Wazuh indexer cluster

This section provides the following information about the Wazuh indexer cluster:

Certificates deployment

Wazuh uses certificates to establish trust and confidentiality between its central components - the Wazuh indexer, the Wazuh dashboard, and Filebeat. Certificates are deployed for new installation of Wazuh or during upscaling of Wazuh central components. The required certificates are:

  • Root CA certificate: The root CA (Certificate Authority) certificate acts as the foundation of trust for a security ecosystem. It is used to authenticate the identity of all nodes within the system and to sign other certificates, thereby establishing a chain of trust.

  • Node certificates: Node certificates uniquely identify each node within the Wazuh cluster. They are used to encrypt and authenticate communications between the nodes.

    Each node certificate must include either the IP address or the DNS name of the node. This is important for the verification process during communications, ensuring that the data is indeed being sent to and received from trusted nodes. These certificates, signed by the root CA, ensure that any communication between the nodes is trusted and verified through this central authority.

  • Admin certificate: The admin certificate is a client certificate with special privileges. The Wazuh indexer uses it to perform management and security-related tasks such as initializing and managing the Wazuh indexer cluster, creating, modifying, and deleting users, as well as managing roles and permissions. It also helps ensure that only authorized commands are executed within the cluster.

You can deploy certificates using two methods:

Using the wazuh-certs-tool.sh script (default method)

The wazuh-certs-tool.sh script simplifies certificate generation for Wazuh central components and creates all the certificates required for installation. You need to create or edit the configuration file config.yml. This file references the node details like node types and IP addresses or DNS names which are used to generate certificates for each of the nodes specified in it. A template could be downloaded from our repository. These certificates are created with the following additional information:

  • C: US

  • L: California

  • O: Wazuh

  • OU: Wazuh

  • CN: Name of the node

Generating Wazuh indexer certificates

Follow the steps below to create Wazuh indexer certificates using the wazuh-certs-tool.sh script:

  1. Run the command below to download the wazuh-certs-tool.sh script in your installation directory:

    # wget https://packages.wazuh.com/4.9/wazuh-certs-tool.sh
    
  2. Create a config.yml file with the following content. We specify only the details regarding the Wazuh indexer nodes as we are focusing on creating certificates for the Wazuh indexer.

    nodes:
      # Wazuh indexer nodes
      indexer:
        - name: node-1
          ip: "<WAZUH_INDEXER_IP>"
        #- name: node-2
        #  ip: "<WAZUH_INDEXER_IP>"
        #- name: node-3
        #  ip: "<WAZUH_INDEXER_IP>"
    

    Where:

    • name represents a unique node name. You can choose any.

    • ip represents the IP address or DNS name of the node.

  3. Run the script to create the Wazuh indexer certificates:

    # bash wazuh-certs-tool.sh -A
    

    After deploying the certificates, a directory wazuh-certificates will be created in the installation directory with the following content:

    wazuh-certificates/
    ├── admin-key.pem
    ├── admin.pem
    ├── root-ca.key
    ├── root-ca.pem
    ├── node-1-key.pem
    └── node-1.pem
    

    The files in this directory are as follows:

    • root-ca.pem and root-ca.key: These files represent the root Certificate Authority (CA). The .pem file contains the public certificate, while the .key file holds the private key used for signing other certificates.

      Note

      If you are deploying a complete Wazuh infrastructure and deploying certificates for the first time you need to conserve the root CA certificate. This will be used to create and sign certificates for the Wazuh server and Wazuh dashboard nodes.

    • admin.pem and admin-key.pem: These files contain the public and private keys used by the Wazuh indexer to perform management and security-related tasks such as initializing the Wazuh indexer cluster, creating and managing users and roles.

    • node-1.pem and node-1-key.pem: The node-1.pem file contains the public key, which is distributed and trusted by other Wazuh components to authenticate the indexer node. Conversely, the node-1-key.pem file holds the private key, which is kept securely on the Wazuh indexer and used for authentication and encryption in communication with other Wazuh components.

