Sending alerts and logs from Wazuh all-in-one to Wazuh cluster

[jonh]

How can i send alerts and logs from Wazuh all-in-one to Wazuh cluster, I also need the alerts to be logged on the cluster

[Md. Nazmur Sakib]

Hi jonh,


If you want to upscale your existing deployment to cluster by adding a new node to it. Follow this document.
https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster/adding-new-server-nodes/index.html


If you want to do a completely new deployment you can follow this.

You can copy the logs from the Wazuh alerts and archives folder to your new environment where you have cluster setup and reinject the log to your indexer to create indices for those logs and show them on the dashboard

/var/ossec/logs/alerts/

/var/ossec/logs/archives/


You need to follow this document for this:

https://wazuh.com/blog/recover-your-data-using-wazuh-alert-backups/

The script will reinject the log to your indexer using the .json.gz logs


The script will look for the logs in this format for alert logs.

alert_file = "{0}logs/alerts/{1}/{2}/ossec-alerts-{3:02}.json.gz".format

Meaning /logs/alerts/Year/Mon/ossec-alerts-date.json.gz

You need to modify that line if you want to restore the archives logs.


Please keep in mind that this restored log will not show in the Wazuh Dashboards, meaning threat hunting, FIM, and SCA events if you are moving from a single manager setup to a cluster.

Your old logs do not have this information cluster name, but it is necessary to have it in a cluster setup to show these logs in the Dashboard. Because of this sticky filter cluster.name

Which is manager.name in the deployment where there is no cluster.

You will still be able to see those old alerts in Discover




The only way to see these logs in the dashboard is to add this field name to each alert one by one, which is not a practical method.


We can change the manager name using the API tool per document but cannot change it in bulk

For this go to Indexer management > Dev tool

POST /wazuh-alerts-4.x-2024.06.03/_update/<Document_ID>

{

    "doc" : {

        "cluster": {

      "name": "<cluster_name>"

    }

    }

}

Let me know if you need any further information.

[jonh]

I'm sorry, I realized that I didn't explain the problem enough, I have an architecture where I have to promptly send the generated alerts from Wazuh all-in-one to another Wazuh Cluster (and see them on Dashboard), and I also have to send logs from Wazuh all-in-one and take logs to Wazuh Cluster and archive it for 3 years in another file (not in /var/ossec/logs/archives/archive.json)

среда, 5 февраля 2025 г. в 14:29:51 UTC+5, Md. Nazmur Sakib:

[Md. Nazmur Sakib]

I have shared the response in your other post 

https://groups.google.com/d/msgid/wazuh/98c4dfd9-652d-4766-b61b-d69a0dea117bn%40googlegroups.com