Adding a Wazuh server node
The Wazuh server collects and analyzes security-related events, performs log analysis, and provides real-time threat detection, incident response, and compliance management capabilities.
By adding a new node to a Wazuh server cluster, you can distribute the workload and improve the scalability and resilience of your security monitoring infrastructure. It allows for better handling of a larger number of agents and provides redundancy in case of node failures.
The upscale process involves creating certificates necessary for installation, followed by configuring existing components to establish connections with the new Wazuh server node(s). Then installing and configuring the new Wazuh server node(s), and finally testing the cluster to ensure the new nodes have joined.
We have organized the steps for upscaling the Wazuh server into two subsections: one for an all-in-one deployment and the other for a distributed deployment. Your choice between these methods depends on your existing deployment and the infrastructure you aim to upscale.
All-in-one deployment:
If you have Wazuh all-in-one configuration, follow the steps outlined in the "All-in-one deployment" subsections to upscale your Wazuh server.
Distributed deployment:
For an existing distributed deployment, refer to the "Distributed deployment" subsections to upscale your Wazuh server.
Ensure you select the appropriate sub-section based on your existing deployment. If you are unsure which method aligns with your infrastructure, consider reviewing your deployment architecture before proceeding.
Note
You need root user privileges to execute the commands below.
Certificates creation
Perform the following steps on your existing Wazuh server node to generate the certificates required for secure communication among the Wazuh central components.
All-in-one deployment
We recommend creating entirely new certificates for your Wazuh server nodes. Perform the following steps to create new certificates.
Create a
config.yml
file in the/root
directory to add the new Wazuh server node(s):# touch /root/config.yml
Edit the
/root/config.yml
file with it’s content as follows:nodes: # Wazuh indexer nodes indexer: - name: <WAZUH_INDEXER_NODE_NAME> ip: <WAZUH_INDEXER_IP> # Wazuh server nodes server: - name: <EXISTING_WAZUH_SERVER_NODE_NAME> ip: <EXISTING_WAZUH_SERVER_IP_ADDRESS> node_type: master - name: <NEW_WAZUH_SERVER_NODE_NAME> ip: <NEW_WAZUH_SERVER_IP> node_type: worker # Wazuh dashboard nodes dashboard: - name: <WAZUH_DASHBOARD_NODE_NAME> ip: <WAZUH_DASHBOARD_IP>
Replace the node names and IP values with your new node names and IP addresses.
You can assign a different
node_type
in your installation. In this documentation, we assign the master role to the existing node and the worker role to the new node.Download and run
Wazuh-certs-tool.sh
to create the certificates for the new node and recreate for the existing one:# curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh # bash wazuh-certs-tool.sh -A
Compress the certificates folder and copy it to the new Wazuh server node(s). You can make use of the
scp
utility to securely copy the compressed file:# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ . # scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP>:
This will copy the certificates to the home directory of the logged in user on the target system. You can change this to specify a path to your installation directory.
Distributed deployment
We recommend you utilize pre-existing root-ca keys to generate certificates for new nodes. Perform the steps below on your existing Wazuh server node to generate the certificates.
Create a
config.yml
file in the/root
directory to add the new Wazuh server node(s):# touch /root/config.yml
Edit the
/root/config.yml
file to include the node name and IP of the new node:nodes: # Wazuh server nodes server: - name: <EXISTING_WAZUH_SERVER_NODE_NAME> ip: <EXISTING_WAZUH_SERVER_IP_ADDRESS> node_type: master - name: <NEW_WAZUH_SERVER_NODE_NAME> ip: <NEW_WAZUH_SERVER_IP> node_type: worker
Replace the values with your node names and their corresponding IP addresses.
