Wazuh distributed deployment


Boubacary DIALLO

Sep 14, 2023, 6:54:26 AM
to Wazuh | Mailing List
Hello Wazuh community, I ask for your help on this point:
I have a Wazuh server which I installed using the quick start; this assumes that all the components are on a single server (manager, indexer and dashboard). So I wanted to make this installation a cluster by adding a node for the manager and a node for the indexer, but I don't know how to proceed. Also, I don't see the ./config.yml file to add the node. Can anyone help me with links or explanations?

Rolly Davany Mougoue Kakanou

Sep 14, 2023, 8:13:40 AM
to Wazuh | Mailing List
Hello Boubacary, and thanks for using Wazuh.

Changing your infrastructure from an all-in-one deployment to a distributed one will require the following steps:

NOTE: I assume here that the new nodes are already installed, and will focus on the configuration for cluster mode. Also, documentation on this is currently being written and will be published soon.

Adding an Indexer Node:

1. Create a config.yml file in the root directory of the existing node to add the new indexer node(s):
Run the following command to ensure you’re in the root directory:
# cd

Then create the config.yml file with its content as follows:
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: <WAZUH-INDEXER1-NODE-NAME>
      ip: <WAZUH-INDEXER1-IP>
    - name: <WAZUH-INDEXER2-NODE-NAME>
      ip: <WAZUH-INDEXER2-IP>

  # Wazuh server nodes
  server:
    - name: <WAZUH-SERVER-NODE-NAME>
      ip: <WAZUH-SERVER-IP>

  # Wazuh dashboard nodes
  dashboard:
    - name: <WAZUH-DASHBOARD-NODE-NAME>
      ip: <WAZUH-DASHBOARD-IP>


Replace the values with your node names and their corresponding IP addresses.

2. Download and run ./wazuh-certs-tool.sh to recreate the certificates for the old and new nodes:
# curl -sO https://packages.wazuh.com/4.5/wazuh-certs-tool.sh
# bash wazuh-certs-tool.sh -A


3. Compress the certificates folder and copy it to the new node(s). You can make use of the scp utility for easy and secure copying of the compressed file:
# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
# rm -rf ./wazuh-certificates
# scp wazuh-certificates.tar <target-username>@<target-IP>:


4. Create a file, e.g., env_variables.sh, in the root directory of the existing node where you define your environmental variables as follows:
export NODE_NAME1=<WAZUH-INDEXER-NODE-NAME>
export NODE_NAME2=<WAZUH-SERVER-NODE-NAME>
export NODE_NAME3=<WAZUH-DASHBOARD-NODE-NAME>


Replace <WAZUH-INDEXER-NODE-NAME>, <WAZUH-SERVER-NODE-NAME>, <WAZUH-DASHBOARD-NODE-NAME> respectively with the names of the Wazuh indexer, Wazuh server and Wazuh dashboard nodes as defined in config.yml.

5. Create a deploy-certificates.sh script in the root directory and copy the following:
#!/bin/bash

# Source the environmental variables from the external file
source ~/env_variables.sh

rm -rf /etc/wazuh-indexer/certs
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME1.pem ./$NODE_NAME1-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME1.pem /etc/wazuh-indexer/certs/wazuh-indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME1-key.pem /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

rm -rf /etc/filebeat/certs
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME2.pem ./$NODE_NAME2-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME2.pem /etc/filebeat/certs/wazuh-server.pem
mv -n /etc/filebeat/certs/$NODE_NAME2-key.pem /etc/filebeat/certs/wazuh-server-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

rm -rf /etc/wazuh-dashboard/certs
mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME3.pem ./$NODE_NAME3-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME3.pem /etc/wazuh-dashboard/certs/wazuh-dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME3-key.pem /etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

Then deploy the certificates by executing the following command:
# bash ./deploy-certificates.sh

This deploys the SSL certificates to encrypt communications between the Wazuh central components.

6. Download the Wazuh password management tool and run it to generate and change passwords for all the Wazuh indexer users. The script will also automatically update the passwords where necessary.
# curl -so wazuh-passwords-tool.sh https://packages.wazuh.com/4.5/wazuh-passwords-tool.sh
# bash wazuh-passwords-tool.sh -a


Save the admin password, as it will be useful later to connect to the Wazuh dashboard.

7. Edit the indexer configuration file at /etc/wazuh-indexer/opensearch.yml on both the new and old nodes to include the different indexers as follows. Uncomment or add more lines, according to your config.yml definitions:
network.host: "<WAZUH-INDEXER1-IP>"
node.name: "<WAZUH-INDEXER1-NODE-NAME>"
# initial_master_nodes is matched against node.name, so it lists node names, not IPs
cluster.initial_master_nodes:
  - "<WAZUH-INDEXER1-NODE-NAME>"
  - "<WAZUH-INDEXER2-NODE-NAME>"
cluster.name: "wazuh-cluster"
# seed_hosts are transport addresses, so it lists IPs
discovery.seed_hosts:
  - "<WAZUH-INDEXER1-IP>"
  - "<WAZUH-INDEXER2-IP>"
# one entry per indexer node; the CN is the node name used in config.yml when the certificates were regenerated
plugins.security.nodes_dn:
  - "CN=<WAZUH-INDEXER1-NODE-NAME>,OU=Wazuh,O=Wazuh,L=California,C=US"
  - "CN=<WAZUH-INDEXER2-NODE-NAME>,OU=Wazuh,O=Wazuh,L=California,C=US"


8. Edit the filebeat configuration file /etc/filebeat/filebeat.yml to add the new indexer node(s). Uncomment or add more lines, according to your config.yml definitions:
output.elasticsearch.hosts:
        - <WAZUH-INDEXER1-IP>:9200
        - <WAZUH-INDEXER2-IP>:9200
output.elasticsearch:
  protocol: https
  username: ${username}
  password: ${password}


Confirm the configuration works by running the command below:
# filebeat test output

Edit the Wazuh dashboard configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml to include the new Wazuh indexer node(s):
opensearch.hosts: ["https://<WAZUH-INDEXER1-IP>:9200", "https://<WAZUH-INDEXER2-IP>:9200"]

Restart the services:
# systemctl restart wazuh-indexer
# systemctl restart filebeat
# systemctl restart wazuh-manager
# systemctl restart wazuh-dashboard


Run the Wazuh indexer indexer-security-init.sh script on any Wazuh indexer node to load the new certificates information and start the single-node or multi-node cluster:
/usr/share/wazuh-indexer/bin/indexer-security-init.sh

The output should display the number of indexer nodes present in your cluster.
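The settings in steps 7 and 8 and the dashboard edit are all derived from the same node list, and the reply above shows how easy it is to mix up which of them take node names and which take IP addresses. The script below is an added example, not code from the Wazuh project or from the reply's author: it takes a constructed stand-in for config.yml (a plain dict, so no YAML library is needed; the node names and addresses are made up), renders the opensearch.yml fragment for one indexer, the Filebeat and dashboard host lists, and reports which nodes_dn entries an existing opensearch.yml still lacks. It assumes the certificate subjects issued by wazuh-certs-tool.sh have the form CN=<node name>,OU=Wazuh,O=Wazuh,L=California,C=US.

```python
"""
Derive, from one node list, the indexer-side settings that steps 7 and 8 and
the dashboard edit above must agree on, and flag a stale nodes_dn entry.

Added example, not code from the Wazuh project or the original post. NODES is
a constructed stand-in for config.yml (a plain dict, so no YAML library is
needed); the node names and IP addresses are made up. The DN pattern assumes
certificates issued by wazuh-certs-tool.sh, whose subjects have the form
CN=<node name>,OU=Wazuh,O=Wazuh,L=California,C=US.
"""
import ipaddress

# Constructed stand-in for config.yml: two indexers, one server, one dashboard.
NODES = {
    "indexer": [
        {"name": "indexer-1", "ip": "10.0.0.1"},
        {"name": "indexer-2", "ip": "10.0.0.2"},
    ],
    "server": [{"name": "server-1", "ip": "10.0.0.10"}],
    "dashboard": [{"name": "dashboard-1", "ip": "10.0.0.20"}],
}

# Subject suffix wazuh-certs-tool.sh puts on every certificate it issues.
DN_SUFFIX = "OU=Wazuh,O=Wazuh,L=California,C=US"


def node_dn(name):
    """Subject DN of the certificate the certs tool issues for a node."""
    return f"CN={name},{DN_SUFFIX}"


def validate(nodes):
    """Raise ValueError for a node list that would break discovery or TLS node auth."""
    if not nodes.get("indexer"):
        raise ValueError("config.yml needs at least one indexer node")
    seen = set()
    for role, entries in nodes.items():
        for entry in entries:
            # The name becomes both the certificate CN and node.name, so a
            # duplicate makes nodes_dn and initial_master_nodes ambiguous.
            if entry["name"] in seen:
                raise ValueError(f"duplicate node name {entry['name']!r} ({role})")
            seen.add(entry["name"])
            ipaddress.ip_address(entry["ip"])  # ValueError if not an address
    return True


def opensearch_yml(nodes, this_node):
    """Step 7: the opensearch.yml fragment for one indexer node."""
    validate(nodes)
    indexers = nodes["indexer"]
    mine = [e for e in indexers if e["name"] == this_node]
    if not mine:
        raise ValueError(f"{this_node!r} is not an indexer node in config.yml")
    me = mine[0]
    lines = [f'network.host: "{me["ip"]}"', f'node.name: "{me["name"]}"']
    # initial_master_nodes is matched against node.name, so it lists names ...
    lines.append("cluster.initial_master_nodes:")
    lines += [f'  - "{e["name"]}"' for e in indexers]
    lines.append('cluster.name: "wazuh-cluster"')
    # ... while seed_hosts are transport addresses, so it lists IPs.
    lines.append("discovery.seed_hosts:")
    lines += [f'  - "{e["ip"]}"' for e in indexers]
    # Every peer's certificate subject must appear here, or inter-node TLS
    # connections from that peer are rejected.
    lines.append("plugins.security.nodes_dn:")
    lines += [f'  - "{node_dn(e["name"])}"' for e in indexers]
    return "\n".join(lines) + "\n"


def missing_nodes_dn(existing_dns, nodes):
    """DNs that an existing opensearch.yml still lacks.

    An existing node may still list the CN of its previous certificate (step 7
    above shows CN=indexer); after wazuh-certs-tool.sh -A has reissued the
    certificates under the names in config.yml, that entry matches no peer and
    the new names must be added.
    """
    wanted = [node_dn(e["name"]) for e in nodes["indexer"]]
    return [dn for dn in wanted if dn not in existing_dns]


def filebeat_hosts(nodes):
    """Step 8: output.elasticsearch.hosts entries (host:port, no scheme)."""
    return [f'{e["ip"]}:9200' for e in nodes["indexer"]]


def dashboard_hosts(nodes):
    """opensearch_dashboards.yml: opensearch.hosts entries (scheme required)."""
    return [f'https://{e["ip"]}:9200' for e in nodes["indexer"]]


if __name__ == "__main__":
    print(opensearch_yml(NODES, "indexer-1"))
    print("filebeat hosts:", filebeat_hosts(NODES))
    print("dashboard hosts:", dashboard_hosts(NODES))
    print("nodes_dn to add:", missing_nodes_dn([node_dn("indexer")], NODES))
```

Run it once per indexer node, changing the name passed to opensearch_yml, and compare the nodes_dn it prints with what the existing node's opensearch.yml contains; an entry carrying an old CN is harmless to leave in place, but a missing entry for a peer stops that peer from joining over TLS.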

Rolly Davany Mougoue Kakanou

Sep 14, 2023, 9:06:22 AM
to Wazuh | Mailing List
Adding a Server Node:
1. Create a config.yml file in the root directory of the existing node to add the new Wazuh server node(s):

Run the following command to ensure you’re in the root directory:
# cd

Then create the config.yml file with its content as follows:
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: <WAZUH-INDEXER-NODE-NAME>
      ip: <WAZUH-INDEXER-IP>


  # Wazuh server nodes
  server:
    - name: <WAZUH-SERVER1-NODE-NAME>
      ip: <WAZUH-SERVER1-IP>
      node_type: master
    - name: <WAZUH-SERVER2-NODE-NAME>
      ip: <WAZUH-SERVER2-IP>
      node_type: worker


  # Wazuh dashboard nodes
  dashboard:
    - name: <WAZUH-DASHBOARD-NODE-NAME>
      ip: <WAZUH-DASHBOARD-IP>

Replace the node names and IP values with your new node names and IP addresses.

2. Follow the same steps as above, from 2 to 6 inclusive.

3. Generate an encryption key which will be used to encrypt communication between the cluster nodes:
# openssl rand -hex 16

4. Edit the Wazuh server configuration file at /var/ossec/etc/ossec.conf on the existing node to define the node type:
  <cluster>
    <name>wazuh</name>
    <node_name><WAZUH-SERVER1-NODE-NAME></node_name>
    <node_type>master</node_type>
    <key><ENCRYPTION-KEY></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node><MASTER-NODE-IP></node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>

5. Edit the Wazuh indexer configuration file at /etc/wazuh-indexer/opensearch.yml to specify the indexer’s IP as mentioned in config.yml file:

network.host: "<WAZUH-INDEXER-IP>"
node.name: "<WAZUH-INDEXER-NODE-NAME>"
cluster.initial_master_nodes:
- "<WAZUH-INDEXER-NODE-NAME>"


Edit the filebeat configuration file /etc/filebeat/filebeat.yml to specify the indexer’s IP:
output.elasticsearch.hosts:
        - <WAZUH-INDEXER-IP>:9200


Edit the configuration file  /etc/wazuh-dashboard/opensearch_dashboards.yml to include the indexer node’s IP:
opensearch.hosts: https://<WAZUH-INDEXER-IP>:9200

Edit the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file and replace the url value with the IP address or hostname of the Wazuh server master node:
hosts:
  - default:
      url: https://<WAZUH-SERVER1-IP>
      port: 55000
      username: wazuh-wui
      password: <WAZUH-WUI-PASSWORD>
      run_as: false


6. Finally, restart the Wazuh services.


# systemctl restart wazuh-indexer
# systemctl restart filebeat
# systemctl restart wazuh-manager
# systemctl restart wazuh-dashboard


7. Follow the instructions here to configure your new manager node to join the cluster. Then run the following command to test your cluster:

# /var/ossec/bin/cluster_control -l
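Steps 3 and 4 above give the master's <cluster> block; the worker needs the same block with node_type worker, the same name and key, and the master's address under <nodes>, and any mismatch only shows up after both managers restart. The script below is an added example, not code from the Wazuh project or from the reply's author: it renders the block for either node type and cross-checks a master/worker pair for the mismatches that would keep the worker out of the cluster. The node names and addresses are constructed, the key comes from secrets.token_hex(16) (the same 32-hex-character form as `openssl rand -hex 16`), and only the <cluster> element is parsed, not a whole ossec.conf.

```python
"""
Build and cross-check the <cluster> block of /var/ossec/etc/ossec.conf for a
master/worker pair (steps 3 and 4 above) before restarting wazuh-manager.

Added example, not code from the Wazuh project or the original post. The node
names and IP addresses are constructed. The key comes from secrets.token_hex(16),
which has the same 32-hex-character form as the output of `openssl rand -hex 16`;
the same value must go into every node's block. Only the <cluster> element is
parsed here, not a whole ossec.conf.
"""
import re
import secrets
import xml.etree.ElementTree as ET

KEY_RE = re.compile(r"[0-9a-f]{32}")
NODE_TYPES = ("master", "worker")


def generate_key():
    """Shared cluster key: 16 random bytes as hex, like `openssl rand -hex 16`."""
    return secrets.token_hex(16)


def cluster_block(node_name, node_type, key, master_ip, cluster_name="wazuh"):
    """Render the <cluster> block for one manager node."""
    if node_type not in NODE_TYPES:
        raise ValueError(f"node_type must be one of {NODE_TYPES}")
    if not KEY_RE.fullmatch(key):
        raise ValueError("key must be 32 hex characters (openssl rand -hex 16)")
    # As in the block above, master and worker both list the master's address
    # under <nodes>; the worker uses it to connect.
    return (
        "<cluster>\n"
        f"  <name>{cluster_name}</name>\n"
        f"  <node_name>{node_name}</node_name>\n"
        f"  <node_type>{node_type}</node_type>\n"
        f"  <key>{key}</key>\n"
        "  <port>1516</port>\n"
        "  <bind_addr>0.0.0.0</bind_addr>\n"
        "  <nodes>\n"
        f"    <node>{master_ip}</node>\n"
        "  </nodes>\n"
        "  <hidden>no</hidden>\n"
        "  <disabled>no</disabled>\n"
        "</cluster>\n"
    )


def parse_cluster(xml_text):
    """Parse a <cluster> element into a dict; <nodes> becomes a list of addresses."""
    root = ET.fromstring(xml_text)
    if root.tag != "cluster":
        raise ValueError("expected a <cluster> element")
    fields = {"nodes": []}
    for child in root:
        if child.tag == "nodes":
            fields["nodes"] = [(n.text or "").strip() for n in child]
        else:
            fields[child.tag] = (child.text or "").strip()
    return fields


def check_pair(master_xml, worker_xml):
    """Return the mismatches that would keep the worker from joining the master."""
    m, w = parse_cluster(master_xml), parse_cluster(worker_xml)
    problems = []
    if m.get("node_type") != "master":
        problems.append("first block is not node_type master")
    if w.get("node_type") != "worker":
        problems.append("second block is not node_type worker")
    if m.get("name") != w.get("name"):
        problems.append("cluster name differs")
    if m.get("key") != w.get("key"):
        problems.append("key differs")
    elif not KEY_RE.fullmatch(m.get("key", "")):
        problems.append("key is not 32 hex characters")
    if m.get("node_name") == w.get("node_name"):
        problems.append("node_name is not unique")
    if m.get("port") != w.get("port"):
        problems.append("port differs")
    for label, node in (("master", m), ("worker", w)):
        if node.get("disabled") != "no":
            problems.append(f"{label} block has disabled != no")
    if not w["nodes"] or w["nodes"] != m["nodes"]:
        problems.append("worker <nodes> does not point at the master address")
    return problems


if __name__ == "__main__":
    key = generate_key()
    master = cluster_block("server-1", "master", key, "10.0.0.10")
    worker = cluster_block("server-2", "worker", key, "10.0.0.10")
    print(master)
    print(worker)
    print("problems:", check_pair(master, worker))
```

Paste the two rendered blocks into the respective ossec.conf files, restart wazuh-manager on both nodes, and confirm with `/var/ossec/bin/cluster_control -l` that the worker is listed; an empty problems list from check_pair is the precondition, not the proof, since the key and port must also be reachable through any firewall between the nodes.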