Adding a Wazuh server node

The Wazuh server collects and analyzes security-related events, performs log analysis, and provides real-time threat detection, incident response, and compliance management capabilities.

By adding a new node to a Wazuh server cluster, you can distribute the workload and improve the scalability and resilience of your security monitoring infrastructure. It allows for better handling of a larger number of agents and provides redundancy in case of node failures.

The upscale process involves creating certificates necessary for installation, followed by configuring existing components to establish connections with the new Wazuh server node(s). Then installing and configuring the new Wazuh server node(s), and finally testing the cluster to ensure the new nodes have joined.

We have organized the steps for upscaling the Wazuh server into two subsections: one for an all-in-one deployment and the other for a distributed deployment. Your choice between these methods depends on your existing deployment and the infrastructure you aim to upscale.

All-in-one deployment:

If you have Wazuh all-in-one configuration, follow the steps outlined in the "All-in-one deployment" subsections to upscale your Wazuh server.
Distributed deployment:

For an existing distributed deployment, refer to the "Distributed deployment" subsections to upscale your Wazuh server.

Ensure you select the appropriate sub-section based on your existing deployment. If you are unsure which method aligns with your infrastructure, consider reviewing your deployment architecture before proceeding.

Note

You need root user privileges to execute the commands below.

Certificates creation

Perform the following steps on your existing Wazuh server node to generate the certificates required for secure communication among the Wazuh central components.

All-in-one deployment

We recommend creating entirely new certificates for your Wazuh server nodes. Perform the following steps to create new certificates.

Create a config.yml file in the /root directory to add the new Wazuh server node(s):

# touch /root/config.yml

Edit the /root/config.yml file with it’s content as follows:

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: <WAZUH_INDEXER_NODE_NAME>
      ip: <WAZUH_INDEXER_IP>

  # Wazuh server nodes
  server:
    - name: <EXISTING_WAZUH_SERVER_NODE_NAME>
      ip: <EXISTING_WAZUH_SERVER_IP_ADDRESS>
      node_type: master
    - name: <NEW_WAZUH_SERVER_NODE_NAME>
      ip: <NEW_WAZUH_SERVER_IP>
      node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: <WAZUH_DASHBOARD_NODE_NAME>
      ip: <WAZUH_DASHBOARD_IP>

Replace the node names and IP values with your new node names and IP addresses.

You can assign a different node_type in your installation. In this documentation, we assign the master role to the existing node and the worker role to the new node.

Download and run Wazuh-certs-tool.sh to create the certificates for the new node and recreate for the existing one:
```
# curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
# bash wazuh-certs-tool.sh -A
```
Compress the certificates folder and copy it to the new Wazuh server node(s). You can make use of the scp utility to securely copy the compressed file:
```
# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
# scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP>:
```

Distributed deployment

We recommend you utilize pre-existing root-ca keys to generate certificates for new nodes. Perform the steps below on your existing Wazuh server node to generate the certificates.

Create a config.yml file in the /root directory to add the new Wazuh server node(s):

# touch /root/config.yml

Edit the /root/config.yml file to include the node name and IP of the new node:

nodes:
  # Wazuh server nodes
  server:
    - name: <EXISTING_WAZUH_SERVER_NODE_NAME>
      ip: <EXISTING_WAZUH_SERVER_IP_ADDRESS>
      node_type: master
    - name: <NEW_WAZUH_SERVER_NODE_NAME>
      ip: <NEW_WAZUH_SERVER_IP>
      node_type: worker

Replace the values with your node names and their corresponding IP addresses.

Extract the wazuh-certificates.tar file.

# mkdir wazuh-install-files && tar -xf ./wazuh-certificates.tar -C wazuh-install-files

Download and run ./wazuh-certs-tool.sh to create the certificates for the new Wazuh server node using the pre-existing root-ca keys:

# curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
# bash wazuh-certs-tool.sh -A wazuh-install-files/root-ca.pem wazuh-install-files/root-ca.key

Copy the newly created certificates to the wazuh-install-files folder making sure not to replace the admin certificates:

# cp wazuh-certificates/<NEW_WAZUH_SERVER_NODE_NAME>* wazuh-install-files
# cp wazuh-certificates/<EXISTING_WAZUH_SERVER_NODE_NAME>* wazuh-install-files

