Wazuh Master Node Deployment Best Practices


JZI

Sep 16, 2024, 11:59:11 PM
to Wazuh | Mailing List
Hi,

In our company we are planning to use a Wazuh cluster in such a way that the Master Node will be in our network and the Worker Nodes (the Wazuh Server itself) will be in the customers' networks. We have solved this similarly with Zabbix: the main server is at our site, and the proxy servers are at each of the customers.

My question is how to set up the Master Node. In the case of Zabbix, we learned that the best practice for the main installation was to split it into 3 VMs, i.e. separate VMs for the Frontend, the database and the Zabbix server.

For the main Wazuh Node (the server, Indexer and Dashboard), is it also recommended to separate them into 3 separate VMs? Is this one of the "best practices" in implementation? Does it bring performance or security benefits, or does it change nothing and just hinder deployment, so that it is better to set up a Master Node with a script and later add remote Worker Nodes?

It would be nice if you could share your experience of what the implementation of such a Master Node looks like in most companies, i.e. which option is used more often.

If it helps, Wazuh will initially be used for monitoring O365 tenants, and if the solution is accepted it will probably be extended to monitor servers, NASes and UTMs. Most of the server infrastructure is on-premises. We do not have cloud servers.

Thanks

ismail....@wazuh.com

Sep 17, 2024, 6:33:05 AM
to Wazuh | Mailing List
Hi,

Wazuh can be installed on a single host with all components (Wazuh Manager, Indexer, and Dashboard), which is recommended for small-scale implementations that don't require handling a high volume of data. This all-in-one setup works well for simpler environments, allowing for easier management and maintenance.

However, in production environments where data volumes are higher and performance is critical, a distributed architecture is preferred. By distributing each component (Wazuh Manager, Indexer, and Dashboard) across different hosts, you can allocate specific resources to each Wazuh component, optimizing performance and scalability.

To install the Wazuh manager component in different networks, you must pay attention to latency and communication to avoid performance issues. The most common setup is to have each component in the same network.

  • The Wazuh indexer is a highly scalable, full-text search and analytics engine. This central component indexes and stores alerts generated by the Wazuh server.

  • The Wazuh server analyzes data received from the agents. It processes it through decoders and rules, using threat intelligence to look for well-known indicators of compromise (IOCs). A single server can analyze data from hundreds or thousands of agents, and scale horizontally when set up as a cluster. This central component is also used to manage the agents, configuring and upgrading them remotely when necessary.

  • The Wazuh dashboard is the web user interface for data visualization and analysis. It includes out-of-the-box dashboards for threat hunting, regulatory compliance (e.g., PCI DSS, GDPR, CIS, HIPAA, NIST 800-53), detected vulnerable applications, file integrity monitoring data, configuration assessment results, cloud infrastructure monitoring events, and others. It is also used to manage Wazuh configuration and to monitor its status.

As mentioned, depending on the amount of data you will receive and the number of agents, you can install only a single Wazuh Manager node (master/worker), or you can install the Wazuh Server in cluster mode, which will allow you to manage a large number of Wazuh agents more efficiently and ensure high availability.

There are two types of nodes in the Wazuh server cluster, the master node and the worker node; please refer to the Wazuh documentation linked below.

The Wazuh server cluster is managed by the wazuh-clusterd daemon, which communicates with all the nodes following a master-worker architecture. Refer to the "How the Wazuh server cluster works" section of the documentation for more information.

Wazuh reference documents:

https://documentation.wazuh.com/current/getting-started/architecture.html
https://documentation.wazuh.com/current/getting-started/components/index.html
https://documentation.wazuh.com/current/user-manual/manager/wazuh-server-cluster.html


Regards,
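As an added illustration (not code from the thread above or from the Wazuh project), the `<cluster>` block of `/var/ossec/etc/ossec.conf` for the two node roles described in the reply, laid out for the scenario in the question: a master node in the provider's network and a worker node at a customer site. The node names, the master address and the cluster key are placeholders to be replaced.

```xml
<!-- Master node (provider network): /var/ossec/etc/ossec.conf -->
<ossec_config>
  <cluster>
    <name>wazuh</name>                    <!-- cluster name; must be identical on every node -->
    <node_name>master-node</node_name>    <!-- must be unique per node -->
    <node_type>master</node_type>
    <!-- 32-character shared secret used to encrypt node-to-node traffic; identical on all nodes.
         Placeholder below: generate a real one with  openssl rand -hex 16  and keep it out of tickets/chat. -->
    <key>REPLACE_WITH_32_CHAR_CLUSTER_KEY</key>
    <port>1516</port>                     <!-- workers connect here; allow only the worker IPs at the firewall -->
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>MASTER_REACHABLE_IP</node>    <!-- placeholder: address the remote workers can reach -->
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
</ossec_config>

<!-- Worker node (customer network): /var/ossec/etc/ossec.conf -->
<ossec_config>
  <cluster>
    <name>wazuh</name>                    <!-- same cluster name as the master -->
    <node_name>worker-customer-a</node_name>
    <node_type>worker</node_type>
    <key>REPLACE_WITH_32_CHAR_CLUSTER_KEY</key>   <!-- same key as the master -->
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>MASTER_REACHABLE_IP</node>    <!-- the master's address; only outbound 1516 to the master is needed from the site -->
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
</ossec_config>
```

Agents at the customer site enroll and report to the local worker (ports 1515/1514), while the worker synchronizes with the master over 1516, so the cross-site latency the reply warns about only affects the worker-to-master link. After restarting `wazuh-manager` on each node, `/var/ossec/bin/cluster_control -l` on the master should list every connected worker.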
