How to Migrate From Wazuh All in One Server To Cluster (Distributed)


Ofek Tech

Apr 25, 2022, 10:29:29 AM
to Wazuh mailing list

Hi Guys,

I would love to get some help migrating my Wazuh all-in-one server to a cluster.

I have an all-in-one server working, and I've made a new distributed deployment on a cluster

with - nginx > wazuh master + wazuh worker > nginx > elastic master + elastic worker > kibana

I haven't found any documentation online about how to migrate from my AIO to my new distributed deployment.

If you have some tips or can give me a hand on how to start doing it without causing any trouble to the AIO server, that would be great!


Thanks a lot!

Ofek.

Federico Pacher

Apr 25, 2022, 12:35:38 PM
to Wazuh mailing list

Hi Ofek Tech,

Thank you for using Wazuh.

In order to turn your Wazuh single node into a Wazuh multi-node cluster, you simply add any worker you want by installing a Wazuh server and configuring it as a worker.

To install the Wazuh server, please follow these steps.

Once you have installed the worker node, you should configure it as a worker. In the configuration file located at /var/ossec/etc/ossec.conf you should have a configuration like this:

<cluster>
  <name>wazuh</name>
  <node_name>worker-node</node_name>
  <node_type>worker</node_type>
  <key></key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>wazuh-master-address</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>

The node_type tag says that this node is a worker node. In the key tag, you should add the same key that the master has. The node tag should have the IP address of the master node.
Here you have the full documentation to configure the cluster node.

To turn your Elasticsearch single node into a multi-node cluster, please follow this documentation.

Once you have installed Elasticsearch as a cluster, you have to configure your Filebeat to work with the cluster. To do this, edit the file /etc/filebeat/filebeat.yml as follows:

output.elasticsearch:
  hosts: ["<elasticsearch_ip_node_1>:9200", "<elasticsearch_ip_node_2>:9200", "<elasticsearch_ip_node_3>:9200"]

Replace elasticsearch_ip_node_x with the IP address or the hostname of the Elasticsearch server to connect to. Here you have the official documentation to configure Filebeat.

Then restart Filebeat:

# systemctl restart filebeat

Please do not forget to add the certificates to the new Elasticsearch node.

I hope this information helps you.

Regards
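The worker block above is easy to ship with the key still empty or the master address still a placeholder, which only shows up as cluster errors after the restart. The following is an added example, not code from the thread or from Wazuh: it parses the cluster section of a worker's ossec.conf and reports those common mistakes. The key check assumes the 32-hex-character key that the Wazuh documentation generates with `openssl rand -hex 16`; the sample configuration is constructed from the reply above.

```python
# Added example (not from the thread): sanity-check a Wazuh worker's <cluster>
# block in ossec.conf before restarting wazuh-manager. The key format check
# assumes the 32-hex-character key the Wazuh docs generate with
# `openssl rand -hex 16`; everything else follows the block in the reply above.
import re
import xml.etree.ElementTree as ET

# Constructed sample: the worker block from the reply, key still empty and the
# master address still the placeholder.
SAMPLE_WORKER_CONF = """<ossec_config>
  <cluster>
    <name>wazuh</name>
    <node_name>worker-node</node_name>
    <node_type>worker</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>wazuh-master-address</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
</ossec_config>"""

KEY_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def check_worker_cluster(conf_xml, master_key=None):
    """Return the list of problems found; an empty list means the block looks sane."""
    cluster = ET.fromstring(conf_xml).find("cluster")
    if cluster is None:
        return ["no <cluster> block in ossec.conf"]
    text = lambda tag: (cluster.findtext(tag) or "").strip()
    problems = []
    if text("node_type") != "worker":
        problems.append("node_type must be 'worker' on a worker node")
    key = text("key")
    if not KEY_RE.match(key):
        problems.append("key is empty or not a 32-hex-character cluster key")
    elif master_key is not None and key != master_key:
        problems.append("key differs from the master's key")
    nodes = [n.text.strip() for n in cluster.findall("nodes/node") if n.text]
    if not nodes or "wazuh-master-address" in nodes:
        problems.append("nodes/node must hold the master's real IP or hostname")
    if text("disabled") != "no":
        problems.append("cluster is still disabled")
    return problems
```

Run it with the real file contents (`check_worker_cluster(open("/var/ossec/etc/ossec.conf").read(), master_key=...)`) and pass the key copied from the master so a mismatch is caught before the worker tries to join.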

Ofek Tech

Apr 25, 2022, 1:30:22 PM
to Wazuh mailing list
Hey!
Thanks a lot Federico, it helped me very much,
but the thing is
I wanted to migrate fully to multi-node cluster mode without keeping my old one.
I'm talking about a production environment...
and my AIO is Wazuh 4.1
and my new deployment is running on the latest version...
Is there any other way of doing it without affecting the AIO server
and just "duplicating" all of the settings and connections into the new server?
And applying it without downtime on the current AIO appliance.

I would appreciate it very much if you have a way of doing it.
Thank you!


On Monday, April 25, 2022 at 19:35:38 UTC+3, Federico Pacher wrote:

Federico Pacher

Apr 26, 2022, 10:17:34 AM
to Wazuh mailing list
Hi Ofek Tech,

So, in that case, you will first need to upgrade your production environment to the latest version of Wazuh (4.2.5).

To upgrade the Wazuh server, please follow this link.

To upgrade Elasticsearch, Filebeat, and Kibana, please follow this link.

Once you have upgraded your environment, you can follow the steps I mentioned in my previous email to migrate to a multi-node cluster environment.

I hope this information can help you.

Regards

Ofek Tech

Apr 26, 2022, 6:39:35 PM
to Wazuh mailing list
Thanks Federico!
I will do it and update here how it worked.
Have a nice evening for now!


On Tuesday, April 26, 2022 at 17:17:34 UTC+3, Federico Pacher wrote:

Ofek Tech

May 2, 2022, 9:44:48 AM
to Wazuh mailing list
After discussing your way of doing it,
we have decided to start clean with a new server,
and we are having an issue connecting the firewall to the server.
We have an
Agent > nginx > wazuh master + worker > elasticsearch master + worker > kibana
deployment.

The thing is that the firewall of the servers is off
and we have the organization firewall that works.

All the servers are on the same VLAN,
but the Elasticsearch server isn't getting the firewall logs
(it is getting syslog from one machine that we are checking).

Maybe you have an idea why the logs aren't getting through?
Like I've said,
port 1514 is closed on the Elasticsearch server
and we can't get the port open with firewalld disabled (we are talking about a Red Hat server).

Maybe you know what we did wrong?
Or how to open a port with the right service on Red Hat without activating the firewall on the Red Hat machine?

Thank you very much.
If you need more details,
just say what you need.



On Wednesday, April 27, 2022 at 01:39:35 UTC+3, Ofek Tech wrote:

Federico Pacher

May 3, 2022, 10:03:17 AM
to Wazuh mailing list

Hi Ofek Tech,

I am glad to hear that you have done a new clean installation.

Regarding your new issue, could you please open a new thread in the Google group, in order to keep this thread clean and in case other users have the same doubt you have?

Regards