Note

If the pre-existing root-ca keys have been deleted or if for some reasons you are not able to access them, you can proceed to create new certificates for all the nodes as follows:
Create the /root/config.yml file to reference all your nodes
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: <WAZUH_INDEXER_NODE_NAME>
      ip: <WAZUH_INDEXER_IP>

  # Wazuh server nodes
  server:
    - name: <EXISTING_WAZUH_SERVER_NODE_NAME>
      ip: <EXISTING_WAZUH_SERVER_IP_ADDRESS>
      node_type: master
    - name: <NEW_WAZUH_SERVER_NODE_NAME>
      ip: <NEW_WAZUH_SERVER_IP>
      node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: <WAZUH_DASHBOARD_NODE_NAME>
      ip: <WAZUH_DASHBOARD_IP>
Execute the wazuh-certs-tool.sh script to create the certificates.
# curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
# bash wazuh-certs-tool.sh -A
Compress the certificates folder and copy it to the new Wazuh indexer node(s). You can make use of the scp utility to securely copy the compressed file:
# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
# scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP>:

Compress the certificates folder into a new wazuh-certificates.tar file and copy it to the new Wazuh server node(s). You can make use of the scp utility to securely copy the compressed file:
```
# tar -cvf ./wazuh-certificates.tar -C ./wazuh-install-files/ .
# scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP>:
```

Configuring existing components to connect with the new node

All-in-one deployment

Create a file, env_variables.sh, in the /root directory of the existing node where you define your environmental variables as follows:
```
export NODE_NAME1=<WAZUH_INDEXER_NODE_NAME>
export NODE_NAME2=<EXISTING_WAZUH_SERVER_NODE_NAME>
export NODE_NAME3=<WAZUH_DASHBOARD_NODE_NAME>
```
Replace <WAZUH_INDEXER_NODE_NAME>, <EXISTING_WAZUH_SERVER_NODE_NAME>, <WAZUH_DASHBOARD_NODE_NAME> with the names of the Wazuh indexer, Wazuh server and Wazuh dashboard nodes respectively as defined in /root/config.yml.

Create a deploy-certificates.sh script in the /root directory and paste the following to it:

#!/bin/bash

# Source the environmental variables from the external file
source ~/env_variables.sh

rm -rf /etc/wazuh-indexer/certs
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME1.pem ./$NODE_NAME1-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME1.pem /etc/wazuh-indexer/certs/wazuh-indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME1-key.pem /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

rm -rf /etc/filebeat/certs
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME2.pem ./$NODE_NAME2-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME2.pem /etc/filebeat/certs/wazuh-server.pem
mv -n /etc/filebeat/certs/$NODE_NAME2-key.pem /etc/filebeat/certs/wazuh-server-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

rm -rf /etc/wazuh-dashboard/certs
mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME3.pem ./$NODE_NAME3-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME3.pem /etc/wazuh-dashboard/certs/wazuh-dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME3-key.pem /etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

Deploy the certificates by executing the following command:
```
# bash /root/deploy-certificates.sh
```
This deploys the SSL certificates to encrypt communications between the Wazuh central components.

Recommended action: If no other Wazuh components are going to be installed on this node, remove the wazuh-certificates.tar file by running the command below to increase security. Alternatively, save a copy offline for potential future use and scalability:
```
# rm -rf ./wazuh-certificates
# rm -f ./wazuh-certificates.tar
```
Edit the Wazuh indexer configuration file at /etc/wazuh-indexer/opensearch.yml to specify the indexer’s IP address as mentioned in /root/config.yml file:
```
network.host: "<WAZUH_INDEXER_IP>"
node.name: "<WAZUH_INDEXER_NODE_NAME>"
cluster.initial_master_nodes:
- "<WAZUH_INDEXER_NODE_NAME>"
```
Edit the filebeat configuration file /etc/filebeat/filebeat.yml to specify the indexer’s IP address:
```
output.elasticsearchhosts:
        - <WAZUH_INDEXER_IP>:9200
```
Note

The structure of this section will vary based on whether you completed your installation using the Quickstart script or the step-by-step guide. Here we used the quickstart script.
Generate an encryption key that will be used to encrypt communication between the cluster nodes:
```
# openssl rand -hex 16
```
Save the output of the above command as it will be used later to configure cluster mode on both Wazuh server nodes.
Edit the configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml to include connection details for the indexer node:
```
opensearch.hosts: https://<WAZUH_INDEXER_IP>:9200
```