Extract the
wazuh-certificates.tar
file.# mkdir wazuh-install-files && tar -xf ./wazuh-certificates.tar -C wazuh-install-files
Download and run
./wazuh-certs-tool.sh
to create the certificates for the new Wazuh server node using the pre-existing root-ca keys:# curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh # bash wazuh-certs-tool.sh -A wazuh-install-files/root-ca.pem wazuh-install-files/root-ca.key
Copy the newly created certificates to the
wazuh-install-files
folder making sure not to replace the admin certificates:# cp wazuh-certificates/<NEW_WAZUH_SERVER_NODE_NAME>* wazuh-install-files # cp wazuh-certificates/<EXISTING_WAZUH_SERVER_NODE_NAME>* wazuh-install-files
Note
If the pre-existing root-ca keys have been deleted or if for some reason you are not able to access them, you can proceed to create new certificates for all the nodes as follows:
Create the
/root/config.yml
file to reference all your nodesnodes: # Wazuh indexer nodes indexer: - name: <WAZUH_INDEXER_NODE_NAME> ip: <WAZUH_INDEXER_IP> # Wazuh server nodes server: - name: <EXISTING_WAZUH_SERVER_NODE_NAME> ip: <EXISTING_WAZUH_SERVER_IP_ADDRESS> node_type: master - name: <NEW_WAZUH_SERVER_NODE_NAME> ip: <NEW_WAZUH_SERVER_IP> node_type: worker # Wazuh dashboard nodes dashboard: - name: <WAZUH_DASHBOARD_NODE_NAME> ip: <WAZUH_DASHBOARD_IP>
Execute the
wazuh-certs-tool.sh
script to create the certificates.# curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh # bash wazuh-certs-tool.sh -A
Compress the certificates folder and copy it to the new Wazuh indexer node(s). You can make use of the
scp
utility to securely copy the compressed file:# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ . # scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP>:
This will copy the certificates to the home directory of the logged in user on the target system. You can change this to specify a path to your installation directory.
Compress the certificates folder into a new
wazuh-certificates.tar
file and copy it to the new Wazuh server node(s). You can make use of thescp
utility to securely copy the compressed file:# tar -cvf ./wazuh-certificates.tar -C ./wazuh-install-files/ . # scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP>:
This will copy the certificates to the home directory of the logged in user on the target system. You can change this to specify a path to your installation directory.
Configuring existing components to connect with the new node
All-in-one deployment
Create a file,
env_variables.sh
, in the/root
directory of the existing node where you define your environmental variables as follows:export NODE_NAME1=<WAZUH_INDEXER_NODE_NAME> export NODE_NAME2=<EXISTING_WAZUH_SERVER_NODE_NAME> export NODE_NAME3=<WAZUH_DASHBOARD_NODE_NAME>
Replace
<WAZUH_INDEXER_NODE_NAME>
,<EXISTING_WAZUH_SERVER_NODE_NAME>
,<WAZUH_DASHBOARD_NODE_NAME>
with the names of the Wazuh indexer, Wazuh server and Wazuh dashboard nodes respectively as defined in/root/config.yml
.Create a
deploy-certificates.sh
script in the/root
directory and paste the following to it:#!/bin/bash # Source the environmental variables from the external file source ~/env_variables.sh rm -rf /etc/wazuh-indexer/certs mkdir /etc/wazuh-indexer/certs tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME1.pem ./$NODE_NAME1-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem mv -n /etc/wazuh-indexer/certs/$NODE_NAME1.pem /etc/wazuh-indexer/certs/wazuh-indexer.pem mv -n /etc/wazuh-indexer/certs/$NODE_NAME1-key.pem /etc/wazuh-indexer/certs/wazuh-indexer-key.pem chmod 500 /etc/wazuh-indexer/certs chmod 400 /etc/wazuh-indexer/certs/* chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs rm -rf /etc/filebeat/certs mkdir /etc/filebeat/certs tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME2.pem ./$NODE_NAME2-key.pem ./root-ca.pem mv -n /etc/filebeat/certs/$NODE_NAME2.pem /etc/filebeat/certs/wazuh-server.pem mv -n /etc/filebeat/certs/$NODE_NAME2-key.pem /etc/filebeat/certs/wazuh-server-key.pem chmod 500 /etc/filebeat/certs chmod 400 /etc/filebeat/certs/* chown -R root:root /etc/filebeat/certs rm -rf /etc/wazuh-dashboard/certs mkdir /etc/wazuh-dashboard/certs tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME3.pem ./$NODE_NAME3-key.pem ./root-ca.pem mv -n /etc/wazuh-dashboard/certs/$NODE_NAME3.pem /etc/wazuh-dashboard/certs/wazuh-dashboard.pem mv -n /etc/wazuh-dashboard/certs/$NODE_NAME3-key.pem /etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem chmod 500 /etc/wazuh-dashboard/certs chmod 400 /etc/wazuh-dashboard/certs/* chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
Deploy the certificates by executing the following command:
# bash /root/deploy-certificates.sh
This deploys the SSL certificates to encrypt communications between the Wazuh central components.
