Wazuh cluster multi client setup


Rafał Przybysz

May 15, 2024, 7:49:38 AM
to Wazuh | Mailing List
Hello everyone,

I am planning to deploy a Wazuh cluster to act as a SIEM for multiple clients, and I would like to achieve the following setup and functionality:

Separate Data Storage for Clients: I want to store alerts from different clients in separate indices for enhanced security and data isolation. This will help ensure that each client’s data remains segregated.

Custom Index Retention Policies: I need to apply different retention policies to each client's data. My understanding is that having separate indices will allow me to manage these policies independently for each client.

Client-Specific Index Snapshots: I want to be able to create index snapshots for specific clients, which seems feasible only if each client has their own set of indices.

Proposed Setup:
Each location will have a local Wazuh Manager and Syslog server. The Syslog server collects logs from network devices, labels them, and forwards them to the local Wazuh Manager. The local Wazuh Manager also collects data from servers in that location.
These local Wazuh Managers will then forward logs to a central Wazuh Manager located at the main site, which consists of one master manager node, one worker manager node, a Wazuh dashboard, and a multi-node indexer (OpenSearch).
Questions:
Is this setup feasible? Can I configure local Wazuh Managers to forward logs to a central Wazuh Manager while maintaining data integrity and performance?
Separate indices for different clients: Is it possible to save alerts from different clients in separate indices in Wazuh (OpenSearch)? How can I achieve this configuration using Logstash or any other recommended method?
Alternative solutions: If separate indices for each client are not possible or recommended, what are the best practices to achieve data separation, custom retention policies, and client-specific snapshots?

Thank you for your assistance!

Ariel Maximiliano Martin

May 15, 2024, 8:37:52 AM
to Wazuh | Mailing List
Hello Rafał,
Let me look into this matter and I will get back to you as soon as possible.
Thanks!

Ariel Maximiliano Martin

May 17, 2024, 4:41:09 AM
to Wazuh | Mailing List
Hi Rafał!
While the solution you propose is feasible, our cloud team advises against forwarding the logs, because the Filebeat transfer between remote endpoints might cause some issues.

The advised solution would be to utilize CCS (Cross Cluster Search), that is, to have a full Wazuh server (Manager, Indexer and optionally Dashboard) in each remote site and to set up a central Wazuh Indexer/Dashboard to conduct searches in the remote sites. This way you will be able to visualize data of all remote sites from a centralized console while having snapshots for each client and separate ISM, since there is a cluster in each remote site.

More info on CCS:

I hope this information is useful. Let us know if you need anything else.
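To make the suggested hub-and-spoke layout concrete, here is an added example (not from the thread or the Wazuh project) that builds the OpenSearch request bodies a central indexer needs for CCS, plus a per-site ISM retention policy. Site aliases and seed hosts are constructed placeholders; the request shapes follow the OpenSearch cluster-settings and ISM APIs.

```python
"""Generate the OpenSearch requests for a central Wazuh indexer that searches
per-client Wazuh clusters via Cross Cluster Search (CCS)."""
import json

# Constructed inventory: one remote Wazuh indexer cluster per client site.
# The alias becomes the CCS prefix; seeds are transport (9300) addresses.
SITES = {
    "client-a": ["indexer.client-a.example:9300"],
    "client-b": ["indexer-1.client-b.example:9300",
                 "indexer-2.client-b.example:9300"],
}


def remote_cluster_settings(sites):
    """Body for PUT _cluster/settings on the central (hub) indexer.
    cluster.remote.<alias>.seeds registers each client cluster for CCS;
    skip_unavailable keeps a fan-out search alive if one site is down."""
    remote = {alias: {"seeds": seeds, "skip_unavailable": True}
              for alias, seeds in sites.items()}
    return {"persistent": {"cluster": {"remote": remote}}}


def ccs_index_pattern(sites, index="wazuh-alerts-*"):
    """Index expression that fans one query out to every client site.
    A single client is addressed as '<alias>:wazuh-alerts-*', and a
    dashboard index pattern of '*:wazuh-alerts-*' covers all remotes."""
    return ",".join(f"{alias}:{index}" for alias in sorted(sites))


def ism_delete_policy(days, index_patterns=("wazuh-alerts-*",)):
    """ISM policy applied on a client's own cluster: indices start in 'hot'
    and move to 'delete' once older than `days`. Because each client runs
    its own cluster, each site gets its own retention value."""
    return {"policy": {
        "description": f"delete wazuh alerts after {days} days",
        "default_state": "hot",
        "states": [
            {"name": "hot", "actions": [],
             "transitions": [{"state_name": "delete",
                              "conditions": {"min_index_age": f"{days}d"}}]},
            {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
        ],
        "ism_template": [{"index_patterns": list(index_patterns),
                          "priority": 100}],
    }}


if __name__ == "__main__":
    print(json.dumps(remote_cluster_settings(SITES), indent=2))
    print("GET", ccs_index_pattern(SITES) + "/_search")
    print(json.dumps(ism_delete_policy(90), indent=2))
```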