Wazuh cluster HA using nginx
127 views
Skip to first unread message
Atul Chadha
Sep 26, 2023, 4:27:08 AM9/26/23
to Wazuh | Mailing List
Based on the instructions in below link , i am trying to setup a 3 node load balanced cluster (1 master , 2 worker all running v4.3 )
I have setup a nginx config on another machine in same network and able to connect to port 1514 / 1515 without issues.
When i add the load balancer DNS and restart the wazuh-agent i get below error
Nginx Config
http {
include mime.types;
default_type application/octet-stream;
client_max_body_size 20M;
sendfile on;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
upstream cluster {
server x.x.x.x:1514;
server x.x.x.x:1514;
server x.x.x.x:1514;
}
upstream master {
server x.x.x.x:1515;
}
server {
gzip on;
listen 1514;
location /
{
proxy_pass http://cluster;
proxy_connect_timeout 150;
proxy_send_timeout 100;
proxy_read_timeout 100;
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /404.html {
}
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
server {
gzip on;
listen 1515;
location /
{
proxy_pass http://master;
proxy_connect_timeout 150;
proxy_send_timeout 100;
proxy_read_timeout 100;
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /404.html {
}
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
Error logs wazuh-agentd
2023/09/26 08:17:55 wazuh-agentd: INFO: Closing connection to server (mydns.com/x.x.x.x:1514/tcp).
2023/09/26 08:17:55 wazuh-agentd: INFO: Trying to connect to server (mydns.com/x.x.x.x:1514/tcp).
2023/09/26 08:17:55 wazuh-agentd: ERROR: Corrupt payload (exceeding size) received.
Error logs nginx
x.x.x.x - - [26/Sep/2023:08:24:21 +0000] "Z\x00\x00\x00!055!#AES:!\x0B=7q" 400 157 "-" "-" "-"
x.x.x.x - - [26/Sep/2023:08:24:31 +0000] "j\x00\x00\x00!055!#AES:E\xFA\xAF2\xC0\xCAp\xF3\xCE\x08\x18\x84?" 400 157 "-" "-" "-"
x.x.x.x - - [26/Sep/2023:08:24:41 +0000] "j\x00\x00\x00!055!#AES:O\x16\x1Bn\x95U\xA6\x88\x00\xCF`H\xCB| \xB3\xF3!9\xE0V\xA30T[\x0F\xF3|\x01\x8FW\xEE3\x1A\x92<\x99\x04\xD6g\x1A\x94}E\xFC\xC6\xB6\xCB\xE1&&m\xDBJ+o\x08<\x89\xC8\xD7E3\xCC2;\xC8\x11\x94(DY7\x043f\xD5/\x0BM}~\xA3[\xC2l\x0FpuU\xA8\x5C\xAEY\x95\xF1" 400 157 "-" "-" "-"
http {
include mime.types;
default_type application/octet-stream;
client_max_body_size 20M;
sendfile on;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
upstream cluster {
server x.x.x.x:1514;
server x.x.x.x:1514;
server x.x.x.x:1514;
}
upstream master {
server x.x.x.x:1515;
}
server {
gzip on;
listen 1514;
location /
{
proxy_pass http://cluster;
proxy_connect_timeout 150;
proxy_send_timeout 100;
proxy_read_timeout 100;
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /404.html {
}
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
server {
gzip on;
listen 1515;
location /
{
proxy_pass http://master;
proxy_connect_timeout 150;
proxy_send_timeout 100;
proxy_read_timeout 100;
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /404.html {
}
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
Error logs wazuh-agentd
2023/09/26 08:17:55 wazuh-agentd: INFO: Closing connection to server (mydns.com/x.x.x.x:1514/tcp).
2023/09/26 08:17:55 wazuh-agentd: INFO: Trying to connect to server (mydns.com/x.x.x.x:1514/tcp).
2023/09/26 08:17:55 wazuh-agentd: ERROR: Corrupt payload (exceeding size) received.
Error logs nginx
x.x.x.x - - [26/Sep/2023:08:24:21 +0000] "Z\x00\x00\x00!055!#AES:!\x0B=7q" 400 157 "-" "-" "-"
x.x.x.x - - [26/Sep/2023:08:24:31 +0000] "j\x00\x00\x00!055!#AES:E\xFA\xAF2\xC0\xCAp\xF3\xCE\x08\x18\x84?" 400 157 "-" "-" "-"
x.x.x.x - - [26/Sep/2023:08:24:41 +0000] "j\x00\x00\x00!055!#AES:O\x16\x1Bn\x95U\xA6\x88\x00\xCF`H\xCB| \xB3\xF3!9\xE0V\xA30T[\x0F\xF3|\x01\x8FW\xEE3\x1A\x92<\x99\x04\xD6g\x1A\x94}E\xFC\xC6\xB6\xCB\xE1&&m\xDBJ+o\x08<\x89\xC8\xD7E3\xCC2;\xC8\x11\x94(DY7\x043f\xD5/\x0BM}~\xA3[\xC2l\x0FpuU\xA8\x5C\xAEY\x95\xF1" 400 157 "-" "-" "-"
I am suspecting its either compressed response or not being unencrypted, could anyone suggest next possible steps to debug this.
Atul Chadha
Sep 26, 2023, 5:48:37 AM9/26/23
to Wazuh | Mailing List
I messed up the config, i updated the config using stream module instead of http and it seems to be working. Sorry for the trouble !
Samson Olugbenga Idowu
Sep 26, 2023, 6:44:01 AM9/26/23
to Wazuh | Mailing List
Hello
Atul,
Thank you for choosing Wazuh.
Please confirm if this is working fine now and if you require further assistance, do not hesitate to request.
Thank you for choosing Wazuh.
Please confirm if this is working fine now and if you require further assistance, do not hesitate to request.
Atul Chadha
Sep 26, 2023, 6:49:44 AM9/26/23
to Wazuh | Mailing List
All good for now Samson!
Appreciate the support
Reply all
Reply to author
Forward
0 new messages