Wazuh Csross-Cluster Replication (Failover).
Emar Flix
I want to use load balancer in from of master nodes and only PR site get logs from agents and DR indexers get logs form PR indexers and keep replicate data. If any disaster happen I switch DR site as active site.
I cannot find oficial documentation from wazuh web site that how to implement that. Can anybody show me right way?
Olamilekan Abdullateef Ajani
Traffic Routing: For the agents to move between sites, you need a way to shift their traffic.
DNS Failover: You update the DNS record for your manager to point to Site B’s IP. Note: Agents will remain 'Locked' until the DNS TTL expires.
Global Load Balancing (GSLB): The most robust method. A single entry point uses health checks to automatically route traffic to the healthy site.
Site A (Primary): Priority 10 (Weight 100)
Site B (Standby): Priority 20 (Weight 0)
This would be done on the load balancer configuration for proper routing.
Data Protection
Ref:
https://docs.opensearch.org/latest/tuning-your-cluster/replication-plugin/getting-started/
To ensure Site B already has the data when a failover occurs, you use Cross-Cluster Replication (CCR) on the Wazuh Indexers (OpenSearch).
Site A (PR): Actively receiving and indexing logs.
Site B (DR): Pulling a read-only copy of those indices in real-time.
For failover, you must manually stop replication on Site B to make the indices writable so it can start accepting new logs.
Lastly, Authentication for Agents: (client.keys)
If the agents move to Site B but Site B doesn't have their keys, they will be rejected. So you must continuously synchronize the /var/ossec/etc/client.keys file from the Site A Master to the Site B Master (using a tool like rsync or lsyncd).
If you don't sync, you'll be forced to re-register all agents or restore that specific file from a backup before Site B will accept any connections.
https://www.carlstalhood.com/global-server-load-balancing-gslb-citrix-adc/
Olamilekan Abdullateef Ajani
does exactly what the OpenSearch documentation states: the follower index permanently detaches from the leader and becomes a normal writable index.
However, this action only affects the specified index. Any other indices will remain follower indices and must be stopped individually if you intend to fully promote the DR cluster.
Before declaring DR fully active, it is important to verify replication status across all wazuh-* indices using the replication plugin APIs.
The CCR as described in the opensearch documentation correctly handles replication mechanics, but cluster promotion remains an operational/manual responsibility.
That being said, DR is achieved by combining:
Routing / DNS strategy
Indexer data strategy
Clear promotion procedures
Regards,
Emar Flix
I did what you say and it works now, I shutdown PR cluster nodes from F5 and I can get agent logs to DR clusetr now.
Now I want to get back PR cluster as leader and make DR cluster follower again. How to do that properly?.
How I stop replication and delete auto-follow:
=======================================================================
DELETE /_plugins/_replication/_autofollow
{
"leader_alias" : "pr-cluster",
"name": "autofollow-wazuh-alerts"
}
GET _cluster/health?pretty
GET _cat/indices/wazuh-*?h=index
POST /_plugins{}/_replication/wazuh-archives-4.x-2026.02.19/_stop
=======================================================================
Olamilekan Abdullateef Ajani
When bringing the PR cluster back, you need to treat the DR cluster as the authoritative data source, which is exactly the inverse of the previous action leading here with PR as the authoritative source.
First, ensure the PR cluster is healthy, remove any stale Wazuh indices from the PR environment, reconfigure CCR with the DR cluster acting as the leader and the PR cluster as the follower, and then allow the indices to fully initialize and replicate.
Ref:
https://docs.opensearch.org/latest/tuning-your-cluster/replication-plugin/getting-started/