Centralized Monitoring of multiple wazuh server instances


Muhammad Hassam

May 3, 2023, 3:26:52 AM
to wa...@googlegroups.com

Hi Team,

 

I had a little difficulty in troubleshooting viewing alerts on my centralized Wazuh serverA. I had connected two Wazuh servers together via the Wazuh API. I'm able to view alerts of serverA (which I use as my centralized Wazuh server) but not able to view alerts of the other connected client Wazuh server. I have two Wazuh servers and want to view the alerts of both servers in a single dashboard. I have the Elastic stack installed on both my Wazuh servers, version 4.4.1, running on Ubuntu. I tried to achieve this by referring to the Wazuh guide below, with the objective of connecting multiple Wazuh servers of my clients to my centralized Wazuh server, where I can view their alerts on the Wazuh dashboard without storing the client servers' alerts on my master server.

 

I have configured the API configuration on both servers. On both servers they are connected fine, but whenever I switch the API from master to clientA, it does not show any alerts. Please find the screenshots of my API configuration.
The first screenshot is of my master Wazuh server and the second is of my testing client Wazuh server.
Note: Both of my Wazuh servers are installed as all-in-one deployments.

 

https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/config-file.html#hosts

 

Master Server:

 

ClientA Server:

 

Looking forward to your response.

 

Thanks & Regards,

 

Muhammad Hassam
SOC Analyst | Information Security Department
Arpatech
195 Block A SMCHS,
Karachi, PAKISTAN

Ph: +92-21-35250741-6

Web: www.arpatech.com

 


Kasim Mustapha

May 3, 2023, 7:04:51 AM
to Wazuh mailing list
Hello Muhammad,

Thanks for reaching out.

I am going to replicate this issue and give you an answer soon.

Thank you.

Regards,

Muhammad Hassam

May 4, 2023, 1:07:19 AM
to Kasim Mustapha, Wazuh mailing list

Hi Kasim,

Thanks for the consideration. I'm looking forward to your response.

 

 

Thanks & Regards,

 

Muhammad Hassam

 


Muhammad Hassam

May 5, 2023, 1:44:19 AM
to Kasim Mustapha, Wazuh mailing list

Hi Team & Kasim,

 

Your kind response is awaited.

 

Thanks,

Kasim Mustapha

May 5, 2023, 3:55:30 AM
to Muhammad Hassam, Wazuh mailing list
Hello Muhammad,

Just to clarify, you don't want to deploy the multi-node cluster, instead, you want to combine two single-host instances, correct?

Is there a reason for this?


Kasim Mustapha
IT Security Engineer
Wazuh | The Open Source Security Platform
 

Muhammad Hassam

May 5, 2023, 6:38:52 AM
to Kasim Mustapha, Wazuh mailing list

Hi Kasim,

 

Yes, my objective is to view the alerts of multiple Wazuh server instances in a single Kibana dashboard so that I don't need to switch to each Wazuh server instance to view their alerts. I need a centralized configuration where I can view them from my master Wazuh server dashboard.

 

Furthermore, on the master server I want to store only the master server's own alerts and no alerts from the other server, so that my master server won't run into storage issues.

 

I was trying to achieve this objective by connecting each server's API to the master server, but I am still not able to properly figure out the issue, as I described earlier. If it is possible, then kindly guide me on the approach to achieve this objective.

 

Looking forward to your response.

 

Thanks,

Muhammad Hassam

May 9, 2023, 3:14:09 AM
to Kasim Mustapha, Wazuh mailing list

Hi Kasim,

 

Waiting for your kind response.

Kasim Mustapha

May 9, 2023, 5:06:39 AM
to Muhammad Hassam, Wazuh mailing list
Hello Muhammad,

To view the alerts of multiple Wazuh servers in a single Kibana dashboard, you have to forward the logs from all the Wazuh servers to a single indexer instance or indexer cluster. The Wazuh indexer is a highly scalable, full-text search and analytics engine. This central component indexes and stores alerts generated by the Wazuh server.

The Wazuh server can be installed as a single-node cluster or as a multi-node cluster. The single-node installation will be performed in only one host where the Wazuh manager, the Wazuh API, and Filebeat will be installed. The multi-node installation consists of the installation of several Wazuh server nodes in different hosts that will communicate between them. 

I would recommend you perform the multi-node installation instead, and use the load balancer and an index management policy to distribute the load on the servers however you want it and to curb the storage issue, respectively.

Kasim Mustapha

Sep 28, 2023, 10:59:24 AM
to Muhammad Hassam, Wazuh mailing list
Hello Muhammad,

I have just revisited your thread and I would like to add some information to my previous answer:

1. Do they need 2 individual Wazuh Managers, connected to the same Indexer and Dashboard through API?
2. Do you want to set up a Wazuh Cluster? Wazuh Cluster = Master + worker.

For 1, you can use the cross-cluster search option.

For 2, you can use the multi-node cluster option.

Let me know if this answers your question.

Regards,
Kasim Mustapha 
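The cross-cluster search option Kasim mentions, shown as an added illustration that is not part of the thread or of Wazuh's documentation: OpenSearch API requests (Dev Tools syntax) sent to the master's Wazuh indexer that register clientA's indexer as a remote cluster and then search both alert indices at once, so clientA's alerts are queried in place rather than copied onto the master. Hostnames are placeholders; it assumes the two indexers trust each other's node certificates and that the querying user has read access to wazuh-alerts-* on both clusters.

```http
# Register clientA's indexer as a remote cluster (transport port, not 9200).
# "clienta.example.internal" is a placeholder hostname.
PUT _cluster/settings
{
  "persistent": {
    "cluster.remote": {
      "clientA": {
        "seeds": ["clienta.example.internal:9300"]
      }
    }
  }
}

# Verify the master can reach the remote cluster before touching the dashboard.
GET _remote/info

# Search local and remote alert indices together; the "clientA:" prefix
# selects the remote cluster. Nothing is written to the master's indices.
GET wazuh-alerts-*,clientA:wazuh-alerts-*/_search
{
  "size": 5,
  "query": { "range": { "timestamp": { "gte": "now-1h" } } },
  "sort": [{ "timestamp": "desc" }]
}
```

Once GET _remote/info reports the remote as connected, an index pattern of wazuh-alerts-*,clientA:wazuh-alerts-* in the dashboard shows both servers' alerts while clientA's data stays on clientA's indexer.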
