Configuation Help - ossec.conf in Clluster Mode

[Khul Sat]

Greetings!

This could be very basic and lame doubt but stil…
I always get confused while making configuration changes in ossec.conf file. I have two wazuh-managers in master worker fashion.

1. What all are the settings which if I make in master, would get replicated in worker and which are the ones will not?
2. Referring to configuring-syslog-on-the-wazuh-server document, should I be adding <remote> block in just master or both?
3. Similarly if I want to configure s3-wodle, should i be adding it to a single node or both?

What are the changes of data duplication in such scenario or how the redundancy can be achieved?

Your help is highly appreciated.
Thanks,KS

​

[Manuel Jose Cano Rojo]

Hello Khul Sat,

The answers to your questions can be found on this documentation page. As you can read, the master node does not share its configuration with the rest of the workers. Summarizing, you need to manually set the configuration in both nodes to make it work as expected.

Hope it helps!

Manuel.

[Khul Sat]

Thank you Manuel!

About When rules, decoders, or CDB lists are synchronized, the worker nodes are not restarted. They must be restarted manually in order to apply the received configuration. :
Does that mean rules, decoders & CDB lists are automatically synchronized but manual service restart is required for effect to take place?

Apologies if I am being dumb.
thanks,ks

​

[Khul Sat]

Hello Team,

Please help me with this. Also I am still unclear about the `<remote>` block and `s3-wodle` block. If I add same block to the master and worker both, are there chances of duplicate logs?

Thanks,kS

[Manuel Jose Cano Rojo]

Hi Khul Sat,

I'm sorry for not getting back to you sooner. Regarding your questions:

1. Yes, when the rules, decoders, and CDB list are synchronized, workers nodes need to be restarted to let them consider the synchronized changes.

2. As long as the `<remote>` block and `s3-wodle` block are exactly the same, both nodes, master and worker, will be processing the same events for your case.

Let me know if I can give you further help!

Regards.

[Khul Sat]

Thanks!
So if we put same blocks w.r.t. remote and s3-wodle on all the managers, storage consumption would be double as the same events will be process on all the managers. To void this, if I put these blocks on one of the managers, and that specific manager goes down, we won’t have redundancy.
Hope my understanding is right. If yes, do we have any work-around for this?

Regards,KS

​

[Manuel Jose Cano Rojo]

Hello Khul Sat,

The nodes do not synchronize alerts to check that they are not duplicated, and I'm afraid there is not a native workaround to deal with this situation. You should add this configuration only in one node to avoid this scenario.

Regards,

Manuel.

[Manuel Jose Cano Rojo]

Hello Khul Sat,

The nodes do not synchronize alerts to check that they are not duplicated, and I'm afraid there is not a native workaround to deal with this situation. You should add this configuration only in one node to avoid this scenario.

Regards,

Manuel.

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e0400b6e-a6e5-426f-84c4-5b7d6fc7e856n%40googlegroups.com.