Cluster Configuration

PreviousManaging multiple Wazuh clusters with Cross-Cluster Search NextSet up Cross-Cluster Search

Last updated 2 months ago

Cluster Configuration

Clusters A & Cluster B will have the same configuration so we will cover the installation & configuration of Cluster A & we can follow the same for other clusters in the node.

This remote Wazuh cluster collects, analyzes, and stores logs from Wazuh agents within the customer A environment. It consists of a Wazuh server that collects and analyzes log data from Wazuh agents and a Wazuh indexer that stores the Wazuh alerts. It can be configured as a single-node or multi-node Wazuh cluster.

The Wazuh indexer node in cluster A trusts only the Wazuh indexer node in the CCS environment, allowing it to query its data. Alerts and log data reside in cluster A, but the CCS environment can only query the data but not store it.

Generating certificates

Note: Make sure that a copy of the root-ca.key and root-ca.pem files created during the step are in your working directory.

Download the wazuh-certs-tool.sh script and the config.yml configuration file. The wazuh-certs-tool.sh script is used to generate certificates for the cluster.

curl -sO https://packages.wazuh.com/4.9/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.9/config.yml

Edit the config.yml file and replace the name and IP values with the corresponding node name and IP address for the Wazuh server and indexer:

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: ca-wazuh-indexer-1
      ip: "192.168.146.155"

  # Wazuh server nodes
  server:
    - name: ca-wazuh-server-1
      ip: "192.168.146.155"

Note: Comment out or remove the Wazuh dashboard configuration since it is not in use.

Run the wazuh-certs-tool.sh script with option -A and indicate the root-ca certificate and key created earlier to create the admin, and node certificates:

bash ./wazuh-certs-tool.sh -A ./root-ca.pem ./root-ca.key

Compress all the certificate files and remove the uncompressed version to allow for easier transfer to other component nodes within cluster A:

tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .

Wazuh indexer installation

apt-get install debconf adduser procps
apt-get install gnupg apt-transport-https

Adding GPG Keys

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Adding Repository

echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

sudo apt update
apt-get -y install wazuh-indexer

Edit the /etc/wazuh-indexer/opensearch.yml configuration file and replace the following values.

network.host with the IP address of the Wazuh indexer node.
node.name with the name of the Wazuh indexer node set in the config.yml file.
cluster.initial_master_nodes with the name of the Wazuh indexer node(s) in cluster A.
cluster.name with the name of the cluster. For example, ca-cluster.
plugins.security.nodes_dn with the distinguished name (DN) of the certificate for the cluster A Wazuh indexer node(s) and the CCS Wazuh indexer node. The common names (CN) will be replaced with the node names of the cluster A Wazuh indexer node and the CCS Wazuh indexer node.

network.host: "192.168.146.155" <--CHANGE THIS-->
node.name: "ca-wazuh-indexer-1"<--CHANGE THIS-->
cluster.initial_master_nodes:
- "ca-wazuh-indexer-1"<--CHANGE THIS-->
#- "node-2"
#- "node-3"
cluster.name: "ca-cluster" <--CHANGE THIS-->
#discovery.seed_hosts:
#  - "node-1-ip"
#  - "node-2-ip"
#  - "node-3-ip"

plugins.security.nodes_dn:
- "CN=ca-wazuh-indexer-1,OU=Wazuh,O=Wazuh,L=California,C=US" <--CHANGE THIS-->
- "CN=ccs-wazuh-indexer-1,OU=Wazuh,O=Wazuh,L=California,C=US"<--CHANGE THIS-->
#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"

Run the following commands, replacing <INDEXER_NODE_NAME> with the value of node.name configured in the /etc/wazuh-indexer/opensearch.yml file:

NODE_NAME=ca-wazuh-indexer-1
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

Enable and start the Wazuh indexer service:

systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer

Run the Wazuh indexer indexer-security-init.sh script on the Wazuh indexer node to load the new certificate information and initialize the Wazuh indexer:

/usr/share/wazuh-indexer/bin/indexer-security-init.sh

Check that the Wazuh indexer is initialized and correctly set up by running the following command:

curl -k -u admin:admin https://192.168.146.155:9200

The output should look like :

{
  "name" : "ca-wazuh-indexer-1",
  "cluster_name" : "ca-cluster",
  "cluster_uuid" : "qsOmbP79SfqEM34sHH9I6g",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Wazuh server installation

apt-get install gnupg apt-transport-https
## ADDING GPG KEYS
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
## ADDING REPOSITORY
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
## UPDATING PACKAGES
apt-get update

Installing wazuh manager & filebeat

apt-get -y install wazuh-manager
apt-get -y install filebeat

Download the preconfigured Filebeat configuration file.

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.9/tpl/wazuh/filebeat/filebeat.yml

Edit the /etc/filebeat/filebeat.yml configuration file and enter the IP address of the cluster A Wazuh indexer node(s) in the hosts section:

# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["192.168.10.101:9200"]

Create a Filebeat keystore to securely store authentication credentials and add the default username and password admin:admin to the secrets keystore:

filebeat keystore create
echo admin | filebeat keystore add username --stdin --force
echo admin | filebeat keystore add password --stdin --force

Download the alerts template for the Wazuh indexer and grant appropriate read permissions:

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Install the Wazuh module for Filebeat:

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module

Replace <SERVER_NODE_NAME> with the cluster A Wazuh server node name set in config.yml when creating the certificates, and move the certificates to their corresponding directories:

NODE_NAME= ca-wazuh-server-1 <--CHANGE THIS-->
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

Save the Wazuh indexer username and password into the Wazuh manager keystore using the wazuh-keystore tool:

/var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
/var/ossec/bin/wazuh-keystore -f indexer -k password -v admin

Edit /var/ossec/etc/ossec.conf file to configure the indexer connection by adding the Wazuh indexer IP address to the <host> section of the <indexer> block:

<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://192.168.146.155:9200</host> <--CHANGE THIS-->
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>

Enable and start the Wazuh manager service and Filebeat service:

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl enable filebeat
systemctl start filebeat

Run the following command to verify that Filebeat is successfully installed:

filebeat test output
## THE OUTPUT SHOULD BE 
elasticsearch: https://192.168.10.101:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.10.101
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Here we ve successfully configured the Cluster A , Similiarly we can configure other clusters with the same method

In the next section we will configure the basic index patterns eo enable clusters in the centralized wazuh dashboard