Wazuh Architecture


Aravind Raja

Mar 22, 2024, 1:45:16 AM
to Wazuh | Mailing List
Hi Team,

I have a requirement of around 5000 endpoints with Wazuh SIEM, so I have planned as follows:

Nginx LB=192.168.20.20

server1=192.168.20.11
server2=192.168.20.12
server3=192.168.20.13
server4=192.168.20.14

indexer1=192.168.20.15
indexer2=192.168.20.16
indexer3=192.168.20.17
indexer4=192.168.20.18

dashboard=192.168.20.19

I have placed the load balancer in between the endpoints and server nodes. Do I need to place another load balancer in between the server nodes and indexer nodes?

I have attached a sample architecture of mine; please clarify this for me.

Thanks in advance
wazuhtest.png

Commercial League

Mar 22, 2024, 7:34:38 AM
to Wazuh | Mailing List
Hi, 

I suppose that you do not need a load balancer for the indexer nodes. They internally form some kind of cluster and copy contents to multiple nodes.

I would like to share some tips regarding the nginx load balancer: for 5k agents you will need to change the default settings for both max connections and open files for the user which nginx uses. I also suggest setting up some kind of high availability configuration, because the load balancer is a single point of failure for the whole system.

Kind regards,
Nikolay

Abdullah Al Rafi Fahim

Mar 25, 2024, 5:13:52 AM
to Wazuh | Mailing List
Hello Aravind,

Thank you for using Wazuh!

You only need to place a load balancer before the Wazuh manager nodes to ensure proper load balancing for the endpoints (agents). For Wazuh server to Wazuh indexer communication, the Wazuh servers use Filebeat to send alerts and event data to the Wazuh indexer nodes, using TLS encryption. Filebeat reads the Wazuh server output data and sends it to the Wazuh indexer nodes (by default listening on port 9200/TCP). The Wazuh indexer nodes in a cluster maintain proper balancing and replication of the indices by themselves. Therefore, no load balancer is needed between the Wazuh server and Wazuh indexer nodes. Reference: https://documentation.wazuh.com/current/getting-started/architecture.html

Rather, you need to configure Filebeat on every Wazuh server node to connect and communicate with all the Wazuh indexer nodes by adding them as hosts in the filebeat.yml file. Reference: https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html#configuring-filebeat

I hope it helps. Please let us know if you have any further queries here.
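
The Filebeat output section described in the reply above, as an added example that is not part of the original message or taken from the Wazuh project. The indexer addresses are the ones from the plan in this thread; the certificate paths and the keystore variables `${username}` / `${password}` are assumptions and must match the local installation.

```yaml
# /etc/filebeat/filebeat.yml on each Wazuh server node (server1..server4).
# Added illustration: addresses come from the plan in this thread,
# certificate paths and credentials handling are assumptions.
output.elasticsearch:
  # List every indexer node so each server can ship to any of them.
  # With several hosts configured, Filebeat distributes events across
  # them and moves on to another host when one is unreachable, so no
  # load balancer is needed on this hop.
  hosts:
    - "192.168.20.15:9200"   # indexer1
    - "192.168.20.16:9200"   # indexer2
    - "192.168.20.17:9200"   # indexer3
    - "192.168.20.18:9200"   # indexer4
  # Server-to-indexer traffic is TLS-encrypted.
  protocol: https
  # Credentials resolved from the Filebeat keystore rather than stored
  # in clear text in this file (assumed setup).
  username: ${username}
  password: ${password}
  # CA used to verify the indexer certificates, plus this node's own
  # client certificate and key (assumed paths).
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: /etc/filebeat/certs/filebeat.pem
  ssl.key: /etc/filebeat/certs/filebeat-key.pem
```

After editing the file on a server node, `filebeat test output` reports the TLS handshake and connection result for each listed host.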

Hatem

Mar 25, 2024, 6:16:07 AM
to Aravind Raja, Wazuh | Mailing List
Keep us posted.
