Running Wazuh on two remote sites


Dirk Westenhaus

Jul 31, 2023, 11:00:08 AM
to Wazuh mailing list
Hello,

would it be possible to run Wazuh in two separate sites, in a way that agents send their log data to a local Wazuh worker, have it stored in a local Wazuh Indexer cluster and operated from a local Wazuh Dashboard, BUT also be able to analyze data from a Wazuh installation in a remote site?

Please see the following diagram for hopefully better clarification.

I think the main challenge would be to prevent data from being stored in a remote location, right?


Thank you and best regards, Dirk.

Gonzalo Acuña

Jul 31, 2023, 12:31:16 PM
to Wazuh mailing list
Hi, Dirk.
It is possible to achieve what you need.
You can deploy a single Wazuh Indexer cluster across the two sites and connect the Filebeats to the corresponding nodes (from the same site).
I suggest using different index patterns to identify alerts from each Wazuh cluster. e.g.: wazuh-alerts-4.x-cluster1-* and wazuh-alerts-4.x-cluster2-*.
Also, it is possible to configure a single Wazuh dashboard, instead of one per site.

Regards.

Dirk Westenhaus

Aug 1, 2023, 8:08:21 AM
to Wazuh mailing list
Hi Gonzalo,
thank you for your reply.
Doesn't Opensearch automatically create replica indices all over its cluster? I guess that should be avoided, right?
Could you please elaborate a bit about setting up different index patterns? I have found a pattern configuration in /etc/filebeat/wazuh-template.json, changed it (see below) and restarted the filebeat service, but the new index name does not show up in Index Management, with opensearch-curl “…:9200/_aliases” or elsewhere.
Also, does anything need to be configured in the Dashboard to pick up the new pattern?

$ sudo head /etc/filebeat/wazuh-template.json
{
  "order": 0,
  "index_patterns": [
    "wazuh-alerts-4.x-clustera-*",
    "wazuh-archives-4.x-clustera-*"
  ],

Best regards, Dirk.

Dirk Westenhaus

Aug 1, 2023, 9:19:14 AM
to Wazuh mailing list
PS: I have been following the steps from https://documentation.wazuh.com/current/user-manual/elasticsearch/configure-indices.html until step 6 (Kibana app configuration), but nothing visible changed.

Gonzalo Acuña

Aug 3, 2023, 12:37:06 PM
to Wazuh mailing list
Hi, Dirk.
I didn't understand the requirement the first time.
You may need to use cross-cluster replication. Here is the Opensearch documentation that can help you achieve this configuration:
https://opensearch.org/docs/latest/tuning-your-cluster/replication-plugin/index/
This is an Elasticsearch documentation that mentions what you need:
https://www.elastic.co/guide/en/elasticsearch/reference/current/xpack-ccr.html#ccr-data-locality

About the index name, you will need to modify the /usr/share/filebeat/module/wazuh/alerts/manifest.yml file to set a custom index_prefix and restart Filebeat. e.g.:

module_version: 0.1

var:
  - name: paths
    default:
      - /var/ossec/logs/alerts/alerts.json
  - name: index_prefix
    default: wazuh-alerts-4.x-cluster-1-

input: config/alerts.yml

ingest_pipeline: ingest/pipeline.json

To create a new index pattern you can use the Wazuh indexer API:

curl -XPOST "https://<indexer_ip>:<indexer_port>/.kibana/_doc/index-pattern:wazuh-alerts-4.x-cluster-1-*" \
-k -u <indexer_admin_user>:<indexer_admin_password> \
-H 'Content-Type: application/json' \
-d '{"type":"index-pattern","index-pattern":{"title":"wazuh-alerts-4.x-cluster-1-*","timeFieldName":"@timestamp"}}'


Also, you will have to configure a Wazuh dashboard connected to the Wazuh indexer cluster on the remote site.

Regards.
Gonzalo Acuña.
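The mismatch Dirk ran into (template edited, manifest untouched) comes down to whether the daily index Filebeat actually writes is matched by the template's index_patterns and by the dashboard's index pattern. The following Python check is an added example, not code from Gonzalo or from the Wazuh project; it assumes the Filebeat Wazuh module names indices as <index_prefix> followed by the date in yyyy.MM.dd form, and the sample prefixes and patterns are constructed from the values quoted in this thread. Keeping the two sites' indices under non-overlapping patterns is also what lets you scope dashboard users to their own site's alerts.

```python
import re
from datetime import date

# Constructed sample values, taken from the thread: the prefix Gonzalo suggested for
# the Filebeat manifest, the patterns Dirk put in wazuh-template.json, and the
# dashboard index pattern created through the .kibana API.
MANIFEST_INDEX_PREFIX = "wazuh-alerts-4.x-cluster-1-"
TEMPLATE_INDEX_PATTERNS = ["wazuh-alerts-4.x-clustera-*", "wazuh-archives-4.x-clustera-*"]
DASHBOARD_INDEX_PATTERN = "wazuh-alerts-4.x-cluster-1-*"


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """OpenSearch index patterns use '*' as the only wildcard; all else is literal."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def matches(pattern: str, index_name: str) -> bool:
    return wildcard_to_regex(pattern).match(index_name) is not None


def daily_index_name(index_prefix: str, day: date) -> str:
    # Assumption: the Wazuh Filebeat module appends the day as yyyy.MM.dd to index_prefix.
    return f"{index_prefix}{day.strftime('%Y.%m.%d')}"


def check_index_routing(index_prefix: str, template_patterns: list, dashboard_pattern: str, day: date) -> dict:
    """Report which template patterns and whether the dashboard pattern cover today's index.

    An empty 'template_patterns_matched' means the index is created without the Wazuh
    mappings; a False 'dashboard_pattern_matches' means the dashboard will not show it.
    """
    name = daily_index_name(index_prefix, day)
    return {
        "index": name,
        "template_patterns_matched": [p for p in template_patterns if matches(p, name)],
        "dashboard_pattern_matches": matches(dashboard_pattern, name),
    }


def patterns_isolate_sites(site_patterns: list, index_prefixes: list, day: date) -> bool:
    """True only if each site's dashboard pattern matches exactly its own site's index."""
    names = [daily_index_name(p, day) for p in index_prefixes]
    return all(
        matches(pat, name) == (i == j)
        for i, pat in enumerate(site_patterns)
        for j, name in enumerate(names)
    )


if __name__ == "__main__":
    print(check_index_routing(MANIFEST_INDEX_PREFIX, TEMPLATE_INDEX_PATTERNS, DASHBOARD_INDEX_PATTERN, date(2023, 8, 1)))
```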

Dirk Westenhaus

Aug 7, 2023, 4:52:42 AM
to Wazuh mailing list
Hello Gonzalo,

thank you very much for your input. I appreciate that very much.

Just to clarify: Cross-Cluster-Replication is about connecting two or more independent clusters, right? Because at this time, I have set up a single Opensearch cluster spanning over two different sites.

Would CCR still apply for a single, distributed cluster? Or would you recommend against such a setup in favour of two independent OS clusters?

I have posted a diagram of my installation here: https://groups.google.com/g/wazuh/c/QNzltwdhiIU

Thank you and best regards, Dirk.

Gonzalo Acuña

Aug 9, 2023, 10:36:20 AM
to Wazuh mailing list
Hi.
Yes, the idea of CCR is to connect two or more clusters.
CCR should also work with a single cluster. But having 2 independent clusters will allow you to separate the information. For example, if you don't want users from cluster1 to see alerts from cluster2, the best option is to have 2 different clusters, each with its own Wazuh dashboard instance.

Regards.
Gonzalo.

Dirk Westenhaus

Aug 10, 2023, 5:22:44 AM
to Wazuh mailing list
Hi,

short question: Would a shared certificate CA be a requirement? Or could the clusters authenticate to each other with username and password?

I find this topic a bit lacking in the Elasticsearch/Opensearch documentation.

Best regards, Dirk.

Gonzalo Acuña

Aug 11, 2023, 10:10:55 AM
to Wazuh mailing list
Hi, Dirk.
I think this configuration must be enough to allow connections from the followers to the leader:
https://opensearch.org/docs/latest/tuning-your-cluster/replication-plugin/getting-started/#permissions

Regards.
Gonzalo Acuña.
