wazuh manager master/worker nodes


Marco Siekmann

Nov 7, 2023, 10:13:57 AM
to Wazuh | Mailing List
Hello,

I am currently trying to scale our infrastructure for a Wazuh manager cluster.

When reading the guide here: https://documentation.wazuh.com/current/user-manual/configuring-cluster/basics.html it is difficult for me to understand what exactly a worker does.
Does the worker apply the Wazuh decoders and rules for the connected agents, or is this done only on the master node? Does it only serve as the connection endpoint and as a communication bridge to the master?
What happens if the master is off due to an upgrade or other maintenance?

Thanks for your help.

Marco

Juan Cabrera

Nov 8, 2023, 11:50:48 AM
to Wazuh | Mailing List
Hello Marco,

The Wazuh cluster plays a crucial role in maintaining synchronization between the master and its worker nodes. In essence, any modifications made to decoders, rules, or lists on the master are automatically propagated to the workers, ensuring that they mirror the exact content of the master. Consequently, even if the master node becomes unavailable, the workers remain fully operational, capable of receiving events and generating alerts.

However, during the period when the master is offline, certain functions are temporarily compromised. Specifically, the ability to synchronize new changes and perform centralized tasks, such as creating groups or modifying group configurations, becomes unavailable. Additionally, using the API is not possible for obvious reasons, resulting in limitations, such as the dashboard being unable to access Wazuh information or perform tasks like restarting agents or managers.

Nonetheless, it's important to note that the cluster continues to function, allowing the querying of all newly indexed alerts originating from the worker nodes, ensuring the ongoing monitoring and detection of security events.

Regards!