Multiple Log Collector with Centralized WAZUH Dashboard

[zaffar abbas]

Hi,

Considering a scenario of a organization having offices at multiple locations and one central head office, is it possible to configure WAZUH in such a way that each different location has its own log collector (such as Filebeat) deployed at its premises, but there is only one centralized Dashboard deployed at Head Office to manage events collected by log collector.

Awaited for response.

Thanks,
Zafar.

[Awwal Ishiaku]

Hi Zaffar,

You can deploy the Wazuh central components in a distributed environment.

In summary, you can install a master Wazuh server at the Head Office, and install worker nodes at the remote locations.

You need to provide data about all the nodes you wish to deploy in the initial configuration file and proceed with the guide to deploy all the components.

Note that additional network configuration relies on your infrastructure.

The architecture may help you understand how the cluster works.

Regards.

[Khul Sat]

Hi,

Can this be achieved with multiple cloud environments like AWS, GCP, Azure etc?

What I would like to have is, one dashboard for all the locations; be it any cloud provider along with the on-prem devices.

Is it possible? Please suggest.

Thanks, KS

[Awwal Ishiaku]

Yes, it is possible to deploy in multiple cloud environments.

The cloud environments are like remote locations,  therefore the principle I described earlier also applies to them.

You only need to deploy the Wazuh server at your desired remote premises and add them to the cluster.
Let me know if you need further clarification.

[Khul Sat]

Hello,

Thank you for you inputs! Here is what I understood:

I set up Wazuh components on each cloud partner. Say for example - AWS, GCP, Oracle & Azure.

So there would be 2 servers, 3 indexers in all the cloud environments. Only one cloud environment would have extra component i.e. Dashboard & one would be master Server rather than worker+worker.

Is my understanding right?

My query is about the connectivity between multiple Wazuh servers & indexers & the log/index management.

Will the agent logs be spread across  all the managers (AWS instances will send logs to managers hosted on GCP/Oracle/Azure & vice versa)?

Will the indices/shards be spread across all the indexers (AWS instances related indices to indexers hosted on GCP/Oracle/Azure vice versa)?

Or do we get an option to restrict the agents to send logs to certain managers & same is the case with indexers.

Is there any option to create custom index patters so that all AWS related alerts will be stored in wazuh-alerts-aws-* & so on?

Please guide. Apologies if I am asking too much!

Regards, KS

[Khul Sat]

Hello,

Any comments/advise... please...?!?

[Awwal Ishiaku]

Hi Khul,

You can restrict the agents to send the logs to certain managers. You simply need to configure the agent with the desired manager's IP address.

By default, indices/shards are spread to as many indexer nodes as possible. However, you can customize this behavior to meet your requirements.

You can create custom index patterns. Refer to our documentation on configuring indices.

Regards

[Khul Sat]

Thank you Awwal!

Understood the Manager part.

Could you please provide more KBs on indices configuration? What I understood is:

On every cloud platform, there will 3 indexers. Every Indexers on each cloud platform will have its unique index pattern. Every indexer farm will communicate to the managers (in that particular cloud platform) and the single dashboard which would be on some other cloud platform. Is my understanding right?

How much bandwith utilization do you suspect if there are around 600-800 endpoints which are generating moderate events? (I know its completely dependent on the type and volume of logs being generated, but wish to have a fair idea)

Regards, KS

[Khul Sat]

Please help!

[Khul Sat]

Hello,

Could you please check this attached diagram and let me know if the architecture is correct?

Thanks, KS