Wazuh agent to Wazuh manager communication

[JV]

Hi,

Question regarding agent to manager communication.

Can I configure agent to talk to multiple managers?

I know there is LB option but that's not why I need it, it's more because of users who are traveling or are connecting to network via VPN, so it would be nice if their workstations would talk to closest manager.

BR,

JV

[Carlos Ridao]

Hi JV,

I'm afraid talking with the closest manager is not possible as there is no way to determine which one is the closest but you can use one of the following solutions instead:

A) Use a Load Balancer and configure it to send agent events to the node with the lowest latency. In that case we recommend you to setup the Sticky session or stickyness of your Load Balancer to route the traffic of each agent to the same node that received the initial conection. Keep in mind that these options may or may not be available depending on the Load Balancer used and that the way it is configured may be different.

Here is an example of how to configure NGINX Load balancer for a Wazuh cluster using hash IP algorithm to add persistence to the communication between Wazuh agents and nodes:

    https://wazuh.com/blog/nginx-load-balancer-in-a-wazuh-cluster/

And here is the documentation about using Wazuh Cluster with Load Balancers:
    https://documentation.wazuh.com/3.10/user-manual/configuring-cluster/advanced-settings.html#pointing-agents-to-the-cluster-with-a-load-balancer
    

B) Configure the agents with `failover mode` to have a list of nodes so in case they're not able to connect to the first manager the agent will try to connect to the next one of its list to keep reporting. In order to do so you need to add as many `<server>` blocks as you want in the `/var/ossec/etc/ossec.conf`. Here is an example:

    <client>
        <server>
            <address>172.0.0.4</address>
            <port>1514</port>
            <protocol>udp</protocol>
        </server>
        <server>
            <address>172.0.0.5</address>
            <port>1514</port>
            <protocol>udp</protocol>
        </server>
        <config-profile>ubuntu, ubuntu18, ubuntu18.04</config-profile>
        <notify_time>10</notify_time>
        <time-reconnect>60</time-reconnect>
        <auto_restart>yes</auto_restart>
        <crypto_method>aes</crypto_method>
    </client>

   
If you need more information about this solution you can find it here:
    https://documentation.wazuh.com/3.10/user-manual/configuring-cluster/advanced-settings.html#pointing-agents-to-the-cluster-failover-mode


I hope these answers are helpful, please do not hesitate to contact back if you have any other issues, and thank you for your contribution, it helps us keep improving.

Best regards,
Carlos.

[JV]

Thank you Carlos!

It was very helpful.

[JV]

Hi Carlos,

One followup question regarding B scenario.

Do I also need to register the agent on both managers where it'll send data to? Or is there some sort of central registry option?

BR,

JV

[Juan Carlos]

Hi JV,

Sorry for the rather late reply, I just noticed your question has gone unanswered.

If you configure the Wazuh managers to work as a cluster ( more information here: https://documentation.wazuh.com/3.10/user-manual/configuring-cluster/index.html ) you will only need to register the agents with the master manager.

The managers will communicate with one another on port 1516 and centralized configuration and registered agents will be pushed from the master manager to the worker manager(s).

Let us know if you have any more questions.

Best Regards,

Juan Carlos Tello