Multiple Wazuh and Opensearch nodes connected to one Dashboard


عبدالعزيز بن حلوان

Aug 10, 2023, 8:18:05 PM
to Wazuh mailing list
Hello Everyone,

I was wondering if this is possible. Currently I have multiple clients, and I have dedicated to each client a server with specifications based on the client's environment sizing. However, I want to monitor them from one dashboard without clustering the DBs, for multiple reasons:

- If a client exceeds his cloud resource limit, some terms will be applied
- Each client has a different retention and archival period for logs
- Data will be shared between the OpenSearch DBs if they are clustered, and this is not wanted

Each client will have a server that contains the below components:
- Wazuh Server (could be clustered)
- OpenSearch DB (can't be clustered)
- Filebeat

This is similar to an all-in-one deployment; the difference is that there will be a centralized dashboard connected to multiple data sources that are not clustered.

Kindly let me know if this is possible; also, if there is any documentation, I will be thankful.


Thanks

Bin Do Tuan Anh

Aug 11, 2023, 12:38:06 PM
to Wazuh mailing list
Hi, 

In your case you will need to have it this way (assuming you have 3 clients, even though the number of clients does not matter):
- Env 1 with Wazuh Manager, Wazuh Indexer and Wazuh Dashboard
- Env 2 with the same components
- Env 3 with the same components

And at the same time you need to create a separate environment, the cross-cluster one (I will call it Env 4).

So this way the Wazuh Dashboard from, for example, Env 1 would be able to see only the data from that environment. But Env 4 will be able to look for the information from all the environments: Env 1, Env 2, Env 3.

Please let me know if this approach would work for you.

You can find more details about cross-cluster search here: https://opensearch.org/docs/latest/security/access-control/cross-cluster-search/

Best regards,
Bin. 
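
The cross-cluster layout described in the reply above, as an added example that is not part of the thread or of Wazuh's own tooling: it builds the remote-cluster settings for Env 4, the index expressions for an all-client and a single-client view, and the read role each client cluster needs. The aliases, hostnames and helper names are assumptions; the setting and permission names follow the OpenSearch cross-cluster search documentation linked in the reply.

```python
import json

# Constructed inventory: remote alias -> transport-port seeds of that client's
# indexer. Hostnames are placeholders, not values from the thread.
CLIENTS = {
    "env1": ["indexer.env1.example:9300"],
    "env2": ["indexer.env2.example:9300"],
    "env3": ["indexer.env3.example:9300"],
}
ALERTS = "wazuh-alerts-*"  # Wazuh's default alerts index pattern


def remote_settings(clients):
    """Body for PUT _cluster/settings on the Env 4 (cross-cluster) indexer."""
    for alias in clients:
        if not alias or any(c in alias for c in ":,* "):
            raise ValueError(f"invalid remote alias: {alias!r}")
    remotes = {alias: {"seeds": list(seeds)} for alias, seeds in clients.items()}
    return {"persistent": {"cluster.remote": remotes}}


def index_expression(clients, only=None):
    """What Env 4 searches: every client, or a single client's data."""
    if only is not None and only not in clients:
        raise KeyError(only)
    aliases = [only] if only else sorted(clients)
    return ",".join(f"{alias}:{ALERTS}" for alias in aliases)


def remote_read_role():
    """Role body to create on each client cluster; permissions for a
    cross-cluster request are evaluated there, not on Env 4."""
    return {"index_permissions": [{
        "index_patterns": [ALERTS],
        "allowed_actions": ["read", "indices:admin/shards/search_shards"],
    }]}


if __name__ == "__main__":
    print(json.dumps(remote_settings(CLIENTS), indent=2))
    print(index_expression(CLIENTS))            # pattern for the Env 4 dashboard
    print(index_expression(CLIENTS, "env2"))    # pattern for an env2-only view
    print(json.dumps(remote_read_role(), indent=2))
```

Because each client's indexer stays a separate cluster, retention and sizing remain per client, and an Env 4 user mapped to the read role on only one client cluster can search only that client's alias.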