Wazuh cluster not sending logs to master

Nishant Paradkar

Jan 4, 2024, 8:22:24 AM
to Wazuh | Mailing List
Hello Team,

I have created a Wazuh master and a worker. I have added an agent on the worker. I am able to see the agent on the web GUI of the master and its status is active. But it is not generating any logs.
Please help me with the same. Thanks in advance.


Regards,
Nishant Paradkar

Juan Nicolás Asselle (Nico Asselle)

Jan 5, 2024, 7:34:23 AM
to Wazuh | Mailing List
Hi Nishant,

To figure out what the problem is, I need answers to the following questions:

- Wazuh Manager/Worker version
- Wazuh agent installation procedure and configuration regarding manager connection information (HIDE SENSITIVE DATA)
- Worker status from the Master side (command line or Wazuh Dashboard)
- "But it is not generating any logs" means no Security Events from that agent, right?

Regards,
Nico

Nishant Paradkar

Jan 6, 2024, 10:03:33 PM
to Wazuh | Mailing List
Hi Nico,
Thank you for your quick response. I was on an all-in-one architecture before. So I created a new master and worker in a distributed architecture and now it's working fine. The version is 4.7.1 for master and worker. I have 2 Wazuh managers (one master, one worker), 2 Wazuh indexers, and 2 Wazuh dashboards. This is configured in a load balancing architecture. Now I am able to add agents and see logs. My only problem is that I am only able to access the master server's dashboard. I have also installed a dashboard on the worker but it's showing wazuh dashboard server not ready yet. Can you help me with the same? I want 2 dashboards such that if the master fails I should be able to see the dashboard on the worker. Also, I had some other queries about multi cluster architecture.
1. If I add Office 365 integration on master and worker, will it create duplicate logs?
2. If both the servers have mail configured with the same rules, would it create double emails for alerting for the same incident?
Please help me with the same. Thanks in advance.

Regards,
Nishant Paradkar

Juan Nicolás Asselle (Nico Asselle)

Jan 8, 2024, 7:37:11 AM
to Wazuh | Mailing List
Hi Nishant,

Based on your explanation about your environment, it seems that there is a misunderstanding of the Wazuh Architecture. You can take a look here: https://documentation.wazuh.com/current/getting-started/architecture.html
There's no need to add a Wazuh Indexer + Wazuh Dashboard per Wazuh Server node.

Here are my answers:
1. Yes (if both are configured with the exact same data). Both nodes (worker and manager) will query O365 and will create alerts.
2. Alerts in Wazuh Server scope will be created based on its agent information. So, if agent A connected to Worker A generates an alert, that worker will create the alert locally and send it to the configured emails.

Regards,
Nico
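
Added example, not part of the thread and not Wazuh's own code: a Python check for the duplication described in answer 1, grouping Office 365 alerts by event ID and reporting those produced by more than one cluster node. The alert lines are constructed, and the field names `cluster.node` and `data.office365.Id` are assumptions about the alert JSON layout.

```python
import json
from collections import defaultdict

# Constructed sample: one JSON alert per line, merged from both nodes.
# Assumed layout: cluster.node names the node, data.office365.Id the O365 event.
SAMPLE_ALERTS = """\
{"cluster": {"node": "master-node"}, "data": {"office365": {"Id": "evt-0001", "Operation": "UserLoginFailed"}}}
{"cluster": {"node": "worker-node"}, "data": {"office365": {"Id": "evt-0001", "Operation": "UserLoginFailed"}}}
{"cluster": {"node": "worker-node"}, "data": {"office365": {"Id": "evt-0002", "Operation": "FileAccessed"}}}
{"cluster": {"node": "master-node"}, "data": {"office365": {"Id": "evt-0003", "Operation": "UserLoggedIn"}}}
{"cluster": {"node": "master-node"}, "data": {"office365": {"Id": "evt-0003", "Operation": "UserLoggedIn"}}}
{"cluster": {"node": "worker-node"}, "agent": {"name": "agent-a"}, "data": {"srcip": "192.0.2.10"}}
this line is truncated and not valid JSON
"""


def dig(obj, *keys):
    """Walk nested dicts, returning None as soon as a level is missing."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def find_duplicate_o365_events(lines):
    """Return {event_id: [nodes]} for O365 events alerted on by 2+ nodes."""
    nodes_by_event = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or corrupted lines
        event_id = dig(alert, "data", "office365", "Id")
        node = dig(alert, "cluster", "node")
        if event_id and node:  # ignores non-O365 alerts such as agent events
            nodes_by_event[event_id].add(node)
    # The same event repeated by a single node is not a cross-node duplicate.
    return {eid: sorted(nodes) for eid, nodes in nodes_by_event.items()
            if len(nodes) > 1}


if __name__ == "__main__":
    for eid, nodes in find_duplicate_o365_events(SAMPLE_ALERTS.splitlines()).items():
        print(f"O365 event {eid} was alerted on by: {', '.join(nodes)}")
```
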