      In a clustered environment comprising two or more Wazuh indexer nodes, unique pairs of public and private keys are generated for each node. These keys are specific to the node and are identified by the names defined in the name field of the config.yml file. These key pairs must then be transferred to their corresponding nodes.

  4. Once the certificates are created, you need to rename and move the Wazuh indexer certificate to the appropriate Wazuh indexer nodes respectively. You need to place them in the default directory /etc/wazuh-indexer/certs/ as referenced in the file /etc/wazuh-indexer/opensearch.yml. You should create the directory if it doesn’t exist.

    # mv /path/to/node-1-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
    # mv /path/to/node-1.pem /etc/wazuh-indexer/certs/indexer.pem
    

Generating Wazuh indexer certificates using the pre-existing root CA

Wazuh also gives the ability to create and sign the admin and node(s) certificates using a pre-existing root CA. It avoids having to recreate certificates for all the nodes.

Note

You need to use a pre-existing root CA to create Wazuh indexer certificates:

  • If you already have a root CA after generating certificates for the Wazuh server or Wazuh dashboard nodes.

  • If you need to re-install a Wazuh indexer node or add a new node to your Wazuh indexer cluster.

  1. Create a config.yml file. You must specify the details for only the Wazuh indexer node(s) you want to create certificates for, depending on the cases described in the note above.

  2. Run the command below to create Wazuh indexer certificates from the config.yml file using the pre-existing root CA keys:

    # bash wazuh-certs-tool.sh -wi /path/to/root-ca.pem /path/to/root-ca.key
    

    Where:

    • The flag -wi indicates we are creating Wazuh indexer certificates.

    • The file /path/to/root-ca.pem contains the root CA certificate.

    • The file /path/to/root-ca.key contains the root CA key.

    After deploying the certificates, a directory wazuh-certificates will be created in the installation directory with content similar to the one below:

    wazuh-certificates/
    ├── admin-key.pem
    ├── admin.pem
    ├── node-1-key.pem
    └── node-1.pem
    
  3. Once the certificates are created, you need to rename and move the Wazuh indexer certificate to the appropriate Wazuh indexer nodes respectively. You need to place them in the default directory /etc/wazuh-indexer/certs/ as referenced in the file /etc/wazuh-indexer/opensearch.yml. You should create the directory if it doesn’t exist.

    # mv /path/to/node-1-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
    # mv /path/to/node-1.pem /etc/wazuh-indexer/certs/indexer.pem
    

Using custom certificates

Custom certificates can be created using tools like OpenSSL. You must create the root CA, node, and admin certificates described above.

Adding Wazuh indexer nodes

Adding a new node to the Wazuh indexer cluster can enhance the capacity and resilience of the security monitoring infrastructure.

The upscale process involves creating certificates, configuring existing components to connect with the new Wazuh indexer node(s), and then installing and configuring the new node(s).

We have organized the steps for upscaling the Wazuh indexer into two subsections: one for an all-in-one deployment and the other for a distributed deployment. The choice between these methods depends on your existing deployment and the infrastructure you aim to upscale.

  • All-in-one deployment:

    If you have a Wazuh all-in-one deployment, follow the steps outlined in the "All-in-one deployment" subsection to upscale your Wazuh indexer.

  • Distributed deployment:

    For an existing distributed deployment, please refer to the "Distributed deployment" subsections to upscale your Wazuh indexer.

If you are unsure which method aligns with your infrastructure, we recommend reviewing your deployment architecture before proceeding.

Note

You need root user privileges to execute the commands below.

Certificates creation

Perform the outlined steps on your existing Wazuh indexer node to generate the certificates required for secure communication among the Wazuh central components.

All-in-one deployment

We recommend creating entirely new certificates for your Wazuh indexer nodes. Perform the following steps to create new certificates.

