Wazuh agent to multiple server


Nguyen Huy Tai Anh

Sep 16, 2024, 12:23:07 AM
to Wazuh | Mailing List
Hi everyone,
I'm currently running a Wazuh setup and now I want to add Logstash to the mix for log management.

I have cloned my current system and configured the setup, but I want to have the same agent for testing since they have a constant stream of logs and it is better for testing. Is there a way to send logs to different Wazuh server master nodes at the same time?

Thank you
Tai Anh

Antonio David Gutiérrez

Sep 16, 2024, 5:38:55 AM
to Wazuh | Mailing List
Hi, the architecture you have is not clear to me. Could you elaborate on it and be more explicit about the elements/applications you are mentioning? A diagram could be useful.

Please elaborate on your architecture and what you want to get with Logstash or the Wazuh agents (I am not sure if you are referring to this or another type of agent).

I guess you want to add Logstash to read, transform and send the Wazuh alert data (generated by the Wazuh managers) to other outputs or to the same Wazuh indexer for some reason.


I have cloned my current system and configured the setup, but I want to have the same agent for testing since they have a constant stream of logs and it is better for testing. Is there a way to send logs to different Wazuh server master nodes at the same time?

This comment is not clear to me:
- What system did you clone and configure?
- What are you referring to by "same agent"?
- Do you have 2 separate Wazuh stack environments (production and testing) and you want to use the same Wazuh agent to report data to different Wazuh managers? If this is the case, it is not possible.

If you are referring to a Wazuh agent, it can only send data to one Wazuh manager at a time.

Nguyen Huy Tai Anh

Sep 16, 2024, 5:54:15 AM
to Wazuh | Mailing List
Hi Antonio,
My current SIEM system consists of 1 wazuh-manager, 2 wazuh-indexer nodes and 1 dashboard (let's call this SIEM A or SITE A).

I have cloned the VMs of the Wazuh components, so now I have a second SIEM solely for the purpose of testing (let's call this SIEM B or SITE B).

Now I have some agents enrolled on SITE A; 1 of the agents is using HAProxy and an IDS, which have a consistent log stream and are split into 2 indices, "wazuh-alerts-*" and "wazuh-archives-*".

I want to use that exact agent's logs for testing on SITE B.

Here is a simple diagram of my goal:
Screenshot 2024-09-16 164931.png
1 agent sending logs to both SITEs at the same time

Is this setup achievable or do I need to find a workaround?

Regards!!!

HARVEY SIJENYI

Sep 16, 2024, 11:54:06 PM
to Nguyen Huy Tai Anh, Wazuh | Mailing List
Hi, I am having a challenge with my Wazuh. Some of my agents ain't responding. How can I be assisted?


From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Nguyen Huy Tai Anh <taian...@gmail.com>
Sent: Monday, September 16, 2024 12:54:14 PM
To: Wazuh | Mailing List <wa...@googlegroups.com>
Subject: Re: Wazuh agent to multiple server
 

HARVEY SIJENYI

Sep 16, 2024, 11:54:10 PM
to Nguyen Huy Tai Anh, Wazuh | Mailing List
How do I integrate Wazuh with Kibana or Suricata?



HARVEY SIJENYI

Sep 16, 2024, 11:54:15 PM
to Nguyen Huy Tai Anh, Wazuh | Mailing List
The YouTube video ain't working 



Antonio David Gutiérrez

Sep 18, 2024, 5:29:55 AM
to Wazuh | Mailing List
Hi Nguyen, thank you for the diagram and the response. I understand you want to broadcast the Wazuh agent data to multiple Wazuh servers.

Unfortunately, that is not possible with Wazuh, because the Wazuh agent can only connect to one Wazuh server at a time.

I do not know if there is some way/application that lets you broadcast the API requests to multiple servers at the same time. In case this was possible, you could have problems with the Wazuh agent key, which could be different for both Wazuh servers.

You mentioned the Wazuh agent host has HAProxy and an IDS, but it is not clear to me whether you are collecting the HAProxy and IDS logs through the Wazuh agent, or whether they are applications installed on the same host as the Wazuh agent without it collecting the logs of these applications.

I am not sure if you are trying to use HAProxy to forward the Wazuh agent logs to both Wazuh managers. I am not familiar with HAProxy, but I see it lets you forward requests to a specific backend and not send the same request to multiple servers at the same time.

As a workaround:
- If you want to have a similar agent in both sites with similar logs: maybe you could deploy 2 containerized (using Docker) Wazuh agents with similar configuration, mounting as volumes the log files that each Wazuh agent collects (defining the configuration in the Wazuh agent). This approach should allow sending data from the same host to both sites through different Wazuh agents with similar configuration.
- If you only need the indexed data in the wazuh-alerts-* and wazuh-archives-* indices and you do not need the agent in site B, then you could send the data related to the Wazuh agent that is indexed in site A to site B. This data could be explored using the Discover and Dashboard applications of the Wazuh dashboard, but it would not have an associated Wazuh agent (the value of agent.id is not present among the agents of site B), or the logs could be associated with a Wazuh agent that did not generate them (if there is a Wazuh agent in site B with the same id as the agent.id field of the logs indexed in site A).
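The second workaround, written out as a Logstash pipeline since that is the tool the original question wanted to add (an added example, not from the thread or from Wazuh's documentation): the opensearch input plugin pulls one agent's documents from the site A indexer and the opensearch output plugin writes them to site B. The indexer hostnames, credentials, CA paths and the agent id 001 are placeholders; the pipeline assumes the logstash-input-opensearch and logstash-output-opensearch plugins are installed.

```conf
# Added example: copy one agent's indexed alerts from SITE A to SITE B with Logstash.
# Hosts, users, certificate paths and the agent id below are placeholders.
input {
  opensearch {
    hosts    => ["https://indexer-site-a.example:9200"]
    user     => "logstash_reader"           # read-only indexer user (placeholder)
    password => "${SITE_A_PASSWORD}"        # keep secrets in env vars or the Logstash keystore
    ssl      => true
    ca_file  => "/etc/logstash/site-a-root-ca.pem"
    index    => "wazuh-alerts-*"
    # Only the test agent's documents, and only the last minute, so each scheduled run
    # picks up new alerts; agent.id 001 stands for the HAProxy/IDS host in the thread.
    query    => '{ "query": { "bool": { "filter": [ { "term": { "agent.id": "001" } }, { "range": { "@timestamp": { "gt": "now-1m" } } } ] } } }'
    schedule => "* * * * *"                 # cron syntax: poll once a minute
    # Carry the source _index/_id along in metadata so the copy is idempotent
    docinfo        => true
    docinfo_target => "[@metadata][src]"
  }
}

filter {
  # Tag the copies so Discover on site B can separate them from alerts site B raised
  # itself; this is where the agent.id mismatch Antonio describes becomes visible.
  mutate {
    add_field => { "copied_from" => "site-a" }
  }
}

output {
  opensearch {
    hosts    => ["https://indexer-site-b.example:9200"]
    user     => "logstash_writer"           # write-only indexer user (placeholder)
    password => "${SITE_B_PASSWORD}"
    ssl      => true
    cacert   => "/etc/logstash/site-b-root-ca.pem"
    # Same daily index naming the Wazuh dashboard's wazuh-alerts-* pattern already matches
    index       => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
    # Reuse the site A document id so overlapping polls update instead of duplicating
    document_id => "%{[@metadata][src][_id]}"
  }
}
```

A second pipeline with index => "wazuh-archives-*" on the input and a wazuh-archives-4.x index on the output covers the archives data the question also mentioned.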