Wazuh Manager configuration in docker multi-node installation


Max Kirshin

Dec 13, 2022, 9:59:18 AM
to Wazuh mailing list
Hello Wazuh team
Trying to manage my installation. I need some help and clarification.
I have Wazuh docker multi-node installation. All settings are "default", as it was in Wazuh-docker release v4.3.8.
Sorry, but I don't understand how to change manager configuration (ossec.conf). Should I change it inside both containers (master and worker)? Is it possible to do via API Console? I've tried PUT /manager/configuration, but failed. I need clarification about in what form I should provide ossec.conf. Is "PUT /manager/:component/configuration" intended to update particular manager settings? Please provide me with an example.
I have similar questions about agents.conf and PUT /groups/{group_id}/configuration.
Also, I'm interested in clarification about SCA and SCA push. Is it possible to set "sca.remote_commands=1" for local_internal_options.conf by default? It is said that default ruleset folders for agents are neither kept across installations nor updates. Where should I configure to use custom ruleset folders?
Thanks in advance

Marcos Javier Bonacci

Dec 13, 2022, 10:36:48 AM
to Wazuh mailing list

Hello za4inatel.
Thank you for using Wazuh.
Let me analyze the queries you mention and get back to you with comments on them.
Regards,
Javier

Marcos Javier Bonacci

Dec 14, 2022, 2:25:24 PM
to Wazuh mailing list

Hi za4inate

  • Change manager configuration (ossec.conf) / Should I change it inside both containers

The master doesn't send its local configuration file to the workers. If the configuration is changed in the master node, it should be changed manually in the workers. Take care not to overwrite the cluster section in the local configuration of each worker.

  • Is it possible to do via API Console?

The ossec.conf file is the main configuration file on the Wazuh manager, and it also plays an important role on the agents.

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/index.html

Documentation and references about RESTful API (Example)

https://documentation.wazuh.com/current/user-manual/api/getting-started.html

Here is how to update the Wazuh configuration (Example)

https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.manager_controller.update_configuration

  • I have similar questions about agents.conf

Agents can be configured remotely by using the agent.conf.

https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html

  • about SCA and SCA push (Still working on it)

  • Where should I configure to use custom ruleset folders? (Still working on it)

As soon as I have information on these last two points, I will be responding.
Regards,
Javier
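
An added example, not part of the original thread or Wazuh's own tooling: one way to carry the master's ossec.conf changes to a worker while keeping the worker's local cluster section, as advised above. It assumes exactly one uncommented `<cluster>` block per file; the function names and the trimmed sample configs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

CLUSTER_RE = re.compile(r"<cluster>.*?</cluster>", re.DOTALL)

# Constructed sample files, trimmed to the parts that matter here.
MASTER_CONF = """<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
  <cluster>
    <name>wazuh</name>
    <node_name>master-node</node_name>
    <node_type>master</node_type>
    <key>CONSTRUCTED_PLACEHOLDER_KEY</key>
  </cluster>
</ossec_config>
"""
WORKER_CONF = MASTER_CONF.replace("<logall>yes", "<logall>no") \
    .replace("master-node", "worker01").replace(">master<", ">worker<")


def cluster_fields(conf_text):
    """Parse ossec.conf and return the single <cluster> block as a dict."""
    # ossec.conf may hold several <ossec_config> roots, so wrap it before parsing.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    blocks = root.findall("./ossec_config/cluster")
    if len(blocks) != 1:
        raise ValueError("expected exactly one <cluster> block")
    return {child.tag: (child.text or "").strip() for child in blocks[0]}


def merge_for_worker(master_conf, worker_conf):
    """Return the master's settings with the worker's own <cluster> block kept."""
    local = CLUSTER_RE.findall(worker_conf)
    if len(local) != 1 or len(CLUSTER_RE.findall(master_conf)) != 1:
        raise ValueError("expected exactly one <cluster> block in each file")
    # A function replacement avoids backslash interpretation in the inserted text.
    merged = CLUSTER_RE.sub(lambda _m: local[0], master_conf)
    # Fail closed: refuse output that would turn the worker into a master.
    if cluster_fields(merged).get("node_type") != "worker":
        raise ValueError("merged file does not describe a worker node")
    return merged


if __name__ == "__main__":
    print(merge_for_worker(MASTER_CONF, WORKER_CONF))
```
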

Marcos Javier Bonacci

Dec 15, 2022, 10:00:30 AM
to Wazuh mailing list
Hi za4inate
Continuing with the pending consultations:
  • about SCA and SCA push (Still working on it)

sca.remote_commands is not enabled by default because it allows the manager to send policies with commands and execute them in the agent. As it is a security risk to open that door, it is disabled by default and only the commands of the policies that are preinstalled in ruleset/sca are executed. If the user wants to modify that default value he would have to change it and generate new agent packages with that modification.

  • Where should I configure to use custom ruleset folders? (Still working on it)

About the location, as you say, the policies that are in ruleset/sca are overwritten when the agent is updated, so they should not be modified in order not to lose the changes. That's why you should add the custom policies in another place, for example in <agent-installation-folder>/etc, but it's a matter of personal taste.
Regards,
Javier