  1. Create a config.yml file in the /root directory to add the new Wazuh indexer node(s):

    # touch /root/config.yml
    
  2. Edit the /root/config.yml file to include the following content and replace the values with your node names and their corresponding IP addresses:

    nodes:
    # Wazuh indexer nodes
      indexer:
        - name: <EXISTING_WAZUH_INDEXER_NODE_NAME>
          ip: <EXISTING_WAZUH_INDEXER_IP>
        - name: <NEW_WAZUH_INDEXER_NODE_NAME>
          ip: <NEW_WAZUH_INDEXER_IP>
    
    # Wazuh server nodes
      server:
        - name: <WAZUH_SERVER_NODE_NAME>
          ip: <WAZUH_SERVER_IP>
    
    # Wazuh dashboard nodes
      dashboard:
        - name: <WAZUH_DASHBOARD_NODE_NAME>
          ip: <WAZUH_DASHBOARD_IP>
    
  3. Download and run ./wazuh-certs-tool.sh from your /root directory to recreate the certificates for the old and new nodes:

    # curl -sO https://packages.wazuh.com/4.8/wazuh-certs-tool.sh
    # bash wazuh-certs-tool.sh -A
    
  4. Compress the certificates folder and copy it to the new Wazuh indexer node(s). You can make use of the scp utility to securely copy the compressed file:

    # tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
    # scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP>:
    

    This will copy the certificates to the home directory of the logged-in user on the target system. You can change this to specify a path to your installation directory.

Distributed deployment

We recommend you utilize pre-existing root CA keys to generate certificates for new nodes.

Perform the steps below on one indexer node only.

  1. Create a config.yml file in the /root directory to add the new Wazuh indexer node(s):

    # touch /root/config.yml
    
  2. Edit the /root/config.yml file to include the node name and IP of the new node. Replace the values with your node names and their corresponding IP addresses:

    nodes:
      # Wazuh indexer nodes
      indexer:
        - name: <NEW_WAZUH_INDEXER_NODE_NAME>
          ip: <NEW_WAZUH_INDEXER_IP>
    
  3. Extract the wazuh-certificates.tar file:

    # mkdir wazuh-install-files && tar -xf ./wazuh-certificates.tar -C wazuh-install-files
    
  4. Download and run ./wazuh-certs-tool.sh to create the certificates for the new indexer node using the pre-existing root CA keys:

    # curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
    # bash wazuh-certs-tool.sh -A wazuh-install-files/root-ca.pem wazuh-install-files/root-ca.key
    
  5. Copy the newly created certificates to the wazuh-install-files folder making sure not to replace the admin certificates:

    # cp wazuh-certificates/<NEW_WAZUH_INDEXER_NODE_NAME>* wazuh-install-files
    

    Note

    If the pre-existing root CA keys have been deleted or if you are not able to access them, you can proceed with creating new certificates for all the nodes as follows:

    1. Create the /root/config.yml file to reference all your nodes.

      nodes:
      # Wazuh indexer nodes
        indexer:
          - name: <EXISTING_WAZUH_INDEXER_NODE_NAME>
            ip: <EXISTING_WAZUH_INDEXER_IP>
          - name: <NEW_WAZUH_INDEXER_NODE_NAME>
            ip: <NEW_WAZUH_INDEXER_IP>
      
      # Wazuh server nodes
        server:
          - name: <WAZUH_SERVER_NODE_NAME>
            ip: <WAZUH_SERVER_IP>
      
      # Wazuh dashboard nodes
        dashboard:
          - name: <WAZUH_DASHBOARD_NODE_NAME>
            ip: <WAZUH_DASHBOARD_IP>
      
    2. Execute the wazuh-certs-tool.sh script to create the certificates.

      # curl -sO https://packages.wazuh.com/4.7/wazuh-certs-tool.sh
      # bash wazuh-certs-tool.sh -A
      
    3. Compress the certificates folder and copy it to the new Wazuh indexer node(s). You can make use of the scp utility to securely copy the compressed file:

      # tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
      # scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP>:
      

      This will copy the certificates to the home directory of the logged in user on the target system. You can change this to specify a path to your installation directory.

  6. Compress the certificates folder into a new wazuh-certificates.tar file and copy it to the new Wazuh indexer node(s). You can make use of the scp utility to securely copy the compressed file:

    # tar -cvf ./wazuh-certificates.tar -C ./wazuh-install-files/ .
    # scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP>:
    

    This will copy the certificates to the home directory of the logged-in user on the target system. You can change this to specify a path to your installation directory.

