Expanding wazuh indexer cluster


wazuh

Feb 17, 2025, 3:31:22 AM
to Wazuh | Mailing List
Hi, I am planning to add 3 new indexer nodes to an existing Wazuh cluster. I've already created certificates, signed by the original root-ca.key, and installed the Wazuh indexer on the 3 new VMs. However, what is left is connecting to the existing cluster and synchronizing the data. What would be the best way to achieve this to ensure that as little time as possible is spent in cluster health red?

I used the following documentation to install new Wazuh indexers up to the point of cluster initialization. Do I just need to run the initialization script on one of the indexers and it should automatically start synchronizing all indexers?
Adding Wazuh indexer nodes - Wazuh indexer cluster

I've also done some research about adding clusters, and read that it is recommended to synchronize one of the 3 new indexer nodes and then synchronize the other 2 nodes using the data of the newly added indexer (the original cluster is on-prem and the 3 nodes are in the cloud, connected through a VPN connection. The idea is to avoid having to transfer data over too long distances). Would this be achievable when connecting Wazuh indexers?

Lastly, how does Wazuh determine the main master indexer node? Is it the first one that is listed in the opensearch.yml?

Farouk Musa

Feb 17, 2025, 7:21:34 AM
to Wazuh | Mailing List
Hi. Yes, correct, you just need to run the script on one of the indexers and it will automatically synchronize the new nodes. On synchronizing one node before the others: the script automatically does it for all the nodes you have specified in the config; it won't do them one by one. On the concern about sharing data over long distance, this should not be a major concern, as the indexer sync does not consider network metrics in determining how to replicate data or which node to replicate from. The major consideration should be that your config has been properly put in the config files, and the sync process will be seamless.

On how the master node is selected: in the opensearch.yml config file, we specify all the master-eligible nodes in the cluster.initial_master_nodes option; the indexer then uses an inbuilt election algorithm to identify which node is eligible to be the master.

wazuh

Feb 18, 2025, 5:42:21 AM
to Wazuh | Mailing List
Was able to add to the cluster after this; however, you need to be careful, as it removed all the internal users and tenants that were added through the dashboard UI (including resetting the default user passwords, such as for the admin user). It would be good to have this as a warning in the documentation for adding an indexer node.
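An added example, not part of the thread and not Wazuh's own tooling: one way to confirm whether the loss reported in the last message occurred is to save the internal users and tenants before running the initialization script and diff them afterwards. The snapshots below are constructed sample data shaped like the OpenSearch security plugin REST responses; the function names are hypothetical, and it is assumed the responses do not expose password hashes, so a reset password would not show up in this diff.

```python
# Constructed sample snapshots (not real data), shaped like the responses of the
# OpenSearch security plugin endpoints GET _plugins/_security/api/internalusers
# and GET _plugins/_security/api/tenants (object name -> definition).
BEFORE = {
    "internalusers": {
        "admin": {"reserved": True, "backend_roles": ["admin"]},
        "soc_analyst": {"reserved": False, "backend_roles": ["readall"]},
        "svc_reports": {"reserved": False, "backend_roles": []},
    },
    "tenants": {
        "global_tenant": {"reserved": True, "description": "Global tenant"},
        "soc_team": {"reserved": False, "description": "SOC dashboards"},
    },
}
AFTER = {
    "internalusers": {
        "admin": {"reserved": True, "backend_roles": ["admin"]},
        "soc_analyst": {"reserved": False, "backend_roles": []},
    },
    "tenants": {"global_tenant": {"reserved": True, "description": "Global tenant"}},
}


def diff_objects(before, after):
    """Diff two name->definition maps; 'removed_custom' lists non-reserved losses."""
    removed = sorted(set(before) - set(after))
    return {
        "removed": removed,
        "removed_custom": [n for n in removed if not before[n].get("reserved", False)],
        "added": sorted(set(after) - set(before)),
        "changed": sorted(n for n in set(before) & set(after) if before[n] != after[n]),
    }


def compare_snapshots(before, after):
    """Diff every object type in either snapshot; a missing type counts as empty."""
    kinds = sorted(set(before) | set(after))
    return {k: diff_objects(before.get(k, {}), after.get(k, {})) for k in kinds}


def has_loss(report):
    """True when any object was removed or altered, i.e. the change was not additive."""
    return any(d["removed"] or d["changed"] for d in report.values())


if __name__ == "__main__":
    report = compare_snapshots(BEFORE, AFTER)
    for kind, delta in report.items():
        print(kind, delta)
    print("security configuration lost or altered:", has_loss(report))
```

Anything listed under `removed_custom` was created outside the shipped configuration files and would have to be recreated or restored from a backup.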