Recommended action: If no other Wazuh components are going to be installed on this node, remove the
wazuh-certificates.tar
file by running the command below to increase security. Alternatively, save a copy offline for potential future use and scalability:# rm -rf ./wazuh-certificates # rm -f ./wazuh-certificates.tar
Edit the Wazuh indexer configuration file at
/etc/wazuh-indexer/opensearch.yml
to specify the indexer’s IP address as mentioned in/root/config.yml
file:network.host: "<WAZUH_INDEXER_IP>" node.name: "<WAZUH_INDEXER_NODE_NAME>" cluster.initial_master_nodes: - "<WAZUH_INDEXER_NODE_NAME>"
Edit the Filebeat configuration file
/etc/filebeat/filebeat.yml
to specify the indexer’s IP address:output.elasticsearchhosts: - <WAZUH_INDEXER_IP>:9200
Note
The structure of this section will vary based on whether you completed your installation using the Quickstart script or the step-by-step guide. Here we used the quickstart script.
Generate an encryption key that will be used to encrypt communication between the cluster nodes:
# openssl rand -hex 16
Save the output of the above command as it will be used later to configure cluster mode on both Wazuh server nodes.
Edit the configuration file
/etc/wazuh-dashboard/opensearch_dashboards.yml
to include connection details for the indexer node:opensearch.hosts: https://<WAZUH_INDEXER_IP>:9200
Edit the
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
file and replace theurl
value with the IP address or hostname of the Wazuh server master node:hosts: - default: url: https://<EXISTING_WAZUH_SERVER_IP_ADDRESS> port: 55000 username: wazuh-wui password: <WAZUH_WUI_PASSWORD> run_as: false
Edit the Wazuh server configuration file at
/var/ossec/etc/ossec.conf
to enable cluster mode:<cluster> <name>wazuh</name> <node_name><EXISTING_WAZUH_SERVER_NODE_NAME></node_name> <node_type>master</node_type> <key><ENCRYPTION_KEY></key> <port>1516</port> <bind_addr>0.0.0.0</bind_addr> <nodes> <node><MASTER_NODE_IP_ADDRESS></node> </nodes> <hidden>no</hidden> <disabled>no</disabled> </cluster>
The configurable fields in the above section of the
ossec.conf
file are as follows:name indicates the name of the cluster.
node_name indicates the name of the current node. Replace
<EXISTING_WAZUH_SERVER_NODE_NAME>
with name as specified in the/root/config.yml
file.node_type specifies the role of the node. It has to be set to
master
.key represents a key used to encrypt communication between cluster nodes. It should be the same on all the server nodes. To generate a unique key you can use the command
openssl rand -hex 16
.port indicates the destination port for cluster communication. Leave the default as
1516
.bind_addr is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 means the node will use any IP).
nodes is the address of the master node and can be either an IP or a DNS hostname. This parameter must be specified in all nodes, including the master itself. Replace
<MASTER_NODE_IP_ADDRESS>
with the IP address of your master node.hidden shows or hides the cluster information in the generated alerts.
disabled indicates whether the node is enabled or disabled in the cluster. This option must be set to
no
.