Configuring existing components to connect with the new node

In this section, we configure the Wazuh components of your existing deployment to connect and communicate with the new Wazuh indexer node.

All-in-one deployment

  1. Create a file, env_variables.sh, in the /root directory of the existing node where you define your environment variables as follows:

    export NODE_NAME1=<EXISTING_WAZUH_INDEXER_NODE_NAME>
    export NODE_NAME2=<WAZUH_SERVER_NODE_NAME>
    export NODE_NAME3=<WAZUH_DASHBOARD_NODE_NAME>
    

    Replace:

    • <EXISTING_WAZUH_INDEXER_NODE_NAME>, <WAZUH_SERVER_NODE_NAME>, <WAZUH_DASHBOARD_NODE_NAME> respectively with the names of the Wazuh indexer, Wazuh server, and Wazuh dashboard nodes as defined in /root/config.yml.

  2. Create a deploy-certificates.sh script in the /root directory and add the following content:

    #!/bin/bash
    
    # Source the environmental variables from the external file
    source ~/env_variables.sh
    
    rm -rf /etc/wazuh-indexer/certs
    mkdir /etc/wazuh-indexer/certs
    tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME1.pem ./$NODE_NAME1-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
    mv -n /etc/wazuh-indexer/certs/$NODE_NAME1.pem /etc/wazuh-indexer/certs/wazuh-indexer.pem
    mv -n /etc/wazuh-indexer/certs/$NODE_NAME1-key.pem /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
    chmod 500 /etc/wazuh-indexer/certs
    chmod 400 /etc/wazuh-indexer/certs/*
    chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
    
    rm -rf /etc/filebeat/certs
    mkdir /etc/filebeat/certs
    tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME2.pem ./$NODE_NAME2-key.pem ./root-ca.pem
    mv -n /etc/filebeat/certs/$NODE_NAME2.pem /etc/filebeat/certs/wazuh-server.pem
    mv -n /etc/filebeat/certs/$NODE_NAME2-key.pem /etc/filebeat/certs/wazuh-server-key.pem
    chmod 500 /etc/filebeat/certs
    chmod 400 /etc/filebeat/certs/*
    chown -R root:root /etc/filebeat/certs
    
    rm -rf /etc/wazuh-dashboard/certs
    mkdir /etc/wazuh-dashboard/certs
    tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME3.pem ./$NODE_NAME3-key.pem ./root-ca.pem
    mv -n /etc/wazuh-dashboard/certs/$NODE_NAME3.pem /etc/wazuh-dashboard/certs/wazuh-dashboard.pem
    mv -n /etc/wazuh-dashboard/certs/$NODE_NAME3-key.pem /etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem
    chmod 500 /etc/wazuh-dashboard/certs
    chmod 400 /etc/wazuh-dashboard/certs/*
    chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
    
  3. Deploy the certificates by executing the following command:

    # bash /root/deploy-certificates.sh
    

    This deploys the SSL certificates to encrypt communications between the Wazuh central components.

    Recommended action: If no other Wazuh components are going to be installed on this node, remove the wazuh-certificates.tar file by running the command below to increase security. Alternatively, save a copy offline for potential future use and scalability:

    # rm -rf ./wazuh-certificates
    # rm -f ./wazuh-certificates.tar
    
  4. Edit the indexer configuration file at /etc/wazuh-indexer/opensearch.yml to include the new node(s) as follows. Uncomment or add more lines, according to your /root/config.yml definitions. Create the discovery.seed_hosts section if it doesn’t exist:

    network.host: "<EXISTING_WAZUH_INDEXER_IP>"
    node.name: "<EXISTING_WAZUH_INDEXER_NODE_NAME>"
    cluster.initial_master_nodes:
    - "<EXISTING_WAZUH_INDEXER_NODE_NAME>"
    - "<NEW-WAZUH-INDEXER-NODE-NAME>"
    cluster.name: "wazuh-cluster"
    discovery.seed_hosts:
      - "<EXISTING_WAZUH_INDEXER_IP>"
      - "<NEW_WAZUH_INDEXER_IP>"
    plugins.security.nodes_dn:
    - "CN=<EXISTING-WAZUH-INDEXER-NODE-NAME>,OU=Wazuh,O=Wazuh,L=California,C=US"
    - "CN=<NEW-WAZUH-INDEXER-NODE-NAME>,OU=Wazuh,O=Wazuh,L=California,C=US"
    
