Add Indexer node to an existing cluster

[Daniel Chung]

Hi Guys,

I run into a problem of adding a 2nd node to form multi-node Indexer cluster.

The problem I'm having now is that the initial node and the 2nd node are up but somehow they can't join the cluster. I run command "curl -k -u admin:admin https://<WAZUH_INDEXER_IP>:9200/_cat/nodes?v", each indexer is up and running individually, but they are not connecting each other. Tried telnet from each other on port 9200 without problem so network connection should be fine.

Any ideas would be highly appreciated!

Thanks,

Daniel

[Mauricio Aguilar]

Hi Daniel, thank you for reaching out to us. We suggest checking the Elasticsearch logs on both nodes to see if there are any errors or warnings related to the cluster formation:

cat /var/ossec/logs/alerts/alerts.log

If the issue persists, please provide us with the Elasticsearch logs and we will be happy to assist you further.

Best regards, the Wazuh Cloud team.

[Daniel Chung]

Hi ,

Just to clarify, I am using Wazuh Indexer to form the cluster. I don't see any errors or warnings related to the Indexer cluster on both nodes.

The alerts log may contains some sensitive information, where can I upload to the team but not posting in public group?

Regards,

Daniel

[Daniel Chung]

A note to add. I checked the /var/log/wazuh-indexer/wazuh-cluster.log on both nodes, there were no indication the nodes have ever tried to connect each other. Looks like they are working individually, but I had followed the guide to configure the cluster in opensearch.yml file already.

[Mauricio Aguilar]

Hello, I made a mistake with the name of the file, sorry, the file to check is:
/var/ossec/log/ossec.log
Please do not send sensitive information.
If this file contains errors, please send here the error, removing the sensitive information that may appear.

The official guide for multi node configuration is this:
wazuh-multi-node-cluster

Have you followed this guide?

Can you post what these commands return, while I analyze this case?:

command to check if the Wazuh manager is active:
systemctl status wazuh-manager

Command to verify that the Wazuh cluster is enabled and all the nodes are connected
/var/ossec/bin/cluster_control -l

Regards.

[Daniel Chung]

Hi,

I am setting up Wazuh Indexer cluster, not the Wazuh Server (Manger and filebeat) cluster. 
Anyway, after I removed Wazuh Indexer from 2nd node and reinstalled again, the cluster is formed and up now. However, I came into other issue....
Since a newer version of Wazuh Indexer was just released, the reinstallation had the latest version installed on the 2nd node. For consistency, I upgraded the component on the 1st node, but then I encountered issue that the dashboard is showing "Wazuh dashboard server is not ready yet"

Tried restarting all services and they are all up/active. Appreciate if you can help me to resolve it.

Regards,

Daniel

[Mauricio Aguilar]

The resolution continues here: https://wazuh.slack.com/archives/C0A933R8E/p1681135684764859