Edit the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file and replace the url value with the IP address or hostname of the Wazuh server master node:

hosts:
  - default:
      url: https://<EXISTING_WAZUH_SERVER_IP_ADDRESS>
      port: 55000
      username: wazuh-wui
      password: <WAZUH_WUI_PASSWORD>
      run_as: false

Edit the Wazuh server configuration file at /var/ossec/etc/ossec.conf to enable cluster mode:
```
  <cluster>
    <name>wazuh</name>
    <node_name><EXISTING_WAZUH_SERVER_NODE_NAME></node_name>
    <node_type>master</node_type>
    <key><ENCRYPTION_KEY></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node><MASTER_NODE_IP_ADDRESS></node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
```
The configurable fields in the above section of the ossec.conf file are as follows:
- name indicates the name of the cluster.
- node_name indicates the name of the current node. Replace <EXISTING_WAZUH_SERVER_NODE_NAME> with name as specified in the /root/config.yml file.
- node_type specifies the role of the node. It has to be set to master.
- key represents a key used to encrypt communication between cluster nodes. It should be the same on all the server nodes. To generate a unique key you can use the command openssl rand -hex 16.
- port indicates the destination port for cluster communication. Leave the default as 1516.
- bind_addr is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 means the node will use any IP).
- nodes is the address of the master node and can be either an IP or a DNS hostname. This parameter must be specified in all nodes, including the master itself. Replace <MASTER_NODE_IP_ADDRESS> with the IP address of your master node.
- hidden shows or hides the cluster information in the generated alerts.
- disabled indicates whether the node is enabled or disabled in the cluster. This option must be set to no.

Restart the Wazuh services to apply the changes.

# systemctl restart wazuh-indexer
# systemctl restart filebeat
# systemctl restart wazuh-manager
# systemctl restart wazuh-dashboard

# service wazuh-indexer restart
# service filebeat restart
# service wazuh-manager restart
# service wazuh-dashboard restart

Distributed deployment

Deploy the Wazuh server certificates on your existing nodes by running the following commands replacing <EXISTING_WAZUH_SERVER_NODE_NAME> with the name of the Wazuh server node you are configuring as defined in /root/config.yml.

# NODE_NAME=<EXISTING_WAZUH_SERVER_NODE_NAME>

# rm -rf /etc/filebeat/certs
# mkdir /etc/filebeat/certs
# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
# chmod 500 /etc/filebeat/certs
# chmod 400 /etc/filebeat/certs/*
# chown -R root:root /etc/filebeat/certs

Note

You’ll also have to re-deploy certificates on all your existing Wazuh node(s) if they were recreated as recommended in the note above.

Run the following commands on each of your nodes to deploy the certificates:

On Wazuh indexer node(s):

# NODE_NAME=<WAZUH_INDEXER_NODE_NAME>

# rm -rf /etc/wazuh-indexer/certs
# mkdir /etc/wazuh-indexer/certs
# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
# chmod 500 /etc/wazuh-indexer/certs
# chmod 400 /etc/wazuh-indexer/certs/*
# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

On Wazuh dashboard node:

# NODE_NAME=<WAZUH_DASHBOARD_NODE_NAME>

# rm -rf /etc/wazuh-dashboard/certs
# mkdir /etc/wazuh-dashboard/certs
# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/wazuh-dashboard.pem
# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem
# chmod 500 /etc/wazuh-dashboard/certs
# chmod 400 /etc/wazuh-dashboard/certs/*
# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

Recommended action: If no other Wazuh components are going to be installed on this node, remove the wazuh-certificates.tar file by running the command below to increase security. Alternatively, save a copy offline for potential future use and scalability:

# rm -f ./wazuh-certificates.tar

Edit the Wazuh indexer configuration file at /etc/wazuh-indexer/opensearch.yml to specify the indexer’s IP address as specified in the /root/config.yml file:
```
network.host: "<WAZUH_INDEXER_IP>"
node.name: "<WAZUH_INDEXER_NODE_NAME>"
cluster.initial_master_nodes:
- "<WAZUH_INDEXER_NODE_NAME>"
```
Edit the filebeat configuration file /etc/filebeat/filebeat.yml (located in the Wazuh server node) to specify the indexer’s IP address:
```
output.elasticsearchhosts:
        - <WAZUH_INDEXER_IP>:9200
```
Note