  5. Edit the Filebeat configuration file /etc/filebeat/filebeat.yml to add the new Wazuh indexer node(s). Uncomment or add more lines, according to your /root/config.yml definitions:

    output.elasticsearch.hosts:
            - <EXISTING_WAZUH_INDEXER_IP>:9200
            - <NEW_WAZUH_INDEXER_IP>:9200
    output.elasticsearch:
      protocol: https
      username: ${username}
      password: ${password}
    
  6. Edit the Wazuh dashboard configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml to include the new Wazuh indexer node(s):

    opensearch.hosts: ["https://<EXISTING_WAZUH_INDEXER_IP>:9200", "https://<NEW_WAZUH_INDEXER_IP>:9200"]
    
  7. Restart the following services to apply the changes:

    # systemctl restart wazuh-indexer
    # systemctl restart filebeat
    # systemctl restart wazuh-manager
    # systemctl restart wazuh-dashboard
    

Distributed deployment

  1. Edit the indexer configuration file at /etc/wazuh-indexer/opensearch.yml to include the new node(s) as follows. Uncomment or add more lines, according to your /root/config.yml definitions. Create the discovery.seed_hosts section if it doesn’t exist:

    network.host: "<EXISTING_WAZUH_INDEXER_IP>"
    node.name: "<EXISTING_WAZUH_INDEXER_NODE_NAME>"
    cluster.initial_master_nodes:
    - "<EXISTING_WAZUH_INDEXER_NODE_NAME>"
    - "<NEW-WAZUH-INDEXER-NODE-NAME>"
    cluster.name: "wazuh-cluster"
    discovery.seed_hosts:
      - "<EXISTING_WAZUH_INDEXER_IP>"
      - "<NEW_WAZUH_INDEXER_IP>"
    plugins.security.nodes_dn:
    - "CN=indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
    - "CN=<WAZUH-INDEXER2-NODE-NAME>,OU=Wazuh,O=Wazuh,L=California,C=US"
    
  2. Edit the Filebeat configuration file /etc/filebeat/filebeat.yml (the file is located in the Wazuh server) to add the new Wazuh indexer node(s). Uncomment or add more lines, according to your /root/config.yml definitions:

    output.elasticsearch.hosts:
            - <EXISTING_WAZUH_INDEXER_IP>:9200
            - <NEW_WAZUH_INDEXER_IP>:9200
    output.elasticsearch:
      protocol: https
      username: ${username}
      password: ${password}
    
  3. Edit the Wazuh dashboard configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml to include the new Wazuh indexer node(s):

    opensearch.hosts: ["https://<EXISTING_WAZUH_INDEXER_IP>:9200", "https://<NEW_WAZUH_INDEXER_IP>:9200"]
    

    Note

    You’ll have to re-deploy certificates on your existing Wazuh node(s) if they were recreated as recommended in the note above.

    Run the following commands on each of your nodes to deploy the certificates:

    1. On Wazuh indexer node(s):

      # NODE_NAME=<EXISTING_WAZUH_INDEXER_NODE_NAME>
      
      # rm -rf /etc/wazuh-indexer/certs
      # mkdir /etc/wazuh-indexer/certs
      # tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
      # mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
      # mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
      # chmod 500 /etc/wazuh-indexer/certs
      # chmod 400 /etc/wazuh-indexer/certs/*
      # chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
      
    2. On Wazuh server node(s):

      # NODE_NAME=<WAZUH_SERVER_NODE_NAME>
      
      # rm -rf /etc/filebeat/certs
      # mkdir /etc/filebeat/certs
      # tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
      # mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/wazuh-server.pem
      # mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/wazuh-server-key.pem
      # chmod 500 /etc/filebeat/certs
      # chmod 400 /etc/filebeat/certs/*
      # chown -R root:root /etc/filebeat/certs
      
