Wazuh Cluster Replication for Disaster Recovery

Farid Alakbarli

Jun 9, 2026, 8:54:45 AM
to Wazuh | Mailing List

Hello Wazuh Support Team,

I have one additional question regarding our Wazuh deployment.

We currently operate a Wazuh cluster consisting of one master node and three worker nodes. We are evaluating options for disaster recovery and business continuity and would like to know whether it is possible to replicate the entire Wazuh cluster, including its configuration and relevant data, to a secondary server environment.

Our goal is to establish a Disaster Recovery (DR) solution with failover capabilities using an active-passive architecture. In the event of a failure affecting the primary environment, we would like to be able to switch operations to the secondary environment with minimal disruption.

Could you please advise on the recommended approach, best practices, and any available documentation for implementing such a setup with Wazuh?

Thank you for your assistance and support.

Ifeanyi Onyia Odike

Jun 9, 2026, 10:50:55 AM
to Wazuh | Mailing List
Hi @Farid

You can implement an active‑passive DR setup for your Wazuh cluster, but it is not a single “replicate whole cluster” button; you need to combine manager component backups/restores, OpenSearch replication or snapshots for indexer data, and a traffic failover mechanism for agents (DNS or a load balancer).

For your scenario (1 master, 3 workers, active‑passive DR):
  • Build a second, independent Wazuh stack (manager cluster, indexer cluster, dashboard) in the DR site with the same version and similar sizing.
  • Continuously replicate:
      • Wazuh manager configuration and critical files (including client.keys) from primary master to DR master. At minimum, keep the following files synchronized: Wazuh manager backup files. Use rsync, lsyncd, or similar to continuously sync these files from the primary master to the DR master while preserving ownership and permissions, as recommended by the backup guide. If you lose the primary, the DR master already has the same agent keys and configuration, so agents can reconnect without re‑enrollment.
      • Wazuh indexer data from primary to DR using OpenSearch Cross‑Cluster Replication (CCR) or snapshot/restore. Native DR is provided at the OpenSearch layer via Cross‑Cluster Replication (CCR): configure the primary as the leader and the DR as the follower so that indices like wazuh-alerts-* are continuously replicated.

        Alternatively, periodic snapshots can be taken to a shared repository and restored into the DR cluster, as shown in the backup and snapshot guides (Migrating Wazuh Indices). But I would recommend the CCR instead.
  • Use DNS or a global/load balancer entry (e.g., wazuh-mgr.example.com) that you can switch to point agents to the primary or DR in case of a site failure. This effectively gives you an operational active‑passive architecture without stretching a single Wazuh cluster across sites.
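
A drift check for the manager file sync described in the reply above, as an added example that is not part of the original thread and not Wazuh's own tooling: it records SHA-256, mode and owner for every file in a synced directory on each master and lists the files whose DR copy differs. The `dump`/`diff` command names and the choice of which directory to scan are assumptions.

```python
import grp, hashlib, json, os, pwd, stat, sys
from pathlib import Path

def _name(lookup, ident):
    try:
        return lookup(ident)[0]   # account or group name
    except KeyError:
        return str(ident)         # no passwd/group entry: keep the number

def manifest(root):
    """Map each regular file under root to its SHA-256, permission bits and owner."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip sockets and symlinks
            out[os.path.relpath(path, root)] = {
                "sha256": hashlib.sha256(Path(path).read_bytes()).hexdigest(),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "owner": f"{_name(pwd.getpwuid, st.st_uid)}:{_name(grp.getgrgid, st.st_gid)}",
            }
    return out

def drift(primary, dr):
    """Return sorted (path, problem) pairs where the DR copy differs from the primary."""
    problems = []
    for path, want in primary.items():
        have = dr.get(path)
        if have is None:
            problems.append((path, "missing on DR"))
            continue
        for field in ("sha256", "mode", "owner"):
            if have[field] != want[field]:
                problems.append((path, f"{field} differs"))
    problems += [(p, "only on DR") for p in dr if p not in primary]
    return sorted(problems)

if __name__ == "__main__":
    # dump <dir>: print a JSON manifest (run on each master as a user that can read the files)
    # diff <primary.json> <dr.json>: list drift, exit 1 if any
    if sys.argv[1] == "dump":
        print(json.dumps(manifest(sys.argv[2]), indent=1))
    else:
        found = drift(*(json.loads(Path(p).read_text()) for p in sys.argv[2:4]))
        for path, problem in found:
            print(f"{path}: {problem}")
        sys.exit(1 if found else 0)
```

The manifest holds hashes and metadata only, so it can be copied between sites for comparison without carrying the agent keys themselves.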