Wazuh | Health Check | Application | Automation

[John Carry]

Hello Team,

Is there any Application we can use/integrate to automate the health check activities by simply visualizing a Health Based Dashboard?

Basically I am looking forward for any Health Check mechanism that many others SIEM solution uses.

My Deployment Model is Wazuh with ELK Stack Single Node,

[Bin Do Tuan Anh]

Hi, 

There is no out of the box integration with any applications like this. 

But you can use the Wazuh UI to monitor some of the indicators. In the Wazuh menu please go to Management, there you would be able to find the Status and reports section. 

In the Status you will be able to find some basic information of you Wazuh Manager (like version, installation path, operating system etc) as well as the status of the modules they you have. 

In the Cluster page you will be able to find the status of your cluster and connected nodes. 

In the Statistics page there is information about the events (coming, dropped). 

The Logs section will show you the logs of your environment. Be aware that you can use the filter there to easier access the information you need. 

I would also recommend you to check the details of your machines making sure that you have enough of the disk space. And additionally it is good to check this documentation page: https://documentation.wazuh.com/current/user-manual/elasticsearch/elastic-tuning.html

Best regards,

Bin. 

[John Carry]

Hello andre,

Thanks alot for your response and help, I have gone through your entire details and it was helpful. I am facing few issues when I referred the guide for Elastic Tuning:

  Successfully configured below steps:

1.Set bootstrap.memory_lock

2. Edit the limit of system resources:

After making changes as per points 1 and 2, I am not observing expected results after performing step : 3. Limit memory.

Could you please clarify how should I configure two rules to comply below 2 points ?

1)Use no more than 50% of available RAM.

2)Use no more than 32 GB.

Referring below attached screenshot, what should I configure in place of -Xms4g and -Xmx4g ?

The issue  I am facing is I am not observing "mlockall" value to true instead "false" after restarting services of elastic.

Further I have also gone through your provided link for deciding how many shards? that article seems confused to decide how to manage data across elastic. Could your please suggest 1) how many shards and 2) what size of shard , should be configured with below deployment model.

My wazuh deployment model:
Single Node Wazuh with ELK stack
RAM: 62 GB
Storage: 4.5 TB

Agents: 50 where most of them are user workstations.

Your kind support would be highly appreciated.

Regards,

John

[John Carry]

Hello Andre,

Looking forward for your response.

Regards, 

John

[Bin Do Tuan Anh]

Hi, 

Sorry for the late reply. 

As I can see you have 62GB of RAM. In this case you can set the memory limit quite high. In theory up to 30GB, but since you have Wazuh and Elasticsearch together I would lower this number a bit. Feel free to set it to 16-20GB. The configuration will look like this: 

-Xms16g

-Xmx16g

Please keep in mind that you need to keep both of the value equal to each other (this may be the reason it fails). In case it still does not work (and the first two steps were applied) I would recommend you to try to restart daemon also:

systemctl daemon-reload 
systemctl restart elasticsearch

Regarding shards, since you have Single host environment, please edit the file /etc/filebeat/wazuh-template.json. The value index.number_of_shards has to be set to 1 (by default it is 3) 

As well as the number of replicas has to be set to 0:

curl -X PUT "http://localhost:9200/wazuh-alerts-\*/_settings?pretty" -H 'Content-Type: application/json' -d'
{
  "settings" : {
    "number_of_replicas" : 0
  }
}'

Best regards,

Bin.