installation of wazuh in cluster


Henry Valero

Dec 6, 2024, 10:17:12 AM
to Wazuh | Mailing List
Hi all:

When Wazuh is implemented in a distributed way, that is, with each component separate (wazuh-manager, wazuh-indexer and wazuh-dashboard), I understand that the workload or processing is carried out by the wazuh-manager. What would be the considerations for this component regarding storage? I assume that the agents will be approximately 100 servers.

Regarding the other component, the wazuh-indexer: since the indices will be stored here, and speaking of a deployment of this component in cluster mode (for example, an installation that includes 03 wazuh-indexer nodes), how should storage be handled? Must each server have its own independent storage? In that case, wouldn't the same data be duplicated on all three servers?

Can you clarify these doubts for me please, especially the storage in both the manager and the indexer? My intention is to deploy Wazuh in cluster mode, for which I am planning to use three nodes for the wazuh-manager and 03 nodes for the wazuh-indexer.

Regards,
Henry

Henry Valero

Dec 6, 2024, 9:04:09 PM
to Wazuh | Mailing List
nobody?

John Adewale Olatunde

Dec 9, 2024, 2:32:53 AM
to Wazuh | Mailing List
Hello Henry

The storage capacity depends on how many alerts are generated per endpoint. An example of the storage requirements for the Wazuh server is found here: https://documentation.wazuh.com/current/installation-guide/wazuh-server/index.html#hardware-requirements while that of the Wazuh indexer is found here: https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/index.html#hardware-recommendations

Regarding your question about the data duplication on the Wazuh indexer, you can configure it using the shard and replica options to tune your Wazuh indexer installation. You can find more information here https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-tuning.html#shards-and-replicas

After installation, to determine if these requirements align with your specific use case and if your manager requires additional resources, you can monitor the following files:

/var/ossec/var/run/wazuh-analysisd.state: The 'events_dropped' variable indicates whether events are being dropped due to resource limitations.
/var/ossec/var/run/wazuh-remoted.state: The 'discarded_count' variable indicates if messages from the agents were discarded.

Ideally, these two variables should be zero, indicating that the environment is functioning properly. 

Best regards
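
Added example, not part of the original reply or of the Wazuh project: a shell check for the two counters named above, returning a status that a cron job or monitoring probe can act on. It assumes the `.state` files hold one `key='value'` pair per line with `#` comment lines; the function names (`state_value`, `check_drops`, `write_samples`) and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example. Assumes each .state file holds key='value' lines plus '#' comments.

# Print the numeric value of KEY from FILE; return 2 if the file or key is missing.
state_value() {
    file=$1 key=$2
    [ -r "$file" ] || return 2
    val=$(sed -n "s/^${key}='\{0,1\}\([0-9][0-9]*\)'\{0,1\}[[:space:]]*\$/\1/p" "$file" | tail -n 1)
    [ -n "$val" ] || return 2
    printf '%s\n' "$val"
}

# Return 0 if both counters are zero, 1 if either is non-zero, 2 if unreadable.
check_drops() {
    analysisd=${1:-/var/ossec/var/run/wazuh-analysisd.state}
    remoted=${2:-/var/ossec/var/run/wazuh-remoted.state}
    dropped=$(state_value "$analysisd" events_dropped) ||
        { echo "UNKNOWN: no events_dropped in $analysisd"; return 2; }
    discarded=$(state_value "$remoted" discarded_count) ||
        { echo "UNKNOWN: no discarded_count in $remoted"; return 2; }
    if [ "$dropped" -eq 0 ] && [ "$discarded" -eq 0 ]; then
        echo "OK: events_dropped=0 discarded_count=0"
        return 0
    fi
    echo "WARN: events_dropped=$dropped discarded_count=$discarded"
    return 1
}

# Write constructed sample state files (not captured from a real manager) into DIR.
write_samples() {
    cat > "$1/wazuh-analysisd.state" <<EOF
# State file for wazuh-analysisd (constructed sample)
events_processed='48100'
events_dropped='$2'
EOF
    cat > "$1/wazuh-remoted.state" <<EOF
# State file for wazuh-remoted (constructed sample)
tcp_sessions='100'
discarded_count='$3'
EOF
}

# Demo on constructed data; on a manager, run check_drops with no arguments.
demo_dir=$(mktemp -d)
write_samples "$demo_dir" 0 37
check_drops "$demo_dir/wazuh-analysisd.state" "$demo_dir/wazuh-remoted.state" || true
rm -rf "$demo_dir"
```

In a cluster, the check applies to every wazuh-manager node that receives agent traffic, since each node keeps its own state files.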