Restart the Wazuh services to apply the changes.
# systemctl restart wazuh-indexer # systemctl restart filebeat # systemctl restart wazuh-manager # systemctl restart wazuh-dashboard
# service wazuh-indexer restart # service filebeat restart # service wazuh-manager restart # service wazuh-dashboard restart
Distributed deployment
Deploy the Wazuh server certificates on your existing nodes by running the following commands replacing
<EXISTING_WAZUH_SERVER_NODE_NAME>
with the name of the Wazuh server node you are configuring as defined in/root/config.yml
.# NODE_NAME=<EXISTING_WAZUH_SERVER_NODE_NAME>
# rm -rf /etc/filebeat/certs # mkdir /etc/filebeat/certs # tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem # mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem # mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem # chmod 500 /etc/filebeat/certs # chmod 400 /etc/filebeat/certs/* # chown -R root:root /etc/filebeat/certs
Note
You’ll also have to re-deploy certificates on all your existing Wazuh node(s) if they were recreated as recommended in the note above.
Run the following commands on each of your nodes to deploy the certificates:
On Wazuh indexer node(s):
# NODE_NAME=<WAZUH_INDEXER_NODE_NAME>
# rm -rf /etc/wazuh-indexer/certs # mkdir /etc/wazuh-indexer/certs # tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem # mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem # mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem # chmod 500 /etc/wazuh-indexer/certs # chmod 400 /etc/wazuh-indexer/certs/* # chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
On Wazuh dashboard node:
# NODE_NAME=<WAZUH_DASHBOARD_NODE_NAME>
# rm -rf /etc/wazuh-dashboard/certs # mkdir /etc/wazuh-dashboard/certs # tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem # mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/wazuh-dashboard.pem # mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem # chmod 500 /etc/wazuh-dashboard/certs # chmod 400 /etc/wazuh-dashboard/certs/* # chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
Recommended action: If no other Wazuh components are going to be installed on this node, remove the
wazuh-certificates.tar
file by running the command below to increase security. Alternatively, save a copy offline for potential future use and scalability:# rm -f ./wazuh-certificates.tar
Edit the Wazuh indexer configuration file at
/etc/wazuh-indexer/opensearch.yml
to specify the indexer’s IP address as specified in the/root/config.yml
file:network.host: "<WAZUH_INDEXER_IP>" node.name: "<WAZUH_INDEXER_NODE_NAME>" cluster.initial_master_nodes: - "<WAZUH_INDEXER_NODE_NAME>"
Edit the Filebeat configuration file
/etc/filebeat/filebeat.yml
(located in the Wazuh server node) to specify the indexer’s IP address:output.elasticsearchhosts: - <WAZUH_INDEXER_IP>:9200
Note
The structure of this section will vary depending on if you did your installation using the Quickstart script or the step-by-step guide. Here we used the quickstart script.
Generate an encryption key that will be used to encrypt communication between the cluster nodes:
# openssl rand -hex 16
Save the output of the above command as it will be used later to configure cluster mode on both Wazuh server nodes.
Edit the configuration file
/etc/wazuh-dashboard/opensearch_dashboards.yml
to include the indexer node’s IP:opensearch.hosts: https://<WAZUH_INDEXER_IP>:9200
Edit the
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
file located in the Wazuh dashboard node and replace the url value with the IP address or hostname of the Wazuh server master node:hosts: - default: url: https://<EXISTING_WAZUH_SERVER_IP_ADDRESS> port: 55000 username: wazuh-wui password: <WAZUH_WUI_PASSWORD> run_as: false
Edit the Wazuh server configuration file at
/var/ossec/etc/ossec.conf
to enable cluster mode:<cluster> <name>wazuh</name> <node_name><EXISTING_WAZUH_SERVER_NODE_NAME></node_name> <node_type>master</node_type> <key><ENCRYPTION_KEY></key> <port>1516</port> <bind_addr>0.0.0.0</bind_addr> <nodes> <node><MASTER_NODE_IP_ADDRESS></node> </nodes> <hidden>no</hidden> <disabled>no</disabled> </cluster>
The configurable fields in the above section of the
ossec.conf
file are as follows:name indicates the name of the cluster.
