Multi-node infrastructure


Chen

Jul 26, 2025, 8:07:38 AM
to Wazuh | Mailing List
Hi there,

I am looking for a confirmation for my infrastructure idea.

I want to implement Wazuh to cover multiple networks. My idea was to do something like this: 
  • deploy 4 Ubuntu servers in the 4 separate networks;
  • install only wazuh-manager (or disable wazuh-indexer and wazuh-dashboard) on those 4 servers;
  • deploy agents for each separate network;
  • deploy another Ubuntu server, to serve as the Central server, install wazuh-indexer and wazuh-dashboard;
  • configure each wazuh-manager from the 4 servers to send the logs to the Central server;
  • login to the Central server (dashboard) to see the logs and manage things;
Is this doable or am I wrong in my approach?

Thank you,
Chen

Md. Nazmur Sakib

Jul 28, 2025, 1:04:05 AM
to Wazuh | Mailing List
Hi Chen,

Yes, it is possible.
Your architecture will look like this.

Check these documents for deployment:
Installing the Wazuh indexer step by step
Installing the Wazuh server step by step
Installing the Wazuh dashboard step by step

You can also check the document for Wazuh multi-site implementation, if you want to have separate indices for the data. It offers a solution that helps organizations unify their security monitoring capabilities across multiple geographically dispersed locations or sites. For this, you will need multiple indexers as well.
A single Wazuh dashboard will display security alerts generated from events occurring in monitored endpoints for every site.
https://wazuh.com/blog/wazuh-multi-site-implementation/

Let me know if you need any further information on this.

Chen

Jul 28, 2025, 7:32:56 AM
to Wazuh | Mailing List
Hello,

Thank you for your reply.

If I were to follow my idea (also the one from your diagram), what would need to be configured on the wazuh-managers and on the Central server (regarding the wazuh-indexer)? Would it be enough to only change the indexer IP in the wazuh-managers configuration, or what else would be needed?

Thanks,
Chen

Md. Nazmur Sakib

Jul 28, 2025, 8:31:43 AM
to Wazuh | Mailing List

If you follow your architecture, 4 managers forward the data to one indexer.

Follow this doc for the configuration of the Wazuh manager.

https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html

In the Filebeat configuration, you need to mention the indexer IP:
/etc/filebeat/filebeat.yml

# Output section of the Wazuh Filebeat configuration; hosts and protocol
# belong to the same output.elasticsearch mapping.
output.elasticsearch:
  hosts:
    - 10.0.0.1:9200
  protocol: https

Replace 10.0.0.1 with your indexer IP.

To go into more detail about the architecture:

The Wazuh manager will save the logs in /var/ossec/logs/alerts/alerts.json

The filebeat will read this log file and process the logs for the indexer and forward the logs to the Wazuh indexer. That's why you need to add the indexer address in the filebeat configuration.

Read this document to learn more:

https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html


Let me know if you need any further information on this.
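The Filebeat change described in the reply above (and the "only change the indexer IP" question it answers), as an added example that is not part of the thread or of the Wazuh project: a shell helper that repoints one manager's Filebeat at the central indexer, keeps a backup of filebeat.yml, and verifies the result from that manager. It assumes the stock single-line form of the target (hosts: ["127.0.0.1:9200"]) as written by the Wazuh installer, the certificate paths from the install guide under /etc/filebeat/certs, and a constructed indexer address 10.0.0.1; the sample configuration in the demo is constructed as well.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from the Wazuh project: repoint one
# manager's Filebeat at the central indexer and verify the change.
# Assumptions: the stock Wazuh filebeat.yml writes the target on one line as
#   hosts: ["127.0.0.1:9200"]
# and Filebeat's certificates live under /etc/filebeat/certs as in the install guide.
set -eu

# Rewrite the hosts line of a filebeat.yml ($1) to point at $2:9200, keeping a
# timestamped backup next to it. Only the hosts line changes; protocol,
# credentials and TLS settings stay exactly as they were.
set_indexer_host() {
  local cfg="$1" ip="$2" tmp
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  tmp="$(mktemp)"
  sed -E "s#^([[:space:]]*hosts:).*#\1 [\"$ip:9200\"]#" "$cfg" > "$tmp"
  mv "$tmp" "$cfg"
}

# Print the host:port Filebeat will ship alerts to according to $1.
indexer_target() {
  grep -E '^[[:space:]]*hosts:' "$1" | head -n 1 | sed -E 's/.*\["?([^]"]+)"?\].*/\1/'
}

# Live checks to run on the manager after the change ($1 = filebeat.yml, $2 = indexer IP).
# curl must accept the central indexer's certificate using the same root CA Filebeat is
# configured with: HTTP 401 is the expected answer without credentials, while curl exit
# code 60 means the central indexer was issued from a different CA than this manager.
# "filebeat test output" then opens a real connection with the configured credentials.
verify_manager() {
  local cfg="$1" ip="$2"
  curl -sS -o /dev/null -w 'indexer answered HTTP %{http_code}\n' \
    --cacert /etc/filebeat/certs/root-ca.pem "https://$ip:9200/"
  if command -v filebeat >/dev/null 2>&1; then
    filebeat test config -c "$cfg"
    filebeat test output -c "$cfg"
  fi
}

# Stand-alone demo on a constructed copy of the stock output section.
demo_cfg="$(mktemp)"
cat > "$demo_cfg" <<'EOF'
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
EOF
set_indexer_host "$demo_cfg" 10.0.0.1
echo "Filebeat will ship to: $(indexer_target "$demo_cfg")"
```

On a real manager the sequence is set_indexer_host /etc/filebeat/filebeat.yml 10.0.0.1, then verify_manager /etc/filebeat/filebeat.yml 10.0.0.1, then systemctl restart filebeat. Changing the address alone is sufficient only when the root-ca.pem on the manager is the CA that signed the central indexer's certificate and the username/password in filebeat.yml (normally read from the Filebeat keystore) are valid on that indexer; if either check above fails, the certificate set has to be regenerated for the whole deployment rather than patched per manager.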

Chen

Jul 30, 2025, 4:59:33 AM
to Wazuh | Mailing List
Hello,

I have been looking into the multi-site implementation, as it seems it might be more suitable for my use case (I also have different integrations with FortiGate and Office365 in place).

My current setup is like this - I have 4 individual servers, in separated networks, each in a single-node configuration (each one has its own wazuh-manager, wazuh-indexer, wazuh-dashboard). My plan is to go for something like a multi-site implementation:
  • keep each server online, removing only the wazuh-dashboards, keeping the wazuh-manager and wazuh-indexer;
  • creating another server, to serve as the Central Dashboard;
  • implementing VPN tunnels for communication from each server to the Central Dashboard (I plan to allow traffic in both directions for ports 22, 9200 and 55000);
  • configure each of the 4 servers to send the logs to the Central Dashboard, renaming each index to fit each server;
  • monitor the events and agents only from the Central Dashboard;
Is my plan looking ok or am I wrong in my view/missing some parts?

Thank you,
Chen

Md. Nazmur Sakib

Aug 4, 2025, 3:14:27 AM
to Wazuh | Mailing List
Sorry for the late response. The plan looks fine to me.

Just a tip from me which I believe will be helpful regarding this:

As you have 4 individual Wazuh deployments, I believe they are in individual indexer clusters. All the indexers need to be in the same cluster.

You will need to generate a new set of certificates and update the configuration of all the components following this document.

https://wazuh.com/blog/wazuh-multi-site-implementation/

I always suggest keeping a backup of the config files and cert files that you are making changes to.

Skip the component installation part; just update the certificates and the configurations.

If you need further step-by-step guidelines on this or need further assistance on this, let me know.
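Chen's multi-site plan (four managers with their own indexers, one central dashboard) and the advice above to put the four indexers into one cluster under a fresh certificate set, as an added example that is not part of the thread or of the Wazuh project: a shell script that renders, from a single site list, the config.yml that wazuh-certs-tool.sh reads and the cluster section of each node's /etc/wazuh-indexer/opensearch.yml, plus a health check to run once the nodes are back up. Site names, addresses, the cluster name and the dashboard IP are constructed placeholders; the DN suffix OU=Wazuh,O=Wazuh,L=California,C=US is the one the Wazuh install guide uses in plugins.security.nodes_dn and is assumed here.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from the Wazuh project: render the
# two pieces of configuration needed to merge four single-node deployments into
# one indexer cluster: the config.yml consumed by wazuh-certs-tool.sh and the
# cluster section of each node's /etc/wazuh-indexer/opensearch.yml.
# Site names and addresses are constructed placeholders; the DN suffix is the
# one the Wazuh install guide uses in plugins.security.nodes_dn.
set -eu

# One entry per network: site-name:ip (constructed). Each site keeps its
# manager and indexer on the same host, as in the thread.
SITES="siteA:10.10.0.5 siteB:10.20.0.5 siteC:10.30.0.5 siteD:10.40.0.5"
DASHBOARD_IP="10.0.0.2"        # the new central dashboard host (assumed)
CLUSTER_NAME="wazuh-cluster"   # must be identical on every indexer node
DN_SUFFIX="OU=Wazuh,O=Wazuh,L=California,C=US"

site_ip() {
  for s in $SITES; do
    if [ "${s%%:*}" = "$1" ]; then echo "${s#*:}"; return 0; fi
  done
  echo "unknown site: $1" >&2
  return 1
}

# config.yml for wazuh-certs-tool.sh. Every component that will talk TLS to the
# cluster is listed, so the whole deployment ends up under one root CA.
render_certs_config() {
  echo "nodes:"
  echo "  indexer:"
  for s in $SITES; do
    printf '    - name: indexer-%s\n      ip: "%s"\n' "${s%%:*}" "${s#*:}"
  done
  echo "  server:"
  for s in $SITES; do
    printf '    - name: manager-%s\n      ip: "%s"\n' "${s%%:*}" "${s#*:}"
  done
  echo "  dashboard:"
  printf '    - name: dashboard\n      ip: "%s"\n' "$DASHBOARD_IP"
}

# Cluster section of opensearch.yml for the indexer at site $1. The seed list,
# initial master list and nodes_dn are identical on every node; only node.name
# and network.host differ.
render_indexer_cluster_config() {
  local site="$1"
  echo "cluster.name: $CLUSTER_NAME"
  echo "node.name: indexer-$site"
  echo "network.host: \"$(site_ip "$site")\""
  echo "discovery.seed_hosts:"
  for s in $SITES; do echo "  - \"${s#*:}\""; done
  echo "cluster.initial_master_nodes:"
  for s in $SITES; do echo "  - \"indexer-${s%%:*}\""; done
  echo "plugins.security.nodes_dn:"
  for s in $SITES; do echo "  - \"CN=indexer-${s%%:*},$DN_SUFFIX\""; done
}

# Live check once the nodes are restarted with the new certificates: every node
# should report number_of_nodes equal to the number of sites.
cluster_health() {
  curl -sS --cacert /etc/wazuh-indexer/certs/root-ca.pem \
    -u "admin:${INDEXER_ADMIN_PASSWORD:?export INDEXER_ADMIN_PASSWORD first}" \
    "https://$(site_ip "$1"):9200/_cluster/health?pretty"
}

# Stand-alone demo: print both renderings for the first site.
render_certs_config
echo "---"
render_indexer_cluster_config siteA
```

Workflow on one host: download https://packages.wazuh.com/4.x/wazuh-certs-tool.sh, run render_certs_config > config.yml, then bash ./wazuh-certs-tool.sh -A; copy each node's pem pair plus root-ca.pem (and admin.pem/admin-key.pem to the indexers) into place, restart every wazuh-indexer, and run /usr/share/wazuh-indexer/bin/indexer-security-init.sh once on one node so the security index is initialised under the new admin certificate. Three caveats from my side, not from the thread: indexer nodes talk to each other on the cluster transport port (9300/TCP), so the VPN rules need that port open between all four indexers, not only 9200 and 55000 towards the dashboard; an indexer that has already run as its own single-node cluster carries that cluster's UUID and will refuse to join another cluster, so the three joining nodes must start from an empty data directory (their historical alerts are lost unless reindexed); and for the central dashboard to list agents from all four managers, each manager's API (port 55000) has to be added as a separate host entry in the dashboard's wazuh.yml.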