Cluster configuration


Kpex

Feb 4, 2021, 11:29:18 AM
to Wazuh mailing list
Hi to all,
I have this scenario:
3 servers, one for the Wazuh manager, one for Elastic and one for Kibana.

I wish to do a distributed deployment, but I don't know: if I start with a Wazuh single-node configuration and an Elasticsearch single-node configuration, could I transform them into a cluster configuration later? Or is it better to already configure everything as a cluster even though I don't have the other nodes ready yet?

Thanks.

Robin Costas

Feb 5, 2021, 4:35:34 AM
to Wazuh mailing list
Hi Kpex,

Both Wazuh and Elasticsearch can be scaled up and down if needed.

Wazuh cluster
A Wazuh cluster is made up of manager nodes; these can be of master or worker type.
The master node centralizes and coordinates the worker nodes, and is the one in charge of agent registration/deletion, configuration of agent grouping, and synchronization of rules/decoders and CDB lists. It is not recommended to let agents report to the master node; instead, agents should report to a worker.
The worker node receives agent reporting and redirects agent status updates and agent registration requests to the manager.

For HA it is recommended to have more than one manager node receiving agent reporting, this way agents always have a manager to report to. Therefore, you would usually scale the workers up if you need better performance.

Cluster configuration is done through the <cluster> section of the node's ossec.conf; you can add or remove nodes from the cluster whenever you want. Read more on how to fill in the <cluster> section here: Deploying a Wazuh cluster

Elastic cluster
Opendistro also has roles defined for its nodes; you can read about them here: Cluster formation. You can add or remove nodes from your cluster quite easily through the /_cluster/settings endpoint of the Elasticsearch API. The minimum recommended architecture for an Opendistro cluster is 3 nodes (and, as a general rule, an odd number of nodes), as 2 nodes can lead to split-brain or to the whole cluster being in RED status with only 1 node down. We also have a guide in our documentation to help with this process: Elasticsearch multi-node cluster.

I hope this helps. As you can see, you can start with one node for each service and scale them up as you need without problems.
Regards,
Robin.
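The <cluster> rules Robin describes (one master, worker nodes, a shared key, and an odd number of at least 3 Elasticsearch nodes), as an added example that is not code from the thread or from Wazuh itself: it validates constructed ossec.conf fragments for a master and two workers and applies the node-count rule for the Elasticsearch side. The key and IP values are placeholders, and each fragment is assumed to be a single well-formed <ossec_config> element.

```python
import xml.etree.ElementTree as ET

def cluster_xml(node_name, node_type, key, master_ip="10.0.0.1"):
    """Build a constructed ossec.conf fragment carrying a <cluster> section."""
    return f"""<ossec_config><cluster>
  <name>wazuh</name><node_name>{node_name}</node_name><node_type>{node_type}</node_type>
  <key>{key}</key><port>1516</port><bind_addr>0.0.0.0</bind_addr>
  <nodes><node>{master_ip}</node></nodes><hidden>no</hidden><disabled>no</disabled>
</cluster></ossec_config>"""

KEY = "0123456789abcdef0123456789abcdef"  # placeholder 32-character key, not a real one
GOOD = [cluster_xml("master-node", "master", KEY),
        cluster_xml("worker-1", "worker", KEY), cluster_xml("worker-2", "worker", KEY)]
BAD = [cluster_xml("master-node", "master", KEY),            # second master below
       cluster_xml("worker-1", "master", KEY), cluster_xml("worker-2", "worker", "short")]

def check_wazuh_cluster(configs):
    """Return the problems found across the nodes' <cluster> sections (empty if OK)."""
    problems, types, keys, names = [], [], set(), set()
    for xml_text in configs:
        cl = ET.fromstring(xml_text).find("cluster")
        if cl is None:
            problems.append("node without <cluster> section")
            continue
        node = (cl.findtext("node_name") or "?").strip()
        key = (cl.findtext("key") or "").strip()
        ntype = (cl.findtext("node_type") or "").strip()
        if (cl.findtext("disabled") or "").strip() != "no":
            problems.append(f"{node}: <disabled> must be 'no' for the node to join")
        if ntype not in ("master", "worker"):
            problems.append(f"{node}: node_type must be master or worker")
        if len(key) != 32:  # Wazuh requires a 32-character key shared by all nodes
            problems.append(f"{node}: <key> must be exactly 32 characters")
        types.append(ntype); keys.add(key); names.add((cl.findtext("name") or "").strip())
    if types.count("master") != 1:
        problems.append(f"expected exactly one master node, found {types.count('master')}")
    if len(keys) > 1:
        problems.append("all nodes must share the same <key>")
    if len(names) > 1:
        problems.append("all nodes must use the same cluster <name>")
    return problems

def elastic_node_count_advice(master_eligible_nodes):
    """Sizing rule from the reply: at least 3 nodes, and an odd number of them."""
    if master_eligible_nodes < 3:
        return "fewer than 3 nodes: a single node down can leave the cluster RED"
    if master_eligible_nodes % 2 == 0:
        return "even node count: use an odd number to avoid split-brain"
    return "ok"

if __name__ == "__main__":
    print(check_wazuh_cluster(GOOD), check_wazuh_cluster(BAD), elastic_node_count_advice(2))
```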