Multi-Node Indexer Additions

[Sam Heuchert]

I currently have a 4-node cluster running in a distributed Wazuh deployment.  I'm hoping to add an additional four nodes to my original four nodes.  What is the process for doing this?

Thanks!

[Luciano Gorza]

Hi Sam, you just add the master's address in the /var/ossec/etc/ossec.conf file of each new worker node and that's it. I leave you these useful documentation links:

• https://documentation.wazuh.com/current/user-manual/configuring-cluster/basics.html#horizontal-scalability
  
• https://documentation.wazuh.com/current/user-manual/configuring-cluster/index.html
  

Hope this helps.

[Sam Heuchert]

Hi Luciano,

Thank you for the information, but I was hoping to glean information of adding to my Wazuh Indexer cluster, not my worker cluster.  Can you assist?

[Luciano Gorza]

Hi Sam, I'm really sorry for the delay, the google group was down for a while...

To add a Wazuh indexer node to an existing cluster, follow the step-by-step installation procedure.
In the certificate creation step, you can use the previous config.yml. A new file can be created if required. Download the file, modify it using the names of the existing nodes, and then add the new node.
Once the new node has been created, configure it to be part of the cluster.
Next, in the Deploying certificates step, deploy only the certificate for the new node, so use the new node name in the variable NODE_NAME=<indexer-node-name>.
Then, reinitialize the cluster.

Best regards,

[Luciano Gorza]

After the steps I mentioned in the last message, y forgot this one:

• After that, add the new indexer node to the Filebeat configuration file, as explained here.