide greater security, and in some cases is a requirement, this architecture does not need it. It allows you to use the Internet directly to connect to your agents, since the Wazuh message protocol uses AES encryption by default, with 128 bits per block and 256-bit keys. Blowfish encryption is optional.
Should one node fail (say, one of my Workers), I will restore from backups. However, I'm concerned about scaling up in the future if I need more worker or indexer nodes. Is it easy to add another worker or indexer after I create the initial install? Can you point me to documentation?
Wazuh's cluster design aims to make scaling as simple and fast as possible. Therefore, you could replace the master node or grow the worker nodes without any problem in the future. To do this, you can follow the installation documentation for the components of Wazuh server nodes or Wazuh indexer.
If you have any other questions or if we can clarify any particular point, do not hesitate to contact us again.
Thanks,
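
A check for the shared reports directory mentioned above, as an added example that is not part of the original reply or Wazuh's own tooling: run on each Dashboard host, it reports whether that directory sits on a network or cluster filesystem. The function names, the list of filesystem types and the `--check` switch are assumptions of this example.

```sh
#!/bin/sh
# Added example: verify the Wazuh Dashboard reports directory is on shared storage.
# Path taken from the reply; override with REPORTS_DIR if your install differs.
REPORTS_DIR="${REPORTS_DIR:-/usr/share/wazuh-dashboard/data/wazuh/downloads/reports}"

# Return 0 if the filesystem type is network/cluster storage, 1 otherwise.
# Assumed list: NFS (also what EFS mounts as), SMB, Gluster, Ceph, and the
# cluster filesystems used on SAN volumes. A plain ext4/xfs volume is
# reported as local. Extend the list for your own storage.
is_shared_fstype() {
    case "$1" in
        nfs|nfs4|cifs|smb3|glusterfs|fuse.glusterfs|ceph|gfs2|ocfs2) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the filesystem type backing a path (empty if it cannot be resolved).
fstype_of() {
    findmnt -n -o FSTYPE -T "$1" 2>/dev/null
}

# Print one status line for a directory.
# Return codes: 0 shared, 1 local, 2 missing, 3 type unknown.
check_reports_dir() {
    crd_dir="$1"
    if [ ! -d "$crd_dir" ]; then
        echo "MISSING $crd_dir"
        return 2
    fi
    crd_type="$(fstype_of "$crd_dir")" || crd_type=""
    if [ -z "$crd_type" ]; then
        echo "UNKNOWN $crd_dir"
        return 3
    fi
    if is_shared_fstype "$crd_type"; then
        echo "SHARED $crd_dir ($crd_type)"
        return 0
    fi
    echo "LOCAL $crd_dir ($crd_type): reports saved here stay on this node"
    return 1
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_reports_dir "$REPORTS_DIR"
    exit $?
fi
```

Run it with `--check` on every Dashboard node; any result other than `SHARED` on one of them means reports generated there are not visible from the other installations.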