Wazuh Multi Clients
11 views
Skip to first unread message
Brenno Garcia
Apr 10, 2026, 10:07:46 AM (4 days ago) Apr 10
to Wazuh | Mailing List
Hello,
What would be the best approaches for multi-client management in Wazuh?
For example, creating agent groups, creating a label = "group name", creating a user that only looks at that label, and duplicating all custom rules to apply only to the agent group (example: <field name="hostname">SRV-Client2) and keeping them in separate indexes?
Or, for example, for each client, creating a Wazuh Docker stack, allowing the rules to be maintained without the need for hostname verification, without needing to segregate indexes and users, leaving that Wazuh only for that client, in a cleaner way?
Or some other way that I haven't mentioned here?
What would be the best approaches for multi-client management in Wazuh?
For example, creating agent groups, creating a label = "group name", creating a user that only looks at that label, and duplicating all custom rules to apply only to the agent group (example: <field name="hostname">SRV-Client2) and keeping them in separate indexes?
Or, for example, for each client, creating a Wazuh Docker stack, allowing the rules to be maintained without the need for hostname verification, without needing to segregate indexes and users, leaving that Wazuh only for that client, in a cleaner way?
Or some other way that I haven't mentioned here?
Olamilekan Abdullateef Ajani
Apr 10, 2026, 10:36:47 AM (4 days ago) Apr 10
to Wazuh | Mailing List
Hello,
For a multi-client management approach, which is also an MSSP-style setup, separating stacks per client is usually the best long-term design. Especially if you have a large customer base or are planning to grow big.
When you need separation between clients: separate rules, separate users, separate dashboards, separate upgrades, and no risk of one client seeing another client’s data because they are fully isolated. Then you can have cross-cluster search layered on this, which allows alerts from remote Wazuh clusters to be queried and viewed at a centralized location without compromising the confidentiality and integrity of the data.
This is what I would recommend for your use case.
Ref:
https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/
When you need separation between clients: separate rules, separate users, separate dashboards, separate upgrades, and no risk of one client seeing another client’s data because they are fully isolated. Then you can have cross-cluster search layered on this, which allows alerts from remote Wazuh clusters to be queried and viewed at a centralized location without compromising the confidentiality and integrity of the data.
This is what I would recommend for your use case.
Ref:
https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/
Brenno Garcia
3:31 AM (4 hours ago) 3:31 AM
to Wazuh | Mailing List
Hello,
Thank you,
In this case, for each client, will a new single-node Docker stack be necessary, for example?
Do I need to change the ports? Because ports 443-1514-1515-9200-55000 will be NATed for the main container, so the new stacks will need to have different NATs?
Thank you,
In this case, for each client, will a new single-node Docker stack be necessary, for example?
Do I need to change the ports? Because ports 443-1514-1515-9200-55000 will be NATed for the main container, so the new stacks will need to have different NATs?
Such as external 443 pointing to stack1 (internal port 443) and external 10443 pointing to stack2 (internal port 443)
Reply all
Reply to author
Forward
0 new messages