    3. On Wazuh dashboard node:

      # NODE_NAME=<WAZUH_DASHBOARD_NODE_NAME>
      
      # rm -rf /etc/wazuh-dashboard/certs
      # mkdir /etc/wazuh-dashboard/certs
      # tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
      # mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/wazuh-dashboard.pem
      # mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      # chmod 500 /etc/wazuh-dashboard/certs
      # chmod 400 /etc/wazuh-dashboard/certs/*
      # chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
      
  4. Run the following commands on your respective nodes to apply the changes:

    • Wazuh indexer node

      # systemctl restart wazuh-indexer
      
    • Wazuh server node

      # systemctl restart filebeat
      # systemctl restart wazuh-manager
      
    • Wazuh dashboard node

      # systemctl restart wazuh-dashboard
      

Wazuh indexer node(s) installation

Once the certificates have been created and copied to the new node(s), you can now proceed with installing the Wazuh indexer node. Follow the steps below to install the new Wazuh indexer node(s).

  1. Install package dependencies:

    # yum install coreutils
    
  2. Add the Wazuh repository:

    • Import the GPG key:

      # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
      
    • Add the repository:

      # echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
      
  3. Install the Wazuh indexer:

    # yum -y install wazuh-indexer
    

Configuring the Wazuh indexer

Edit the /etc/wazuh-indexer/opensearch.yml configuration file and replace the following values:

  • network.host: Sets the address of this node for both HTTP and HTTPS traffic. The node will bind to this address and use it as its publish address. This field accepts an IP address or a hostname.

    Use the same node address set in /root/config.yml to create the SSL certificates.

  • node.name: Name of the Wazuh indexer node as defined in the /root/config.yml file. For example, node-1.

  • cluster.initial_master_nodes: List of the names of the master-eligible nodes. These names are defined in the /root/config.yml file. Uncomment the node-2 line or add more lines, and change the node names according to your /root/config.yml definitions:

    cluster.initial_master_nodes:
    - "<EXISTING_WAZUH_INDEXER_NODE_NAME>"
    - "<NEW_WAZUH_INDEXER_NODE_NAME>"
    
  • discovery.seed_hosts: List of the addresses of the master-eligible nodes. Each element can be either an IP address or a hostname. Uncomment this setting and set the IP addresses of each master-eligible node:

    discovery.seed_hosts:
      - "<EXISTING_WAZUH_INDEXER_IP>"
      - "<NEW_WAZUH_INDEXER_IP>"
    
  • plugins.security.nodes_dn: List of the distinguished names of the certificates of all the Wazuh indexer cluster nodes. Uncomment the line for node-2 and change the common names (CN) and values according to your settings and your /root/config.yml definitions:

    plugins.security.nodes_dn:
    - "CN=<EXISTING_WAZUH_INDEXER_NODE_NAME>,OU=Wazuh,O=Wazuh,L=California,C=US"
    - "CN=<NEW_WAZUH_INDEXER_NODE_NAME>,OU=Wazuh,O=Wazuh,L=California,C=US"
    

Deploying certificates

Execute the following commands in the directory where the wazuh-certificates.tar file was copied to, replacing <NEW_WAZUH_INDEXER_NODE_NAME> with the name of the Wazuh indexer node you are configuring as defined in /root/config.yml. For example, node-1. This deploys the SSL certificates to encrypt communications between the Wazuh central components:

NODE_NAME=<NEW_WAZUH_INDEXER_NODE_NAME>
# mkdir /etc/wazuh-indexer/certs
# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
# chmod 500 /etc/wazuh-indexer/certs
# chmod 400 /etc/wazuh-indexer/certs/*
# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

Recommended action: If no other Wazuh components are going to be installed on this node, remove the wazuh-certificates.tar file by running the command below to increase security. Alternatively, save a copy offline for potential future use and scalability:

# rm -f ./wazuh-certificates.tar

Starting the service

Run the following commands to start the Wazuh indexer service:

# systemctl daemon-reload
# systemctl enable wazuh-indexer
# systemctl start wazuh-indexer

Cluster initialization

  1. Run the Wazuh indexer indexer-security-init.sh script on any Wazuh indexer node to load the new certificate information and start the cluster:

    # /usr/share/wazuh-indexer/bin/indexer-security-init.sh
    

    Note

    You only have to initialize the cluster once, there is no need to run this command on every node.

