About wazuh's cluster structure

[Keisuke Moriai]

Dear Wazuh Team,

I would like to know about the cluster structure of wazuh.

For example, suppose we have two wazuh servers (master and worker) and several wazuh agents, and the wazuh servers are configured in a cluster.

In the agent, the above two wazuh servers are specified in the configuration file.

In such a configuration, the agent recognizes that it will try to connect to the worker when the master server stops functioning due to failure or other reasons.

Considering the possibility that this function may malfunction and the agent may connect to the worker even though there is no failure, we would like to check which agent is connected to which agent by executing commands from the wazuh server.

For example, I think it is possible to check which agent is connected to which wazuh server by checking the ossec.log of all agents, but I would like to check which agent is connected to which wazuh server by operating the wazuh server without operating the agent if possible.

If you know how to do this, I would like to know.

Sorry for my poor English, but thank you in advance.

[Rolly Davany Mougoue Kakanou]

Hello Keisuke and thanks for using Wazuh,

It is actually possible to query the agent list(Connected or available agents) directly from your server node by using the following commands:

- To retrieve a list of available agents, run /var/ossec/bin/agent_control -l on your wazuh server. This will display on output your agents with their corresponding ID, Name, IP, and Status(Active, Never Connected or Disconnected)
- If interested only in active agents, run the command /var/ossec/bin/manage_agents -l on the server. It will display the list of active agents with their ID, Name, and IP.

Hope this answers your question, feel free to revert if any other inquiries.

Regards,

[Keisuke Moriai]

Thank you for your prompt response.

I would like to confirm something.
I am aware that the commands you have provided cannot be executed from the worker, is this correct?

I am sorry that this is different from the case I mentioned earlier, but if it is possible to confirm that the agent is connected to the worker when the master is down by manipulating the worker, I would like to know how to do that as well.

2023年5月18日木曜日 16:10:51 UTC+9 Rolly Davany Mougoue Kakanou:

[Rolly Davany Mougoue Kakanou]

Hey,

Actually there is a possibility of getting all agents connected to a cluster or to a particular worker node but I thought this works if the master is down. To give it a try run the following commands on the worker node:

- /var/ossec/bin/cluster_control -a to Get all agents

- /var/ossec/bin/cluster_control -a -fn <worker_name>  to Get all agents reporting to a particular worker node

Will be waiting on your feedback.

Regards,

[Keisuke Moriai]

Thank you very much.

The commands you gave me will certainly help.
However, when I run it from the worker node when the master node is down, I get the following error

- ERROR: Error 3023 - Worker node is not connected to master

Is there any way to avoid this in this configuration due to the specifications?

2023年5月18日木曜日 19:02:34 UTC+9 Rolly Davany Mougoue Kakanou:

[Keisuke Moriai]

I'm sorry to keep contacting you.

I live in Japan, so I apologize if you are still on holiday due to the time difference, but have you been able to check on this matter?

Thank you very much for your continued support.

2023年5月19日金曜日 11:22:51 UTC+9 Keisuke Moriai:

[Rolly Davany Mougoue Kakanou]

Hi Keisuke, and sorry for the delay.

So as explained earlier in a multi-node architecture with master and worker servers, the worker greatly depends on the availability of the master. If for some reason the master is down, you won't be able to get information on your cluster since they are stored and synced with the worker from the master.

To answer your question unfortunately for now you can't get the list of connected agents if the master node is down. Since it won't be able to query the agent db on master. For more reading on the master-worker architecture, you can go through the following documentation.

Regards,

[Keisuke Moriai]

Hi Rolly,

Thank you for the detailed information.

It seems that when the master is down, the information available from the worker is quite limited.

If the master is down, would it be best practice to check each agent's ossec.log, etc. to see which wazuh-server it is connected to?
Other than that, I think it depends on the configuration, but if you have any suggestions on how to do this, I would appreciate it.

By the way, I am assuming that I will not be using the GUI in my environment this time.

2023年5月22日月曜日 17:42:22 UTC+9 Rolly Davany Mougoue Kakanou:

[Keisuke Moriai]

Sorry for repeating the question, but I have an additional question about the above.

I assumed that we would check the currently connected wazuh-manager by monitoring the agent's ossec.log, but is it possible to check which wazuh-manager is currently connected by executing a command on the agent?

If so, I would like to know the commands so that I can introduce monitoring using command monitoring, etc. if possible.

2023年5月23日火曜日 16:35:38 UTC+9 Keisuke Moriai:

[Rolly Davany Mougoue Kakanou]

Hi Keisuke,

So as explained earlier, the master node manages agent enrolment and registration. But in case needed yes you can test connectivity between the agent and a server from the agent by running the command `netstat -vatunp|grep wazuh-agentd`.
This will output the agents ip and the server node's IP to which it is connected. In this way, you could say to which of your servers a given agent is connected.

NOTE: This only works if the agent is enrolled and online.

Hope this answers your question and do not hesitate if any other.

Regards