Wazun Indexer Cluster
87 views
Skip to first unread message
Sergey S
Apr 21, 2023, 9:52:19 AM4/21/23
to Wazuh mailing list
Hello.
We plan to deploy Wazuh in cluster mode. With Wazuh manager (worker - master) everything is clear. But I didn't find any detail information about Wazuh Indexer Cluster in Wazuh docs.
What is components roles (data, master)? How to specify them right?
What is components roles (data, master)? How to specify them right?
Find this open issue about documentation: https://github.com/wazuh/wazuh-documentation/issues/5290
Is following Opensearch docs in this question will be enough? https://opensearch.org/docs/latest/tuning-your-cluster/cluster/
Thanks in advance
Eli Josue Rodriguez
Apr 21, 2023, 6:11:25 PM4/21/23
to Wazuh mailing list
Hello Sergey, thanks for use Wazuh! To create a cluster you can follow the guide: https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html
In the "Certificates Section" you must put the info (IP Addres and Name) for each node that you want to add to the cluster, you must deploy these certificates in all nodes, please make sure to put the right information because this make communication works between them (https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html#certificates-creation). Keep following the guide and in the "Configuring the Wazuh indexer" step (https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html#configuring-the-wazuh-indexer), in the network.host you must put the address 0.0.0.0 if you have multiples indexer, continue with all the next steps and you must have a successful installation for Wazuh Indexer cluster.
After that you will need to add the indexers into the filebeat configuration like explained in the following link:
https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html#configuring-filebeat.
Finally on the Wazuh dashboard configuration you need to add the Wazuh indexers. You can use the following documentation:
https://documentation.wazuh.com/current/installation-guide/wazuh-dashboard/step-by-step.html#configuring-the-wazuh-dashboard
As final result you will have multiples Wazuh indexers working on the cluster.
Please let me know if that helps you.
In the "Certificates Section" you must put the info (IP Addres and Name) for each node that you want to add to the cluster, you must deploy these certificates in all nodes, please make sure to put the right information because this make communication works between them (https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html#certificates-creation). Keep following the guide and in the "Configuring the Wazuh indexer" step (https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html#configuring-the-wazuh-indexer), in the network.host you must put the address 0.0.0.0 if you have multiples indexer, continue with all the next steps and you must have a successful installation for Wazuh Indexer cluster.
After that you will need to add the indexers into the filebeat configuration like explained in the following link:
https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html#configuring-filebeat.
Finally on the Wazuh dashboard configuration you need to add the Wazuh indexers. You can use the following documentation:
https://documentation.wazuh.com/current/installation-guide/wazuh-dashboard/step-by-step.html#configuring-the-wazuh-dashboard
As final result you will have multiples Wazuh indexers working on the cluster.
Please let me know if that helps you.
Message has been deleted
Sergey S
Apr 24, 2023, 4:47:22 AM4/24/23
to Wazuh mailing list
Thanks for you answer.
But what about indexer roles in cluster? Are there any kind of master/data nodes? Or they are equal?
суббота, 22 апреля 2023 г. в 00:11:25 UTC+2, Eli Josue Rodriguez:
Eli Josue Rodriguez
Apr 24, 2023, 3:07:09 PM4/24/23
to Wazuh mailing list
Hello mate, about the indexer roles you can follow the guide you mentioned before (https://opensearch.org/docs/latest/tuning-your-cluster/cluster/).
There it says "By default, each node is a cluster-manager-eligible, data, ingest, and coordinating node. Deciding on the number of nodes, assigning node types, and choosing the hardware for each node type depends on your use case. You must take into account factors like the amount of time you want to hold on to your data, the average size of your documents, your typical workload (indexing, searches, aggregations), your expected price-performance ratio, your risk tolerance, and so on."
The recommendation is to treat everyone equally. This will also depend on how much capacity you have in terms of resources, remember that distributing requires more resources and when forming a cluster you must have HA in each of the roles that your indexers have distributed.
Regards.
There it says "By default, each node is a cluster-manager-eligible, data, ingest, and coordinating node. Deciding on the number of nodes, assigning node types, and choosing the hardware for each node type depends on your use case. You must take into account factors like the amount of time you want to hold on to your data, the average size of your documents, your typical workload (indexing, searches, aggregations), your expected price-performance ratio, your risk tolerance, and so on."
The recommendation is to treat everyone equally. This will also depend on how much capacity you have in terms of resources, remember that distributing requires more resources and when forming a cluster you must have HA in each of the roles that your indexers have distributed.
Regards.
Sergey S
Apr 25, 2023, 4:17:14 AM4/25/23
to Wazuh mailing list
Thank you very much!
понедельник, 24 апреля 2023 г. в 21:07:09 UTC+2, Eli Josue Rodriguez:
Reply all
Reply to author
Forward
0 new messages