Wazuh: Nginx Load Balancer

Unknown

Nov 9, 2022, 3:27:57 AM
to Wazuh mailing list
Hi all,

We're using Nginx to load balance our Wazuh multi-node cluster. Our setup is working as expected for agent enrollment and for the devices where we can install the Wazuh agent as per the document (NGINX Load balancer for a Wazuh cluster, Wazuh documentation).

Now the issue is with agentless syslog collection (e.g. firewalls). Using the above setup we're successfully receiving the logs, but we're unable to separate the logs of different firewalls, as the source IP of all the logs is that of the load balancer (Nginx).
use_source_ip is already 'NO'.

Kindly help us configure either the proxy to send the agent's source IP, or the manager to recognize the agent's source IP instead of the proxy's.

Regards,
Pradeep

Gabriel Emanuel Valenzuela

Nov 9, 2022, 11:42:15 AM
to Wazuh mailing list
Hi Pradeep! How are you?

I think there is a wrong configuration here. Agentless is a manager module, used to monitor devices or systems with no agent via SSH, such as routers, firewalls, switches, and Linux/BSD systems.

There is an XML section with the same name used to configure some aspects of the module. I think the part you need to configure is the host, which defines the username and the name of the agentless host. You can use the hostname instead of the IP address and filter your logs.
Here you have an example:

<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>300</frequency>
  <host>ad...@192.168.1.108</host>
  <state>periodic_diff</state>
  <arguments>/etc /usr/bin /usr/sbin</arguments>
</agentless>

You can find more information in our documentation, here and here.

If you need anything more, please don't hesitate to ask. We're here to help :)

Have a nice day!

Unknown

Nov 9, 2022, 8:03:40 PM
to Gabriel Emanuel Valenzuela, Wazuh mailing list
Hi Gabriel,

I'm doing good, how are you?

Actually, for importing the logs we're using the remote config method to send syslog to the Wazuh manager on TCP 514 (the load balancer in our case) from the network firewalls.

In the allowed IPs we're putting the load balancer's IP to allow the logs, as all the logs we're receiving have the Nginx IP as source IP.
And this is the main issue for us.

The configuration we received in the previous mail was for an HTTP connection. Now, there must be some configuration to forward the source IP from the load balancer for a TCP reverse proxy.

Thanks,
Pradeep


Aman Choudhary

Nov 10, 2022, 12:31:10 AM
to Unknown, Gabriel Emanuel Valenzuela, Wazuh mailing list
Hi Team,

Thank you for your quick reply.

Let me rephrase the question. We are capturing logs from syslog/network devices in our Wazuh. It was working fine when we were ingesting via the master node, but for load balancing we introduced Nginx as a reverse proxy (is Nginx the right way to introduce a reverse proxy and load balancer to the Wazuh cluster, or should we use another technology like HAProxy?). After that the source IP changed to Nginx's proxy IP, creating an issue in the segregation of logs.

Our question is: is there any way we can retain the original IP of the network device/rsyslog etc. while listening/ingesting logs on port 514?

Thanks in advance.
Aman Choudhary

Gabriel Emanuel Valenzuela

Nov 10, 2022, 6:18:35 AM
to Wazuh mailing list
Hi Pradeep and Aman! I hope you are well.

Great! Thanks for clarifying the question :)

I think you should use the LB that fits your needs; Nginx, HAProxy, etc. are good choices.

This issue is more related to the Nginx configuration than to the Wazuh configuration.
To fix it, you need to install http_realip_module (--with-http_realip_module). Then we need to tell the reverse proxy to pass information to the backend Nginx server.
  • We can add those lines as a global configuration or per location:

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;  # $scheme is a built-in variable; $proxy_x_forwarded_proto only exists if you define it with a map block


And use a log format like

log_format specialLog '$remote_addr forwarded for $http_x_real_ip - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent"';

In some cases you will need to add this configuration:

set_real_ip_from x.x.x.x/x; # Ip/network of the reverse proxy (or ip received into REMOTE_ADDR)
real_ip_header X-Forwarded-For;

You can find more information here, here and here.

If you need anything more, please let us know :)

Adam Pielak

Nov 11, 2022, 5:06:02 PM
to Unknown, Wazuh mailing list
Add this configuration to Nginx:

location / {
    proxy_pass http://127.0.0.1:514;
    proxy_http_version 1.1;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;
}
And add this processor to the Filebeat pipeline.json ingest processors:
{
    "set": {
        "description": "For relayed syslog events, rename agent.name to name of original syslog sender",
        "field": "agent.name",
        "value": "{{predecoder.hostname}}",
        "if": "ctx.location == '/var/log/syslogwaz'"
    }
},
You can change ctx.location to src.ip, your firewall or hostname, etc.
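The rename above works because a device relayed through a TCP proxy still writes its own HOSTNAME into the RFC 3164 syslog header, even though the peer address the manager sees is the proxy's. This added example (not from the thread or from Wazuh/Filebeat) reproduces that logic in Python over constructed sample lines: the proxy address, sample events and the event dict layout are assumptions.

```python
import re
from collections import Counter

# Constructed: what the manager's listener sees behind the proxy. All lines
# arrive from one peer (the hypothetical load balancer address below).
PROXY_IP = "10.0.0.5"
SAMPLE_LINES = [
    "<134>Feb  6 11:43:30 fw-branch-01 filterlog: 5,,,igb0,match,block,in,4",
    "<134>Feb  6 11:43:31 fw-hq-core kernel: [UFW BLOCK] IN=eth0 SRC=203.0.113.9",
    "<13>Feb  6 11:43:32 fw-branch-01 sshd[1234]: Accepted publickey for admin",
    "garbage line without a syslog header",
]

# RFC 3164: <PRI>TIMESTAMP HOSTNAME MSG  (day may be space-padded, e.g. "Feb  6")
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^ ]+) "
    r"(?P<msg>.*)$"
)

def predecode(line, peer_ip):
    """Build a minimal event. 'location' is the peer the line came from
    (the proxy here); 'predecoder.hostname' is what the device itself wrote."""
    event = {"location": peer_ip, "agent": {"name": peer_ip},
             "predecoder": {"hostname": None}}
    m = RFC3164.match(line)
    if not m:
        return event            # unparseable line keeps the peer as its name
    pri = int(m["pri"])
    event["predecoder"] = {"hostname": m["host"],
                           "facility": pri >> 3, "severity": pri & 7}
    event["message"] = m["msg"]
    return event

def set_agent_name(event, location):
    """Same effect as the 'set' processor: only for events that came in via
    the given location, rename agent.name to the original syslog sender."""
    host = event["predecoder"].get("hostname")
    if event["location"] == location and host:
        event["agent"]["name"] = host
    return event

def segregate(lines, peer_ip=PROXY_IP):
    """Count events per original sender after the rename, which is the
    per-firewall separation the peer address alone could not give."""
    events = [set_agent_name(predecode(l, peer_ip), peer_ip) for l in lines]
    return Counter(e["agent"]["name"] for e in events)
```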



unknown

Nov 17, 2022, 2:22:04 AM
to Wazuh mailing list, Gabriel Emanuel Valenzuela
Hi Gabriel,

We tried the http_realip_module on our Nginx load balancer, but we are still facing the same problem.

As you may know, we have configured the agentless proxy in the Nginx upstream like:
stream {
    upstream wazuh_master_agentless {
        server <wazuh-server-ip>:514;
    }
    server {
        listen 514;
        proxy_pass wazuh_master_agentless;
    }
}

On both legs, agentless server to Nginx LB and Nginx LB to Wazuh server, it is a TCP connection, so http_realip_module won't work I guess, and the same goes for the below.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;


Are there any other ways we can retain the original IP of the network device/rsyslog etc. while listening/ingesting logs on port 514?

Thanks,
Pradeep

Gabriel Emanuel Valenzuela

Nov 17, 2022, 7:17:24 AM
to Wazuh mailing list
Hi Pradeep! How are you?

I think we can try this configuration from here. If not, we can keep looking for a solution. Have you tried what kleszczka wrote?

Let me know if you have any news. Have a nice day! :)

Pradeep

Feb 6, 2023, 1:23:22 AM
to Wazuh mailing list
Hello Team,

We are still unable to find a solution to this issue.
For now, we are providing the master node IP (IP:514) to our network device (firewall) instead of the load balancer's IP.
Because of this you can see how badly our cluster is working: the master node is busy taking the load of all the network devices.
[Attached screenshot: Screenshot 2023-02-06 114330.png]

Let me rephrase our issue:
We are trying to get the logs of our network devices (TCP) through the Nginx load balancer.
e.g.
1.
stream {
    upstream mycluster {
        hash $remote_addr consistent;
        server wazuh-master:514;
        server wazuh-worker1:514;
        server wazuh-worker2:514;
    }
    server {
        listen 514;
        proxy_pass mycluster;
    }
}
2. use_source_ip is already 'NO'.
But after doing this we started to get the IP of our Nginx in the location of our logs.

proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host  $host;
proxy_set_header X-Forwarded-Port  $server_port;
We also have tried the above conf, but I guess these are for HTTP connections, which in our case are TCP/UDP, so these are also not working.

Kindly look into this,

Thanks!

Pradeep

Feb 8, 2023, 1:23:41 AM
to Wazuh mailing list
Hello Team,

Kindly look into this, as we have been facing this issue for a while.

Thanks!!