Configuring Wazuh indexer replicas


Dmitriy

Nov 1, 2024, 2:29:27 PM
to Wazuh | Mailing List

Hello Wazuh team!

First of all, thank you for a great tool.

I have Wazuh 4.8 installed with 2 indexer nodes. I am trying to reduce index replicas from 1 to 0, because replica indexes take up a lot of disk space (screenshot 1).

I configured wazuh-template.json (screenshot 2). And if I execute:

curl "https://<INDEXER_IP_ADDRESS>:9200/_template/wazuh-custom?pretty&filter_path=wazuh-custom.settings" -k -u <INDEXER_USERNAME>:<INDEXER_PASSWORD>

it looks fine (screenshot 3).

I also tried to execute this:

curl -k -u "<INDEXER_USERNAME>:<INDEXER_PASSWORD>" -XPUT "https://<INDEXER_IP_ADDRESS>:9200/wazuh-alerts-" -H 'Content-Type: application/json' -d'
{
  "settings": {
    "index": {
      "number_of_replicas": 0
    }
  }
}'

But I got the following error (screenshot 4).

You can see from screenshots 2 and 3 that it looks like everything is set up correctly. But in screenshot 1 you can see that new indexes are still created with 1 replica.

Could you please help me? How can I reduce the number of replicas?


Thank you.


Javier Medeot

Nov 1, 2024, 4:23:28 PM
to Wazuh | Mailing List
Hi Dmitriy.

Edit /etc/filebeat/wazuh-template.json and update with these settings:

    "index.number_of_replicas": "0",
    "index.auto_expand_replicas": "false",

Run filebeat setup --index-management to apply the changes to new indices.

To update your current indices try this command:

curl -k -u "<INDEXER_USERNAME>:<INDEXER_PASSWORD>" -XPUT "https://<INDEXER_IP_ADDRESS>:9200/wazuh-alerts-*/_settings" -H 'Content-Type: application/json' -d'
{
  "index": {
    "number_of_replicas": 0,
    "auto_expand_replicas": "false"
  }
}'

Let me know how it goes. Thank you.

Dmitriy

Nov 8, 2024, 2:52:54 AM
to Wazuh | Mailing List
Hello Javier.

I was able to reduce the number of replicas from 0 to 1 in already existing indexes using your advice, thank you very much.

But for new indexes replicas are also created, even though I did everything according to your instructions.

On Friday, November 1, 2024 at 23:23:28 UTC+3, Javier Medeot wrote:

Javier Medeot

Nov 8, 2024, 3:44:07 PM
to Wazuh | Mailing List
Hi Dmitriy.

Let's check the output of these Wazuh indexer API calls:
  • GET _template?pretty&filter_path=*.settings.index.number_of_replicas,*.settings.index.auto_expand_replicas
  • GET <NEW_ALERT_INDEX>/_settings?pretty&filter_path=*.settings.index.number_of_replicas,*.settings.index.auto_expand_replicas
Where <NEW_ALERT_INDEX> is the name of any new alert created after applying the configuration, for example wazuh-alerts-4.x-2024.11.08. These commands print the number of replicas in the template and in the index. Please share the results. Thank you.

Javier
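
The template-versus-index comparison requested in the last message, as an added example that is not part of the thread or Wazuh's own code: it takes the full `GET _template` output (without `filter_path`, so `order` and `index_patterns` are present) and an index's `_settings` output, and reports which legacy template supplies each replica setting when several templates match the index. Both JSON samples and the function names are constructed for illustration, and only legacy `_template` entries are considered.

```python
import fnmatch

# Constructed sample of a full `GET _template` response; values are not from the thread.
TEMPLATES = {
    "wazuh": {
        "order": 0,
        "index_patterns": ["wazuh-alerts-4.x-*", "wazuh-archives-4.x-*"],
        "settings": {"index": {"number_of_replicas": "0", "auto_expand_replicas": "false"}},
    },
    "wazuh-custom": {
        "order": 1,
        "index_patterns": ["wazuh-alerts-*"],
        "settings": {"index": {"number_of_replicas": "1"}},
    },
}
# Constructed sample of `GET wazuh-alerts-4.x-2024.11.08/_settings`.
INDEX_SETTINGS = {"wazuh-alerts-4.x-2024.11.08": {
    "settings": {"index": {"number_of_replicas": "1", "auto_expand_replicas": "false"}}}}
KEYS = ("number_of_replicas", "auto_expand_replicas")

def winning_templates(templates, index_name):
    """Merge legacy templates whose patterns match index_name; higher 'order' wins per key."""
    matching = [
        (body.get("order", 0), name, body.get("settings", {}).get("index", {}))
        for name, body in templates.items()
        if any(fnmatch.fnmatchcase(index_name, p) for p in body.get("index_patterns", []))
    ]
    winners = {}
    # Ascending order, so higher-order templates overwrite; name only breaks ties stably.
    for order, name, index_block in sorted(matching, key=lambda m: m[:2]):
        for key in KEYS:
            if key in index_block:
                winners[key] = {"template": name, "order": order, "value": str(index_block[key])}
    return winners

def explain(templates, index_settings):
    """For each index, pair the template-derived value with what the index actually has."""
    report = {}
    for index_name, body in index_settings.items():
        actual = body.get("settings", {}).get("index", {})
        report[index_name] = {
            key: dict(win, index_value=str(actual.get(key)),
                      matches=win["value"] == str(actual.get(key)))
            for key, win in winning_templates(templates, index_name).items()
        }
    return report

if __name__ == "__main__":
    print(explain(TEMPLATES, INDEX_SETTINGS))
```

With the constructed data, the index's single replica traces back to the order-1 template rather than the order-0 one, which is the kind of mismatch the two GET calls are meant to expose.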