“partitioned” cluster and unified dashboard

[Dirk Westenhaus]

Hello,

please see the diagram below for clarification: I have set up Wazuh Indexer cluster in two sites. On each site, there are agents sending their logs to a local Wazuh manager/worker, which forward these logs to their _local_ Wazuh Indexers. There are also Wazuh Dashboards in each site connected to their local and remote Wazuh managers/workers. In these Dashboards, the connection can be switched between the two sites (thanks again Sandra!).

This is working seemingly good. Now, there should be a third Dashboard view, namely one that displays data from the whole database cluster, with data/agents from both sites.

Therefore I have installed a third Wazuh Worker (named node2313 in the diagram, identifiable with the dotted lines style) and set it up by connecting its Filebeat service to all database nodes, in both sites. That's all that was seemingly needed to restrict the other local Dashboard nodes to store data only on the local database nodes, and also to view only data from the local database clusters (is that right??). After that, I have configured this Worker to a Dashboard's host list to be able to select that connection in Dashboard view.

But when selecting the third, “globally” connected Wazuh Worker, no agents can be found.

For completeness's sake, I should mention that I have tried to change the index pattern to ones with site-specific suffixes like wazuh-alerts-4.x-clustera-* (see my previous mail in https://groups.google.com/g/wazuh/c/oVAbgdQ0Xbo), but did not succeed. Because I see that indexes with the normal names are being used, and the local Dashboards seem to work without problems, I suspect that this is not an error source for the topic of the unified database view.

If you went through all this text, thank you. Here is a diagram describing the situation:

If you have any idea what could be helpful, please reply. Thank you.

Best regards, Dirk.

[Dirk Westenhaus]

Update: I was successfully able to change the index patterns to site-specific names, but, as expected, the unified dashboard still sees no clients. I am still thankful for any hints.

Best regards, Dirk.

[Gustavo Choquevilca]

Hello,
I'm going to investigate this query, and I'll come back when I have an answer.

Best regards.

[Dirk Westenhaus]

Hi,

to clarify: My setup currently uses a single Wazuh/Opensearch cluster which consists of nodes in both sites. I hope that this diagram makes that a little clearer:

The dotted nodes and connections is what is missing for now.

There is further discussion in https://groups.google.com/g/wazuh/c/oVAbgdQ0Xbo about whether to use a single cluster or configure cross-cluster replication.

With best regards, Dirk.

[Gustavo Choquevilca]

Hello Dirk,
In this scenario, what you could use is an OpenSearch functionality called Cross-cluster search, I recommend that you review the available documentation.

• Cross-cluster search
• Search across clusters

Best Regards.