node_name indicates the name of the current node. Replace
<EXISTING_WAZUH_SERVER_NODE_NAME>
with name as specified in the/root/config.yml
file.node_type specifies the role of the node. It has to be set to
master
.key represents a key used to encrypt communication between cluster nodes. It should be the same on all the server nodes. To generate a unique key you can use the command
openssl rand -hex 16
.port indicates the destination port for cluster communication. Leave the default as
1516
.bind_addr is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 means the node will use any IP).
nodes is the address of the master node and can be either an IP or a DNS hostname. This parameter must be specified in all nodes, including the master itself. Replace
<MASTER_NODE_IP_ADDRESS>
with the IP address of your master node.hidden shows or hides the cluster information in the generated alerts.
disabled indicates whether the node is enabled or disabled in the cluster. This option must be set to
no
.
Run the following commands on your respective nodes to apply the changes.
Wazuh indexer node
# systemctl restart wazuh-indexer
# service wazuh-indexer restart
Wazuh server node
# systemctl restart filebeat # systemctl restart wazuh-manager
# service filebeat restart # service wazuh-manager restart
Wazuh dashboard node
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Wazuh server node(s) installation
Once the certificates have been created and copied to the new node(s), you can now proceed with installing and configuring the Wazuh server node.
Adding the Wazuh repository
Import the GPG key.
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository.
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
Install the following packages if missing.
# apt-get install gnupg apt-transport-https
Install the GPG key.
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository.
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the packages information.
# apt-get update
Installing the Wazuh manager
Install the Wazuh manager package.
# yum -y install wazuh-manager-4.7.5-1
# apt-get -y install wazuh-manager=4.7.5-1
Enable and start the Wazuh manager service.
# systemctl daemon-reload # systemctl enable wazuh-manager # systemctl start wazuh-manager
Choose one option according to your operating system:
RPM-based operating system:
# chkconfig --add wazuh-manager # service wazuh-manager start
Debian-based operating system:
# update-rc.d wazuh-manager defaults 95 10 # service wazuh-manager start
Check the Wazuh manager status to ensure it is up and running.
# systemctl status wazuh-manager
# service wazuh-manager status
Install and configure Filebeat
Install the Filebeat package.
# yum -y install filebeat
# apt-get -y install filebeat
Download the preconfigured Filebeat configuration file:
# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml
Edit the
/etc/filebeat/filebeat.yml
configuration file and replace the following value:hosts
which represents the list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames. By default, the host is set to localhosthosts: ["127.0.0.1:9200"]
. Replace it with your Wazuh indexer IP address accordingly.If you have more than one Wazuh indexer node, you can separate the addresses using commas. For example,
hosts: ["10.0.0.1:9200", "10.0.0.2:9200", "10.0.0.3:9200"]
:# Wazuh - Filebeat configuration file output.elasticsearch: hosts: <WAZUH_INDEXER_IP>:9200 protocol: https
Create a Filebeat keystore to securely store authentication credentials:
# filebeat keystore create
Add the admin user and password to the secrets keystore:
# echo admin | filebeat keystore add username --stdin --force # echo <ADMIN_PASSWORD> | filebeat keystore add password --stdin --force
In case you are running an all-in-one deployment and using the default admin password, you could get it by running the following command:
# sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
Download the alerts template for the Wazuh indexer:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.7/extensions/elasticsearch/7.x/wazuh-template.json # chmod go+r /etc/filebeat/wazuh-template.json
Install the Wazuh module for Filebeat:
# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module
Deploying certificates
Run the following commands in the directory where the
wazuh-certificates.tar
file was copied to, replacing<NEW_WAZUH_SERVER_NODE_NAME>
with the name of the Wazuh server node you are configuring as defined in/root/config.yml
. This deploys the SSL certificates to encrypt communications between the Wazuh central components:Create an environment variable to store the node name
NODE_NAME=<NEW_WAZUH_SERVER_NODE_NAME>
Deploy the certificates
# mkdir /etc/filebeat/certs # tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem # mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem # mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem # chmod 500 /etc/filebeat/certs # chmod 400 /etc/filebeat/certs/* #chown -R root:root /etc/filebeat/certs
Starting the service
# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat
Choose one option according to the operating system used.
