Wazuh Multi Clients
38 views
Skip to first unread message
Brenno Garcia
Apr 10, 2026, 10:07:46 AMApr 10
to Wazuh | Mailing List
Hello,
What would be the best approaches for multi-client management in Wazuh?
For example, creating agent groups, creating a label = "group name", creating a user that only looks at that label, and duplicating all custom rules to apply only to the agent group (example: <field name="hostname">SRV-Client2) and keeping them in separate indexes?
Or, for example, for each client, creating a Wazuh Docker stack, allowing the rules to be maintained without the need for hostname verification, without needing to segregate indexes and users, leaving that Wazuh only for that client, in a cleaner way?
Or some other way that I haven't mentioned here?
What would be the best approaches for multi-client management in Wazuh?
For example, creating agent groups, creating a label = "group name", creating a user that only looks at that label, and duplicating all custom rules to apply only to the agent group (example: <field name="hostname">SRV-Client2) and keeping them in separate indexes?
Or, for example, for each client, creating a Wazuh Docker stack, allowing the rules to be maintained without the need for hostname verification, without needing to segregate indexes and users, leaving that Wazuh only for that client, in a cleaner way?
Or some other way that I haven't mentioned here?
Olamilekan Abdullateef Ajani
Apr 10, 2026, 10:36:47 AMApr 10
to Wazuh | Mailing List
Hello,
For a multi-client management approach, which is also an MSSP-style setup, separating stacks per client is usually the best long-term design. Especially if you have a large customer base or are planning to grow big.
When you need separation between clients: separate rules, separate users, separate dashboards, separate upgrades, and no risk of one client seeing another client’s data because they are fully isolated. Then you can have cross-cluster search layered on this, which allows alerts from remote Wazuh clusters to be queried and viewed at a centralized location without compromising the confidentiality and integrity of the data.
This is what I would recommend for your use case.
Ref:
https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/
When you need separation between clients: separate rules, separate users, separate dashboards, separate upgrades, and no risk of one client seeing another client’s data because they are fully isolated. Then you can have cross-cluster search layered on this, which allows alerts from remote Wazuh clusters to be queried and viewed at a centralized location without compromising the confidentiality and integrity of the data.
This is what I would recommend for your use case.
Ref:
https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/
Brenno Garcia
Apr 14, 2026, 3:31:24 AMApr 14
to Wazuh | Mailing List
Hello,
Thank you,
In this case, for each client, will a new single-node Docker stack be necessary, for example?
Do I need to change the ports? Because ports 443-1514-1515-9200-55000 will be NATed for the main container, so the new stacks will need to have different NATs?
Thank you,
In this case, for each client, will a new single-node Docker stack be necessary, for example?
Do I need to change the ports? Because ports 443-1514-1515-9200-55000 will be NATed for the main container, so the new stacks will need to have different NATs?
Such as external 443 pointing to stack1 (internal port 443) and external 10443 pointing to stack2 (internal port 443)
Olamilekan Abdullateef Ajani
Apr 15, 2026, 9:18:49 AMApr 15
to Wazuh | Mailing List
Hello,
Yes, a single instance will be fine, but please review the screenshot I shared if you are to go by this process. Each stack will have their complete structure and the only communication comes from indexer-to-indexer communication. Not from stack to stack as you put it. Each stack has a Wazuh server and indexer, and the main stack has an indexer and dashboard, which gives you visibility across all stacks.
That’s how the clusters talk to each other behind the scenes on port 9300.
Ref:
https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/
Reply all
Reply to author
Forward
0 new messages