Move/Relocate/Migrate Agents


swapnils

Nov 25, 2022, 9:15:34 AM
to Wazuh mailing list

Hello Team,

Greetings!
Wanted to know if there is any way to migrate agents from one master/worker to another master/worker node.
If either one of the master/worker nodes goes down or the wazuh-manager service is restarted for some maintenance work on any of the nodes, agents get migrated/moved to another available node, which works as expected. However, once the affected node is back, agents don’t relocate and the affected node sits idle.
Is there any way to achieve this? I was checking agent_control, cluster_control commands if those have such options to migrate agents but could not find such. Also checked dashboard GUI but did not find any option.

Could you please help?


Thanks,
swapnils

Lorenzo Miguel Elguea Fernandez

Nov 25, 2022, 9:24:50 AM
to swapnils, Wazuh mailing list
I use a DNS alias from the principal server.
When the principal is down, change alias to another server.



Lorenzo Elguea Fernández
Director of Cybersecurity, UP

swapnils

Nov 25, 2022, 10:32:27 AM
to Wazuh mailing list
Hello,
When the first server goes live, do agents move from another server to the first one?
Does redistribution of agents happen automatically, or do you do something manually?


Regards,
swapnils

Kevin Ledesma

Nov 25, 2022, 2:16:47 PM
to Wazuh mailing list
Hello!
Well, this is normally handled by a load balancer (check this doc), so it decides in which worker the alerts are received.
For your specific case, from what I know, it is not possible to migrate the agents from one worker to another on demand, but let me do some research and I'll get back to you with a more accurate answer.

Have a nice day!

Kevin Ledesma

Nov 25, 2022, 2:28:16 PM
to Wazuh mailing list
Hello again!
Sorry, I should have asked you this before, but, do you have a load balancer configured?
If that's the case, it should be fixed by stopping the wazuh-manager service on each node's machine for 10s and then starting them again
(you can use the command systemctl stop wazuh-manager to stop the managers).
Else, I will get back to you with another solution!

swapnils

Nov 26, 2022, 12:33:43 AM
to Wazuh mailing list

Hello Kevin,

Thank you for your suggestion. I am already using that approach, i.e. stopping and starting wazuh-manager on the occupied system, which results in moving almost all agents to another node.
Is there any way wherein I can move agents manually to distribute load? I do not have LB configured.

Current setup -
Two manager nodes (1 master + 1 worker ) / 3 indexers / 1 dashboard
Single FQDN is pointing to two manager IPs in DNS. (So everything works well when both the managers are live. DNS randomly sends requests to either of the nodes.)

Query -
I had checked the document you shared earlier while building the setup but I was uncertain about the functionalities.
LB will distribute load in the normal case (as it is doing in the existing DNS hack). But during back-end maintenance at the manager(s) level, how will nginx move agents from one manager to another manager? Won’t it taint Wazuh’s own algorithm?
I may be completely wrong but will nginx’s configuration and Wazuh’s own cluster configuration go hand in hand?

Apologies if I am sounding vague!


Regards,
swapnils

Kevin Ledesma

Nov 28, 2022, 3:28:31 PM
to Wazuh mailing list
Hello Swapnils!

Well, for now, Wazuh doesn't have any tool that allows you to manually move agents from one worker to another.

About the LB, maybe that guide is not that clear; here is a better example.
With Nginx you don't have to worry about which agent connects to which manager, as basically the agents are connected to Nginx, and when an agent sends a request Nginx receives it and decides to which manager it should be handed over.
Maybe my explanation is not clear enough; you can check this video, which may have a better explanation.

Thanks for your patience! Regards!
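
Added example (not part of the thread and not the Wazuh project's own configuration): a minimal Nginx `stream` block of the kind described in the reply above, where agents connect to Nginx and Nginx picks the manager. The addresses are placeholders from the documentation range, the upstream names are hypothetical, ports 1514/1515 are the Wazuh defaults for agent traffic and enrollment, and sending enrollment to the master only is an assumption.

```nginx
# /etc/nginx/nginx.conf (stream context, sits beside any http {} block)
# Added example; addresses are placeholders, upstream names are hypothetical.
stream {
    # Agent event traffic (Wazuh default port 1514/tcp), spread over both managers.
    upstream wazuh_managers {
        # Map each agent source IP to one node; it is remapped while that node is failed.
        hash $remote_addr consistent;
        server 192.0.2.10:1514 max_fails=3 fail_timeout=30s;   # master (placeholder)
        server 192.0.2.11:1514 max_fails=3 fail_timeout=30s;   # worker (placeholder)
    }

    # Agent enrollment (default port 1515/tcp), sent to the master only (assumption).
    upstream wazuh_enrollment {
        server 192.0.2.10:1515;
    }

    server {
        listen 1514;
        proxy_pass wazuh_managers;
        proxy_connect_timeout 5s;   # give up on an unreachable node quickly
    }

    server {
        listen 1515;
        proxy_pass wazuh_enrollment;
    }
}
```

Agents would then be pointed at the Nginx address instead of the FQDN that resolves to both managers. Nginx chooses the upstream when a TCP connection is opened, so an agent that is already connected stays on its current node until it reconnects.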

swapnils

Nov 29, 2022, 6:56:54 AM
to Wazuh mailing list
Hello Kevin,

Thank you for the details! I checked both the links you shared and got an understanding about the Nginx working.
However, I still have one doubt w.r.t. the following scenario -
When both node1 & node2 are live, nginx forwards the agent requests to both nodes as per nginx configuration.
One of the Wazuh managers (node1) goes down.
Traffic is now diverted to node2 & nginx is forwarding requests to node2.
When node1 comes back, will agents be moved from node2 to node1? If yes, will nginx do that, as Wazuh does not have that capability as of now?

Could it be possible to check if this scenario is replicated somewhere in lab environment?
Secondly, will it be possible to raise a feature request for this functionality? It will be of an immense help!


Regards,
swapnils

Kevin Ledesma

Nov 30, 2022, 7:10:37 AM
to Wazuh mailing list
Hello Swapnils

Yes! As soon as your other node is up again, Nginx will start forwarding the agents' requests to that worker too.
About the replicated scenario, you can create your own scenario using docker or vagrant virtual machines and following the guide. There is no live test environment using that scenario.
Sure! You can raise an issue (here) requesting that functionality and the development team will check on it. I recommend you be as descriptive as you can in the issue description.

Regards!