RPM-based operating system:
# chkconfig --add filebeat # service filebeat start
Debian-based operating system:
# update-rc.d filebeat defaults 95 10 # service filebeat start
Run the following command to verify that Filebeat is successfully installed:
# filebeat test output
An example output is shown below:
elasticsearch: https://10.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 10.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2
Configuring the Wazuh server worker nodes
Configure the Wazuh server worker node to enable cluster mode by editing the following settings in the
/var/ossec/etc/ossec.conf
file:<cluster> <name>wazuh</name> <node_name><NEW_WAZUH_SERVER_NODE_NAME></node_name> <node_type>worker</node_type> <key><ENCRYPTION_KEY></key> <port>1516</port> <bind_addr>0.0.0.0</bind_addr> <nodes> <node><MASTER_NODE_IP_ADDRESS></node> </nodes> <hidden>no</hidden> <disabled>no</disabled> </cluster>
The configurable fields in the above section of the
ossec.conf
file are as follows:name indicates the name of the cluster.
node_name indicates the name of the current node. Replace
<EXISTING_WAZUH_SERVER_NODE_NAME>
with name as specified in the/root/config.yml
file.node_type specifies the role of the node. It has to be set to
master
.key represents a key used to encrypt communication between cluster nodes. It should be the same on all the server nodes. To generate a unique key you can use the command
openssl rand -hex 16
.port indicates the destination port for cluster communication. Leave the default as
1516
.bind_addr is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 means the node will use any IP).
nodes is the address of the master node and can be either an IP or a DNS hostname. This parameter must be specified in all nodes, including the master itself. Replace
<MASTER_NODE_IP_ADDRESS>
with the IP address of your master node.hidden shows or hides the cluster information in the generated alerts.
disabled indicates whether the node is enabled or disabled in the cluster. This option must be set to
no
.
Restart the Wazuh manager service.
# systemctl restart wazuh-manager
# service wazuh-manager restart
Testing the cluster
Now that the installation and configuration is completed, you can proceed with testing your cluster to ensure that the new server node has indeed joined. Two possible ways of doing this:
Using the cluster control tool
Verify that the Wazuh cluster is enabled and all the nodes are connected by executing the following command on any of the Wazuh server nodes:
# /var/ossec/bin/cluster_control -l
A sample output of the command:
Output
NAME TYPE VERSION ADDRESS
wazuh-server-1 master 4.7.2 10.0.0.1
wazuh-server-2 worker 4.7.2 10.0.0.2
Note that 10.0.0.1
, 10.0.0.2
are example IP addresses.
Using the Wazuh API console
You can also check your new Wazuh cluster by using the API console accessible via the Wazuh dashboard.
Access the Wazuh dashboard, using the credentials as below:
URL:
https://<WAZUH_DASHBOARD_IP>
Username:
admin
Password:
<ADMIN_PASSWORD>
oradmin
in case you already have a distributed architecture and using the default password.
Navigate to Tools and select API Console. On the console, run the query below:
GET /cluster/healthcheck
This query will display a global status of your Wazuh server cluster with the following information for each node:
Name
indicates the name of the server node.Type
indicates the role assigned to a node(Master or Worker).Version
indicates the version of the Wazuh-manager service running on the node.IP
is the IP address of the node.n_active_agents
indicates the number of active agents connected to the node.
Having completed these steps, the Wazuh infrastructure has been successfully scaled up, and the new server nodes have been integrated into the cluster.
If you want to uninstall the Wazuh server, see Uninstall the Wazuh server documentation.