Sending alerts and logs from Wazuh all-in-one to Wazuh Cluster (2)

[jonh]

I have an architecture where I have to promptly send the generated alerts from Wazuh all-in-one to another Wazuh Cluster (and see them on Dashboard), and I also have to send logs from Wazuh all-in-one and take logs to Wazuh Cluster and archive it for 3 years in another file (not in /var/ossec/logs/archives/archive.json)

[Md. Nazmur Sakib]

Hi Jonh,


Instead of two making two completely separate deployments and sending logs from one server to another, which makes the deployment very complicated, you can follow one of these deployment architectures.


Wazuh multi-site implementation:
In this deployment, you will have multiple indexers within a single Wazuh indexer cluster.

Ref: https://wazuh.com/blog/wazuh-multi-site-implementation/

Wazuh clusters with Cross-Cluster:

In this deployment, you will have separate Wazuh indexer clusters connected by a CSS cluster to access the data from one single dashboard.


Ref: https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/




Next, You can role-based users to limit the access of data for each user.
https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html


Also, you can create different data indexes based on different sources and create retention policies based on that.
https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/index-lifecycle-management.html

https://documentation.wazuh.com/current/user-manual/wazuh-indexer/migrating-wazuh-indices.html


Please check these documents and let me know if you need any further information.

[jonh]

(Wazuh clusters with Cross-Cluster) is good solution but can I backup alerts and logs from every customer Cluster in my CCS environment?

четверг, 6 февраля 2025 г. в 11:40:14 UTC+5, Md. Nazmur Sakib:

[Md. Nazmur Sakib]

Yes, you can backup alerts and logs from every customer Cluster from your CCS environment.

I will not exactly suggest keeping the alerts in the CSS server instead I will suggest you to keep the backup in a separate server as a snapshot. Check this document:

https://documentation.wazuh.com/current/user-manual/wazuh-indexer/migrating-wazuh-indices.html

Configure snapshots to back up your alerts.
Further, you can restore those alerts from the snapshots based on your need.

You can use ILM to automate your data lifecycle management:
https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/index-lifecycle-management.html


Let me know if you need any further information.

[jonh]

Thx, Im trying CCS architecture but have problem with index patern i guess, I dont have alerts from cluster A on my CCS dashboard and when I and when I specify the default index pattern i got 2 *:wazuh-alerts-* instead of one

пятница, 7 февраля 2025 г. в 11:43:25 UTC+5, Md. Nazmur Sakib:

[jonh]

and 1 more thing, should i install manager on CCS cluster, maybe thats the problem

понедельник, 10 февраля 2025 г. в 17:37:12 UTC+5, jonh:

[Md. Nazmur Sakib]

Sorry for the late response. There is no need to add a Wazuh manager to the CSS cluster. You can check the




Can you check if indices are created on your cluster A



Now change the Wazuh indexer name highlighted to match the cluster being tested.

GET ca-wazuh-indexer-1:wazuh-alerts-*/_search

Now, your index should look like this
ca-wazuh-indexer-1:wazuh-alerts-4.x-2024.08.25

For the other site, you can name it like this
cb-wazuh-indexer-

Next, configure the index pattern following this section
Configure the wazuh-alerts-* index pattern of this doc
https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/

Let me know if you need any further assistance.