Wazuh Master node switching

CJK

Sep 11, 2025, 6:03:15 AM
to Wazuh | Mailing List
Hi Team,

I have 3 Wazuh manager nodes in a cluster, and presently the master node is node1.
Can someone help me with switching the master node to node2? I have tried the below setting in ossec
<cluster>
    <name>wazuh</name>
    <node_name>wazuh-node2</node_name>
    <node_type>master</node_type>
    <key>5e9d6b760b514d6a286b1ecxxxxx</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>172.16.24.102</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
</cluster>

and the master node seems changed when checking
/var/ossec/bin/cluster_control -l, but API connectivity from the dashboard fails even though I changed the IP of node1 from 2 on /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml. Can someone help me with this?

Thanks and regards 
Clint

Stuti Gupta

Sep 11, 2025, 6:35:41 AM
Hi CJK,

Can you please let me know why you want to change the master node from node1 to node2? It is possible, but it is not recommended, as the master node centralizes and coordinates worker nodes, ensuring the critical and required data is consistent across all nodes. And there can be only one master node.
So it is not recommended unless you have a very strong reason.

If you still wish to do so, stop the current Wazuh-manager and filebeat nodes. You need to first regenerate the certs using the config.yml file; make sure to switch the type as well. To generate the certs, please refer to
https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster/adding-new-server-nodes/certificates-creation.html#using-pre-existing-root-ca-key
Once you're done with this, you need to generate the master key from the master node server. <key> is a unique 32-character key and should be the same for all of the cluster nodes. We generate a unique key with the command openssl rand -hex 16.
After that, you need to replace the old key with the newly generated key from the new master node in /var/ossec/etc/ossec.conf on all the manager nodes, and change the configuration according to this: https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster/cluster-nodes-configuration.html#master-node

Let me know if you need any further assistance 
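Added example (not part of the original thread and not Wazuh tooling): a consistency check over the `<cluster>` blocks of every manager's ossec.conf after the steps in the reply above, confirming a single master, one shared 32-character key, and `<nodes>` pointing at the new master. The node names, keys and addresses are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

def cluster_block(conf_text):
    """Return the <cluster> section of an ossec.conf as a dict."""
    # ossec.conf may hold several <ossec_config> roots, so cut the block out first.
    m = re.search(r"<cluster>.*?</cluster>", conf_text, re.S)
    if m is None:
        raise ValueError("no <cluster> block")
    root = ET.fromstring(m.group(0))
    cfg = {c.tag: (c.text or "").strip() for c in root if c.tag != "nodes"}
    cfg["nodes"] = [(n.text or "").strip() for n in root.findall("nodes/node")]
    return cfg

def check_cluster(confs, master_addr):
    """confs maps host -> ossec.conf text; returns a list of problems found."""
    cfgs = {host: cluster_block(text) for host, text in confs.items()}
    problems = []
    masters = sorted(h for h, c in cfgs.items() if c.get("node_type") == "master")
    if len(masters) != 1:
        problems.append(f"expected exactly one master, found {len(masters)}: {masters}")
    for field in ("name", "key"):
        if len({c.get(field) for c in cfgs.values()}) != 1:
            problems.append(f"<{field}> differs between nodes")
    for host, c in sorted(cfgs.items()):
        if len(c.get("key", "")) != 32:
            problems.append(f"{host}: <key> is not 32 characters long")
        if c["nodes"] != [master_addr]:
            problems.append(f"{host}: <nodes> is {c['nodes']}, expected [{master_addr!r}]")
    return problems

def sample_conf(node_name, node_type, key, master):
    # Constructed ossec.conf fragment holding only the fields checked above.
    return (f"<ossec_config><cluster><name>wazuh</name><node_name>{node_name}</node_name>"
            f"<node_type>{node_type}</node_type><key>{key}</key>"
            f"<nodes><node>{master}</node></nodes><disabled>no</disabled></cluster></ossec_config>")

# Constructed values: placeholder keys and documentation-range addresses.
OLD_KEY, NEW_KEY = "a" * 32, "b" * 32
OLD_MASTER, NEW_MASTER = "192.0.2.11", "192.0.2.12"
# node1 was never demoted and still carries the old key and old master address.
BROKEN = {"node1": sample_conf("wazuh-node1", "master", OLD_KEY, OLD_MASTER),
          "node2": sample_conf("wazuh-node2", "master", NEW_KEY, NEW_MASTER),
          "node3": sample_conf("wazuh-node3", "worker", NEW_KEY, NEW_MASTER)}
FIXED = dict(BROKEN, node1=sample_conf("wazuh-node1", "worker", NEW_KEY, NEW_MASTER))

if __name__ == "__main__":
    for problem in check_cluster(BROKEN, NEW_MASTER):
        print(problem)
```

In practice `confs` would be filled from the ossec.conf collected from each manager before the services are restarted.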

CJK

Sep 11, 2025, 6:53:06 AM
Hi,

Thanks for your response. We are trying to relocate node1 to another DC location, so apart from the master node, all have been moved to the new DC without interrupting SOC activities. So what I am trying to do now is:
1. Change the master node to node2 and set node1 as worker3
2. Then bring in a new VM as node1_temp with the same IP in the old location and switch the IP of worker3 to the new VM (network devices forwarding logs to 514 of this node will continue)
3. Turn off worker3 and transport it
4. Then afterwards restore the IPs and later the master to node1 (back to normal)

Do you have any other suggestions for me? The motive is that we don't want to miss logs from 250 agents and 200+ network syslog forwarding devices (currently integrated with node1-master), and transportation will take 12 hours.

Stuti Gupta

Sep 12, 2025, 3:52:01 AM

You can also migrate node1 to another server, for which you need to have a backup and restore it. You can refer to https://documentation.wazuh.com/current/migration-guide/index.html

CJK

Sep 12, 2025, 5:39:13 AM
Hi Stuti,

I have tried to migrate node1 (master node) to a new VM with the same IP using the shared backup and restore document. All steps completed successfully for the Wazuh server.
Now when I check the cluster status, it is active:

root@m-waz-serxxx:~/root/wazuh_files_backup/2025-09-12_06:19# /var/ossec/bin/cluster_control -l
NAME           TYPE    VERSION  ADDRESS
wazuh-master   master  4.7.3    172.16.24.101
wazuh-worker0  worker  4.7.3    172.16.24.102

But on the GUI I'm seeing an API error as below. This is kind of urgent; can you help me with this?

Screenshot 2025-09-12 150426.png

This is the entry in /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml:
hosts:
  - default:
      url: https://172.16.24.101
      port: 55000
      username: wazuh-wui
      password: "JeNBgqTU7Nke.YbstTmI..5HTim+uW6P"
      run_as: true
  - default2:
      url: https://172.16.24.102
      port: 55000
      username: wazuh-wui
      password: "JeNBgqTU7Nke.YbstTmI..5HTim+uW6P"
      run_as: true

CJK

Sep 12, 2025, 6:47:02 AM
When I revert to VM-1 (the old VM), it still works.

root@m-waz-servxxx:# curl -k -X GET "https://172.16.24.101:55000/" -H "Authorization: Bearer $(curl -u wazuh-wui:JeNBgqTU7Nke.YbstTmI..5HTim+uW6P -k -X POST 'https://172.16.24.101:55000/security/user/authenticate?raw=true')"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--       0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     100   404  100   404    0     0    316      0  0:00:01  0:00:01 --:--:--   316
{"data": {"title": "Wazuh API REST", "api_version": "4.7.3", "revision": 40714, "license_name": "GPL 2.0", "license_url": "https://github.com/wazuh/wazuh/blob/v4.7.3/LICENSE", "hostname": "m-waz-ser1", "timestamp": "2025-09-12T10:10:41Z"}, "error": 0}

Working one node1 .png
Last logs for reference
---
Sep 12, 2025 @ 15:10:07  ERROR  Request failed with status code 401
Sep 12, 2025 @ 15:10:09  INFO  Request failed with status code 401
Sep 12, 2025 @ 15:10:10  INFO  Request failed with status code 401
Sep 12, 2025 @ 15:10:10  INFO  Request failed with status code 401
Sep 12, 2025 @ 15:10:11  INFO  Request failed with status code 401
Sep 12, 2025 @ 15:15:05  ERROR  Request failed with status code 401
Sep 12, 2025 @ 15:15:06  ERROR  Request failed with status code 401
Sep 12, 2025 @ 15:15:06  ERROR  Request failed with status code 401
Sep 12, 2025 @ 15:15:06  ERROR  Request failed with status code 401
Sep 12, 2025 @ 15:15:07  ERROR  Request failed with status code 401
Sep 12, 2025 @ 15:15:07  ERROR  Request failed with status code 401
Sep 12, 2025 @ 15:15:07  ERROR  Request failed with status code 401
Sep 12, 2025 @ 15:15:07  ERROR  Request failed with status code 401
Sep 12, 2025 @ 15:15:08  ERROR  Request failed with status code 401
Sep 12, 2025 @ 15:15:08  ERROR  Request failed with status code 401
Sep 12, 2025 @ 15:15:11  INFO  Request failed with status code 401
Sep 12, 2025 @ 15:15:11  INFO  Request failed with status code 401
Sep 12, 2025 @ 15:15:11  INFO  Request failed with status code 401
Sep 12, 2025 @ 15:15:12  INFO  Request failed with status code 401
Sep 12, 2025 @ 15:15:13  ERROR  Request failed with status code 401
Sep 12, 2025 @ 15:15:15  ERROR  Request failed with status code 401
Sep 12, 2025 @ 15:20:12  INFO  Request failed with status code 401
Sep 12, 2025 @ 15:20:12  INFO  Request failed with status code 401
Sep 12, 2025 @ 15:20:12  INFO  Request failed with status code 401
Sep 12, 2025 @ 15:20:13  INFO  Request failed with status code 401
Sep 12, 2025 @ 15:25:00  ERROR  connect ECONNREFUSED 172.16.24.101:55000
Sep 12, 2025 @ 15:25:00  ERROR  connect ECONNREFUSED 172.16.24.101:55000
Sep 12, 2025 @ 15:25:00  ERROR  connect ECONNREFUSED 172.16.24.101:55000
Sep 12, 2025 @ 15:25:00  ERROR  connect ECONNREFUSED 172.16.24.101:55000
Sep 12, 2025 @ 15:25:00  ERROR  Request failed with status code 500
Sep 12, 2025 @ 15:25:00  ERROR  Request failed with status code 500
Sep 12, 2025 @ 15:25:00  ERROR  Request failed with status code 500
Sep 12, 2025 @ 15:25:00  ERROR  Request failed with status code 500
Sep 12, 2025 @ 15:25:00  INFO  connect ECONNREFUSED 172.16.24.101:55000
Sep 12, 2025 @ 15:25:00  INFO  connect ECONNREFUSED 172.16.24.101:55000
Sep 12, 2025 @ 15:25:01  INFO  Request failed with status code 500
Sep 12, 2025 @ 15:25:01  INFO  Request failed with status code 500
Sep 12, 2025 @ 15:26:54  ERROR  Request failed with status code 500
Sep 12, 2025 @ 15:27:19  ERROR  Timeout executing API request
Sep 12, 2025 @ 15:53:13  ERROR  Request failed with status code 500

Stuti Gupta

Sep 15, 2025, 7:25:27 AM
After a Wazuh migration, persistent 401 (Unauthorized) and 500 (Internal Server Error) API errors usually mean a credentials/configuration mismatch, service issues, or data corruption in files moved between servers. These errors are common after restoring a node or cluster to a new host, especially when backup and restore procedures miss hidden files, API credential resets, or network/service discrepancies.

Review the configuration files for the Wazuh Indexer and the Wazuh Dashboard to ensure that security settings, user roles, and authentication methods are correctly defined and match the post-migration setup. Like:
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
/etc/wazuh-dashboard/opensearch_dashboards.yml

Please share the following logs:
Check the Wazuh Indexer logs: /var/log/wazuh-indexer/wazuh-cluster.log
Check the Wazuh manager logs:  /var/ossec/logs/ossec.log
Check the Wazuh api logs: /var/ossec/logs/api.log

Check if the firewall or the network is blocking the connection.