  2. Confirm the configurations work by running the command below on your Wazuh server node:

    # filebeat test output
    

    An example output is shown below:

    elasticsearch: https://10.0.0.1:9200...
      parse url... OK
      connection...
        parse host... OK
        dns lookup... OK
        addresses: 10.0.0.1
        dial up... OK
      TLS...
        security: server's certificate chain verification is enabled
        handshake... OK
        TLS version: TLSv1.3
        dial up... OK
      talk to server... OK
      version: 7.10.2
    elasticsearch: https://10.0.0.2:9200...
      parse url... OK
      connection...
        parse host... OK
        dns lookup... OK
        addresses: 10.0.0.2
        dial up... OK
      TLS...
        security: server's certificate chain verification is enabled
        handshake... OK
        TLS version: TLSv1.3
        dial up... OK
      talk to server... OK
      version: 7.10.2
    

Testing the cluster

After completing the above steps, you can proceed to test your cluster and ensure that the indexer node has been successfully added. There are two possible methods to do this:

Using the securityadmin script

The securityadmin script helps configure and manage the security settings of OpenSearch. The script lets you load, backup, restore, and migrate the security configuration files to the Wazuh indexer cluster.

Run the command below on any of the Wazuh indexer nodes to execute the securityadmin script and initialize the cluster:

# /usr/share/wazuh-indexer/bin/indexer-security-init.sh

The output should be similar to the one below. It should show the number of Wazuh indexer nodes in the cluster:

**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 192.168.21.152:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.6.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 2
Number of data nodes: 2
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success

Using the Wazuh indexer API

You can also get information about the number of nodes in the cluster by using the Wazuh indexer API.

Run the command below on any of the Wazuh indexer nodes and check the output for the field number_of_nodes to ensure it corresponds to the expected number of Wazuh indexer nodes:

# curl -XGET https:/<EXISTING_WAZUH_INDEXER_IP>:9200/_cluster/health?pretty -u admin:<ADMIN-PASSWORD> -k

Replace:

  • <EXISTING_WAZUH_INDEXER_IP> with the IP address of any of your indexer nodes.

  • <ADMIN-PASSWORD> with your administrator password.

The output of the command should be similar to the following:

{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 2,
  "number_of_data_nodes" : 2,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 11,
  "active_shards" : 20,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

You can access the Wazuh dashboard with your credentials.

  • URL: https://<WAZUH_DASHBOARD_IP>

  • Username: admin

  • Password: <ADMIN_PASSWORD> or admin in case you already have a distributed architecture and using the default password.

After the above steps are completed, your new node(s) will now be part of your cluster and your infrastructure distributed.

Cluster management

Using the Wazuh indexer API

Perform the following cluster management queries on the Wazuh dashboard console by navigating to Indexer management > Dev Tools.

  • Check the general Wazuh indexer cluster health:

    GET _cluster/health
    
  • To check cluster health based on awareness attribute, use the following:

    GET _cluster/health?level=awareness_attributes
    
  • To check the cluster health based on a specific index, use the following:

    GET _cluster/health/<INDEX-PATTERN>
    
  • List all Wazuh indexer nodes and their roles:

    GET _cat/nodes
    
  • Check the Wazuh indexer node where an index is stored:

    GET _cat/shards/wazuh-alerts-*?v
    
  • Check ISM policy for an index pattern:

    GET _opendistro/_ism/explain/wazuh-alerts-*
    
  • Check statistics about the Wazuh indexer cluster:

    GET _cluster/stats/nodes/*
    
  • Check storage allocation. This can be used to determine if the Wazuh indexer node is full. If the indexer node is full, implement the index lifecycle management to free up old indices.

    GET _cat/allocation?v&s=node
    
  • Check Wazuh indexer node attributes:

    GET _cat/nodeattrs?v&h=node,attr,value