The structure of this section will vary depending on if you did your installation using the Quickstart script or the step-by-step guide. Here we used the quickstart script.
Generate an encryption key that will be used to encrypt communication between the cluster nodes:
```
# openssl rand -hex 16
```
Save the output of the above command as it will be used later to configure cluster mode on both Wazuh server nodes.
Edit the configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml to include the indexer node’s IP:
```
opensearch.hosts: https://<WAZUH_INDEXER_IP>:9200
```

Edit the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file located in the Wazuh dashboard node and replace the url value with the IP address or hostname of the Wazuh server master node:

hosts:
  - default:
      url: https://<EXISTING_WAZUH_SERVER_IP_ADDRESS>
      port: 55000
      username: wazuh-wui
      password: <WAZUH_WUI_PASSWORD>
      run_as: false

Edit the Wazuh server configuration file at /var/ossec/etc/ossec.conf to enable cluster mode:
```
  <cluster>
    <name>wazuh</name>
    <node_name><EXISTING_WAZUH_SERVER_NODE_NAME></node_name>
    <node_type>master</node_type>
    <key><ENCRYPTION_KEY></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node><MASTER_NODE_IP_ADDRESS></node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
```
The configurable fields in the above section of the ossec.conf file are as follows:
- name indicates the name of the cluster.
- node_name indicates the name of the current node. Replace <EXISTING_WAZUH_SERVER_NODE_NAME> with name as specified in the /root/config.yml file.
- node_type specifies the role of the node. It has to be set to master.
- key represents a key used to encrypt communication between cluster nodes. It should be the same on all the server nodes. To generate a unique key you can use the command openssl rand -hex 16.
- port indicates the destination port for cluster communication. Leave the default as 1516.
- bind_addr is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 means the node will use any IP).
- nodes is the address of the master node and can be either an IP or a DNS hostname. This parameter must be specified in all nodes, including the master itself. Replace <MASTER_NODE_IP_ADDRESS> with the IP address of your master node.
- hidden shows or hides the cluster information in the generated alerts.
- disabled indicates whether the node is enabled or disabled in the cluster. This option must be set to no.

Run the following commands on your respective nodes to apply the changes.

Wazuh indexer node

# systemctl restart wazuh-indexer

# service wazuh-indexer restart

Wazuh server node

# systemctl restart filebeat
# systemctl restart wazuh-manager

# service filebeat restart
# service wazuh-manager restart

Wazuh dashboard node

# systemctl restart wazuh-dashboard

# service wazuh-dashboard restart

Wazuh server node(s) installation

Once the certificates have been created and copied to the new node(s), you can now proceed with installing and configuring the Wazuh server node.

Adding the Wazuh repository

Import the GPG key.

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository.

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo

Install the following packages if missing.

# apt-get install gnupg apt-transport-https

Install the GPG key.

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository.

# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the packages information.
# apt-get update

Installing the Wazuh manager

Install the Wazuh manager package.

# yum -y install wazuh-manager

# apt-get -y install wazuh-manager

Enable and start the Wazuh manager service.

# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager

Choose one option according to your operating system:

RPM-based operating system:

# chkconfig --add wazuh-manager
# service wazuh-manager start

Debian-based operating system:

# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start

Check the Wazuh manager status to ensure it is up and running.
# systemctl status wazuh-manager
# service wazuh-manager status

Install and configure filebeat

Install the Filebeat package.

# yum -y install filebeat

# apt-get -y install filebeat

Download the preconfigured Filebeat configuration file:

# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.7/tpl/wazuh/filebeat/filebeat.yml

Edit the /etc/filebeat/filebeat.yml configuration file and replace the following value:
- hosts which represents the list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames. By default, the host is set to localhost hosts: ["127.0.0.1:9200"]. Replace it with your Wazuh indexer IP address accordingly.
  
