Best approach to managing Wazuh in AWS


Romel

Aug 28, 2023, 2:45:38 AM
to Wazuh | Mailing List
Hello!

I have a general question in regards to deploying Wazuh for a company but want to get an idea of the best approach when it comes to AWS.

Is using AWS OpenSearch service the best way of managing the Wazuh Indexer, Dashboard, and Server while the Wazuh agents are placed on our EC2 instances, or is it better to have it hosted in K8s? (We have everything hosted in K8s.)

My ideal approach would deploy Wazuh agents to our EC2 instances and focus on the alerts while AWS manages the OpenSearch server.

Thanks for the help!

Daniel Folch

Aug 28, 2023, 4:31:54 AM
to Wazuh | Mailing List
Hello,

To monitor multiple EC2 instances like you said, I would install an agent on each instance.

For the manager, you have multiple options:

1. Use the AMI provided by Wazuh which already contains the Wazuh manager, indexer, and dashboard. Check this for more information:

2. Deploy an EKS cluster using the utilities in the wazuh-kubernetes repository; this option also contains the Wazuh manager, indexer, and dashboard. Check this for more information:
https://documentation.wazuh.com/current/deployment-options/deploying-with-kubernetes/kubernetes-deployment.html

3. You can create one or more instances and deploy the Wazuh manager in a single-node installation or on a cluster, depending on your needs, and use Logstash or Filebeat to send the information to your OpenSearch cluster. Here you have some documentation about this:
https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html
https://documentation.wazuh.com/current/integrations-guide/opensearch/index.html

If you want to use an already existing OpenSearch cluster, I would go with option 3.

Hope you found this information useful.

Regards,

Daniel F

Romel

Aug 28, 2023, 10:32:29 PM
to Wazuh | Mailing List
Thank you for the response. We don't have an existing AWS OpenSearch being run. Would you say it's much easier to run Wazuh and have 1 year retention of the files on AWS EKS with persistent storage?

Thanks

Daniel Folch

Sep 26, 2023, 6:12:44 AM
to Wazuh | Mailing List
Hello,

Sorry for the late response. Using EKS to deploy your manager, indexer, and dashboard is a good option for AWS management, as it allows scalability.

One year of persistent storage should be enough, but it will depend on the needs of your deployment, such as compliance and the like.

Regards.