Wazuh Cluster Filebeat on worker can't reach master


Etienne Coutenceau

Apr 8, 2022, 8:11:00 AM
to Wazuh mailing list
Hello,
I am trying to install a Wazuh cluster. I succeeded in fusing the 2 managers into a cluster, but I don't receive the alerts. I suppose it comes from Filebeat, with the result of filebeat test output being: filebeat.PNG
I configured the instance.yml as follows and executed node_name=filebeat: instance.PNG
My Filebeat configuration is: filebeatconfig.PNG
I use the same certificate that was generated for Filebeat during the master installation.
The master active connection table for port 9200 gives: 'tcp6 127.0.0.1:9200 :::* LISTEN java'

Thank you in advance for your help.

Alexander Bohorquez

Apr 8, 2022, 10:56:36 AM
to Wazuh mailing list
Hello Etienne,

Thank you for using Wazuh!

I'll need more information to help you in this case:

Did you follow our guide for distributed deployments? https://documentation.wazuh.com/current/installation-guide/open-distro/distributed-deployment/step-by-step-installation/index.html

How many nodes do you have? 1 Elasticsearch node and 2 Wazuh manager nodes? 3 in total?

When generating the certificates, based on our guide: "Edit ~/instances.yml and replace the values <node-name> and node-IP with the corresponding names and IP addresses":

# Elasticsearch nodes
elasticsearch-nodes:
  - name: <node-name>
    ip:
      - node-IP

# Wazuh server nodes
wazuh-servers:
  - name: <node-name>
    ip:
      - node-IP

# Kibana node
kibana:
  - name: <node-name>
    ip:
      - node-IP


You can add as many nodes fields as needed. Example:

# Elasticsearch nodes
elasticsearch-nodes:
  - name: node-1
    ip:
      - 192.168.0.21

# Wazuh server nodes
wazuh-servers:
  - name: node1-wazuh
    ip:
      - 192.168.0.22
  - name: node2-wazuh
    ip:
      - 192.168.0.23

# Kibana node
kibana:
  - name: kibana
    ip:
      - 192.168.0.24

In this case, if you have multiple Wazuh manager nodes, you could use multiple node fields in the instances.yml file.

On the other hand, when configuring filebeat in the output.elasticsearch option you should use the IP address of your Elasticsearch node. Reference: https://documentation.wazuh.com/current/installation-guide/open-distro/distributed-deployment/step-by-step-installation/wazuh-cluster/wazuh-multi-node-cluster.html#installing-filebeat

Make sure you can reach your Elasticsearch server through port 9200 using the IP address. For this, you could use telnet. Example:

telnet 192.168.74.174 9200

I hope this information helps. Please let me know how it goes.
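
An added example (not part of either post and not Wazuh project code): a shell check for the two things this thread turns on, namely which address port 9200 is bound to on the Elasticsearch host and whether a worker can open a TCP connection to it. A socket bound to 127.0.0.1 accepts local clients only. The sample line is the one quoted in the question; the function names `classify_listen` and `probe` are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Helps explain why a remote Filebeat cannot
# reach Elasticsearch by looking at the address the service listens on.

# classify_listen PORT: reads `netstat -tln` / `ss -tln` style lines on stdin.
# Prints loopback-only, all-interfaces, specific:<addr> or not-listening.
classify_listen() {
  awk -v port="$1" '
    !/LISTEN/ { next }
    {
      addr = ""
      for (i = 1; i <= NF; i++)      # first field ending in :PORT is the local address
        if ($i ~ (":" port "$")) {
          addr = substr($i, 1, length($i) - length(port) - 1)
          break
        }
      if (addr == "") next
      gsub(/^\[|\]$/, "", addr)      # ss prints IPv6 addresses as [::1]:9200
      if (addr ~ /^(127\.|::1$|::ffff:127\.)/) loop = 1
      else if (addr == "0.0.0.0" || addr == "*" || addr == "::") all = 1
      else spec = addr
    }
    END {
      if (all) print "all-interfaces"
      else if (spec != "") print "specific:" spec
      else if (loop) print "loopback-only"
      else print "not-listening"
    }'
}

# probe HOST PORT: succeeds if a TCP connection opens within 3 seconds
# (the same check as the telnet test, but scriptable). Run it from the worker.
probe() {
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Constructed sample: the listening line quoted in the question.
SAMPLE='tcp6 127.0.0.1:9200 :::* LISTEN java'

case "$(printf '%s\n' "$SAMPLE" | classify_listen 9200)" in
  loopback-only) echo "9200 is bound to loopback: only local clients can connect" ;;
  not-listening) echo "nothing is listening on 9200" ;;
  *)             echo "9200 is exposed on the network; check firewall and routing" ;;
esac
```

On the Elasticsearch host, feed it live data with `ss -tln | classify_listen 9200`; from the worker, `probe 192.168.74.174 9200` (the example address from the reply above) returns 0 only when the connection opens.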