  If you have more than one Wazuh indexer node, you can separate the addresses using commas. For example, hosts: ["10.0.0.1:9200", "10.0.0.2:9200", "10.0.0.3:9200"]:
```
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: <WAZUH_INDEXER_IP>:9200
  protocol: https
```
Create a Filebeat keystore to securely store authentication credentials:
```
# filebeat keystore create
```

Add the admin user and password to the secrets keystore:

# echo admin | filebeat keystore add username --stdin --force
# echo <ADMIN_PASSWORD> | filebeat keystore add password --stdin --force

In case you are running an all-in-one deployment and using the default admin password, you could get it by running the following command:

# sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

Download the alerts template for the Wazuh indexer:

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.7/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json

Install the Wazuh module for Filebeat:

# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module

Deploying certificates

Run the following commands in the directory where the wazuh-certificates.tar file was copied to, replacing <NEW_WAZUH_SERVER_NODE_NAME> with the name of the Wazuh server node you are configuring as defined in /root/config.yml. This deploys the SSL certificates to encrypt communications between the Wazuh central components:

Create an environment variable to store the node name
```
NODE_NAME=<NEW_WAZUH_SERVER_NODE_NAME>
```

Deploy the certificates

# mkdir /etc/filebeat/certs
# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
# chmod 500 /etc/filebeat/certs
# chmod 400 /etc/filebeat/certs/*
#chown -R root:root /etc/filebeat/certs

Starting the service

# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat

Choose one option according to the operating system used.

RPM-based operating system:

# chkconfig --add filebeat
# service filebeat start

Debian-based operating system:

# update-rc.d filebeat defaults 95 10
# service filebeat start

Run the following command to verify that Filebeat is successfully installed:

# filebeat test output

An example output is shown below:

elasticsearch: https://10.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Configuring the Wazuh server worker nodes

Configure the Wazuh server worker node to enable cluster mode by editing the following settings in the /var/ossec/etc/ossec.conf file:
```
<cluster>
    <name>wazuh</name>
    <node_name><NEW_WAZUH_SERVER_NODE_NAME></node_name>
    <node_type>worker</node_type>
    <key><ENCRYPTION_KEY></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node><MASTER_NODE_IP_ADDRESS></node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
</cluster>
```
The configurable fields in the above section of the ossec.conf file are as follows:
- name indicates the name of the cluster.
- node_name indicates the name of the current node. Replace <EXISTING_WAZUH_SERVER_NODE_NAME> with name as specified in the /root/config.yml file.
- node_type specifies the role of the node. It has to be set to master.
- key represents a key used to encrypt communication between cluster nodes. It should be the same on all the server nodes. To generate a unique key you can use the command openssl rand -hex 16.
- port indicates the destination port for cluster communication. Leave the default as 1516.
- bind_addr is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 means the node will use any IP).
- nodes is the address of the master node and can be either an IP or a DNS hostname. This parameter must be specified in all nodes, including the master itself. Replace <MASTER_NODE_IP_ADDRESS> with the IP address of your master node.
- hidden shows or hides the cluster information in the generated alerts.
- disabled indicates whether the node is enabled or disabled in the cluster. This option must be set to no.

Restart the Wazuh manager service.

# systemctl restart wazuh-manager

# service wazuh-manager restart

Testing the cluster

Now that the installation and configuration is completed, you can proceed with testing your cluster to ensure that the new server node has indeed joined. Two possible ways of doing this:

Using the cluster control tool

Verify that the Wazuh cluster is enabled and all the nodes are connected by executing the following command on any of the Wazuh server nodes:

# /var/ossec/bin/cluster_control -l

A sample output of the command:

Output
NAME             TYPE    VERSION  ADDRESS
wazuh-server-1   master  4.7.2    10.0.0.1
wazuh-server-2   worker  4.7.2    10.0.0.2

Note that 10.0.0.1, 10.0.0.2 are example IP addresses.

Using the Wazuh API console

You can also check your new Wazuh cluster by using the API console accessible via the Wazuh dashboard.

Access the Wazuh dashboard, using the credentials as below:

URL: https://<WAZUH_DASHBOARD_IP>
Username: admin
Password: <ADMIN_PASSWORD> or admin in case you already have a distributed architecture and using the default password.

Navigate to Tools and select API Console. On the console, run the query below:

GET /cluster/healthcheck

Wazuh server cluster health check API call

This query will display a global status of your Wazuh server cluster with the following information for each node:

Name indicates the name of the server node.
Type indicates the role assigned to a node(Master or Worker).
Version indicates the version of the Wazuh-manager service running on the node.
IP is the IP address of the node.
n_active_agents indicates the number of active agents connected to the node.

Having completed these steps, the Wazuh infrastructure has been successfully scaled up, and the new server nodes have been integrated into the cluster.

If you want to uninstall the Wazuh server, see Uninstall the Wazuh server documentation.