Multi wazuh servers single central kibana


Andrea Consadori

Apr 16, 2021, 1:08:56 PM
to Wazuh mailing list
Hi, I read several posts about Kibana multi-tenancy and I'm wondering if a config like this is possible:

Wazuh server 1
Elastic 1
Kibana 1

Wazuh server 2
Elastic 2
Kibana 2

Not in a cluster: wazuh1 writes to elastic1 and kibana1 points to elastic1, same for group 2.

Now, if I install a kibana 3 and I map wazuh server 1 and 2, can I see the sum of the events?

Can I change rules and so on?

Will the Wazuh plugin be multi-server, or only Kibana?

Can I modify Wazuh rules from the local and the remote Kibana?

In future, if I have to upgrade, do I have to stop everything, or are newer versions backwards compatible and allow me a gradual remote node upgrade?

Thanks for clarifying 
Andrea Consadori


Franco Charriol

Apr 16, 2021, 5:47:33 PM
to Wazuh mailing list
Hi Andrea,

I'll try to answer all your questions. But first I have a doubt about this:

-> I read several post about kibana multi tenancy

Given the rest of your question, I assume that you mean multi-tenancy as the capability of using the same Kibana service connected to different sources (Elasticsearch instances).
But I wonder if you mean multi-tenancy as in https://aws.amazon.com/blogs/opensource/multi-tenant-kibana-open-distro-for-elasticsearch/ which would allow you to separate your Kibana and Elastic cluster into different workspaces using the same Kibana1 and Elastic1.
I highly recommend this approach rather than using multiple instances of entire environments, if it meets your needs. Please let me know.

--
Well, in the first case I think this is not literally supported by Kibana, but there is a feature that might be helpful: Remote clusters, you can read about it here.
Regarding your question "I'm wondering if it's possible a config like this", this feature will allow you to use cross-cluster replication to replicate indices across clusters.
But for "Now if I install a kibana 3 and I map wazuh server 1 and 2 I can see the sum of the events?", you should use a third Elasticsearch. Then connect your Kibana3.

--

Will the Wazuh plugin be multi-server, or only Kibana?
In your Kibana3 you should configure both Wazuh API instances (one from each Wazuh manager) in the Wazuh app config file /usr/share/kibana/data/wazuh/config/wazuh.yml
Then you'll be able to use the Wazuh app to work with both managers.
Given this configuration, you should take care with the names of your Wazuh clusters to avoid issues with the cross indices.

An alternative is using multiple instances of Filebeat, which is what takes care of sending the alerts to Elasticsearch, sending the alerts to Elastic1 and Elastic3 for example.
A simple reference; please let me know if you need more info about this.

--

Not in a cluster: wazuh1 writes to elastic1 and kibana1 points to elastic1, same for group 2.

Regarding installing 2 different instances of all the environments, it's totally possible; I recommend doing it on different hosts (docker or machines) to avoid performance issues.
But you need some of the above configurations to cross your indices or alerts to Kibana3.

--
Can I change rules and so on? Can I modify Wazuh rules from the local and the remote Kibana?
If you mean Wazuh rules from the Ruleset, they would only be applied to the manager that you are configuring. You would need to replicate this change for all your environments.
The same goes for any configuration of the Elastic/Kibana cluster instances.

--
In future, if I have to upgrade, do I have to stop everything, or are newer versions backwards compatible and allow me a gradual remote node upgrade?
It depends on the changes included in the newest version; if there are some breaking changes it could be necessary to upgrade all the nodes to avoid issues, especially if you use cross-cluster replication, due to the possible incompatibilities between indices and Elastic versions.


Please let me know if I'm wrong in my interpretation of any of your questions or if you have any other doubt.
Surely you need more in-depth info about some of these points; please let me know too.

Best
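
As an added example (not from this thread and not the Wazuh project's own file), this is the shape of the multi-host `hosts` section in `/usr/share/kibana/data/wazuh/config/wazuh.yml` on Kibana3 for Wazuh 4.x; the host ids, hostnames, credentials and the `pattern` value are assumptions for illustration:

```yaml
# /usr/share/kibana/data/wazuh/config/wazuh.yml on Kibana3 (added example; names assumed)
# Each list entry is one Wazuh API. The key ("wazuh-master", "wazuh-remote") is the
# id offered in the API selector at the bottom of the Wazuh app, so keep ids unique.
hosts:
  - wazuh-master:
      url: https://wazuh-master.example.internal   # assumed hostname
      port: 55000
      username: wazuh-wui
      password: "<api-password-for-master>"        # placeholder, set your own
      run_as: false
  - wazuh-remote:
      url: https://wazuh-remote.example.internal   # assumed hostname
      port: 55000
      username: wazuh-wui
      password: "<api-password-for-remote>"        # placeholder, set your own
      run_as: false

# Index pattern the app queries in the Elasticsearch that Kibana3 points at.
# Switching the API above changes which manager you administer, NOT which
# indices are queried: remote alerts only show up if they are written to this
# Elasticsearch (a third cluster fed by both Filebeats, or replication).
pattern: wazuh-alerts-*
```

Two practical notes. This file holds API passwords, so keep it readable only by the user Kibana runs as (the Wazuh packages create it with restricted permissions; check after manual edits). And for the Filebeat alternative, a second Filebeat instance on each manager needs its own `path.data` (separate registry) and its own `output.elasticsearch.hosts` pointing at the third cluster, otherwise the two instances fight over the same registry file.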

Andrea Consadori

Apr 17, 2021, 1:12:26 AM
to Wazuh mailing list
Thanks Franco,
apologies if I use the wrong terms.

I'm trying this config:

Kibana-master --> also configured with the remote API
Wazuh-master
Elastic-master

kibana-remote
wazuh-remote
elastic-remote

1- configured in the master Kibana yml the additional remote Kibana address (working)
2- connected from master to remote by switching the id at the bottom (working)
3- configured on the remote Wazuh's ossec.conf the remote output to send to the master Wazuh (working)
4- if from the master Kibana I select the remote node I can manage configuration, create agents and so on; the only strange behaviour I see is the data that the modules show me

If I select the remote node from master and then the Security Events module, I see local security events.
If I connect directly to the remote node's Kibana and select Security Events, I see what I expect.

Is this because only the Wazuh plugin is configured and not Kibana, and the security module is a sort of Kibana view and not a Wazuh view?

thanks

Andrea Consadori

Apr 17, 2021, 1:15:58 AM
to Wazuh mailing list
And yes, maybe it is more a federation than a multi-tenant configuration.

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/9m_r-_mRZd0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/09d3d959-747d-4b7c-8405-0337636dfec6n%40googlegroups.com.

Franco Charriol

Apr 19, 2021, 5:07:33 PM
to Wazuh mailing list
Hi Andrea,
thanks for the info.


If I select the remote node from master and then the Security Events module, I see local security events.

I think it may not be possible, because setting a remote source only allows the use of cross-cluster search (see here), which is why Wazuh only shows the local indices' data.
Maybe with an auto-follow pattern from cross-cluster replication you would be able to replicate the remote indices and then see them as local too.
If you try this approach, please let me know if you need some help.
I will try to reproduce it in the next few days and will be back with more help.

Best.
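
As an added example (not from this thread), this is the Elasticsearch-side piece that both options Franco mentions start from: registering Elastic-remote as a remote cluster on the Elastic-master nodes. The alias `elastic-remote` and the hostname are assumptions; the setting names are Elasticsearch's standard `cluster.remote.*` settings.

```yaml
# /etc/elasticsearch/elasticsearch.yml on every Elastic-master node (added example; names assumed)
cluster.name: elastic-master

# Register the remote cluster under the alias "elastic-remote".
# Seeds are TRANSPORT addresses (9300), not the HTTP port, so the transport
# layer of both clusters must be reachable and TLS-trusted in both directions.
# The same setting can be applied at runtime with PUT _cluster/settings
# under persistent.cluster.remote.elastic-remote.seeds instead of editing the file.
cluster.remote.elastic-remote.seeds: ["elastic-remote.example.internal:9300"]

# Do not fail a cross-cluster search when the remote is down; return local hits only.
cluster.remote.elastic-remote.skip_unavailable: true
```

With that in place, cross-cluster search works by prefixing the index with the alias: a Kibana index pattern of `wazuh-alerts-*,elastic-remote:wazuh-alerts-*` shows both managers' alerts in Discover. Whether the Wazuh app accepts that pattern in its `pattern` setting is something to verify on your version; the thread's observation that the app only showed local data is consistent with it querying the local pattern only. Cross-cluster replication is configured through the REST API rather than the yml (an auto-follow pattern is created with `PUT _ccr/auto_follow/<name>` whose body names `remote_cluster` and `leader_index_patterns`), and two caveats apply: on Elastic's own distribution CCR is a paid-tier feature, and the follower index names must not collide with the `wazuh-alerts-*` indices that Elastic-master's own Filebeat writes, which is exactly the index-naming clash the first reply warned about.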