Set up Cross-Cluster Search

Perform the following steps on the Wazuh dashboard to enable Cross-Cluster Search from the CCS environment to the remote clusters.

Log in to the Wazuh dashboard using the login credentials:

URL: https://<WAZUH_DASHBOARD_IP>
Username: admin
Password: admin

Select ☰ > Indexer management > DevTools and run the following API call to connect the CCS environment to the remote Wazuh clusters on port 9300:

# Note: Add the Wazuh indexer node name for clusters A and B to the "cluster.remote" section and their corresponding IP addresses to the "seeds" section.

PUT _cluster/settings 
{
  "persistent": {
    "cluster.remote": {
      "ca-wazuh-indexer-1": {
        "seeds": ["192.168.10.101:9300"]
      },
      "cb-wazuh-indexer-1": {
        "seeds": ["192.168.20.101:9300"]
      }
    }
  }
}

Output should look like :

{
  "acknowledged": true,
  "persistent": {
    "cluster": {
      "remote": {
        "cb-wazuh-indexer-1": {
          "seeds": [
            "192.168.20.101:9300"
          ]
        },
        "ca-wazuh-indexer-1": {
          "seeds": [
            "192.168.10.101:9300"
          ]
        }
      }
    }
  },
  "transient": {}
}

Test that the remote clusters are connected by running the following API call:

GET ca-wazuh-indexer-1:wazuh-alerts-*/_search

The output should look like :

{
  "took": 833,
  "timed_out": false,
  "_shards": {
    "total": 6,
    "successful": 6,
    "skipped": 0,
    "failed": 0
  },
  "_clusters": {
    "total": 1,
    "successful": 1,
    "skipped": 0
  },
  "hits": {
    "total": {
      "value": 221,
      "relation": "eq"
    },
    "max_score": 1,
    "hits": [
      {
        "_index": "ca-wazuh-indexer-1:wazuh-alerts-4.x-2024.08.25",
        "_id": "BZ40i5EB-SZRRdc_oF6H",
        "_score": 1,
        "_source": {
          "predecoder": {
            "hostname": "ccs",
            "program_name": "systemd",
            "timestamp": "Aug 25 21:22:35"
          },
          "agent": {
            "name": "cluster-a",
            "id": "000"
          },
          "manager": {
            "name": "cluster-a"
          },
          "rule": {
            "firedtimes": 1,
            "mail": false,
            "level": 5,
            "description": "Systemd: System time has been changed.",
            "groups": [
              "local",
              "systemd"
            ],
            "id": "40705",
            "gpg13": [
              "4.3"
            ],
            "gdpr": [
              "IV_35.7.d"
            ]
          },
          "decoder": {
            "name": "systemd"
          },
          "full_log": "Aug 25 21:22:35 ccs systemd: Time has been changed",
          "input": {
            "type": "log"
          },
          "@timestamp": "2024-08-25T20:22:37.091Z",
          "location": "/var/log/messages",
          "id": "1724617357.562701",
          "timestamp": "2024-08-25T21:22:37.091+0100"
        }
      },
...

---

Configure the wazuh-alerts-* index pattern

1. Select ☰ > Dashboard management > Dashboard Management > Index patterns and select Create index pattern to add the index patterns for the remote clusters.

2. Add the index pattern name using the format *:wazuh-alerts-* and select Next step. The wildcard ‘*‘ matches all indexers in the remote Wazuh clusters.

3. Select timestamp as the primary time field.

4. Select Create index pattern to create the index pattern.

5. Select ☰ > Dashboard management > App Settings > General and set the default index pattern for alerts to *:wazuh-alerts-* in the Index pattern field.

6. Select the *:wazuh-alerts-* index pattern and toggle the API between Cluster A and B to view alerts from both remote clusters.

---

Configure the wazuh-states-vulnerabilities* index pattern

1. Select ☰ > Dashboard management > Dashboard Management > Index patterns and select Create index pattern to add the index patterns for the remote clusters.

2. Add the index pattern name using the format *:wazuh-states-vulnerabilities-* and select Next step. The wildcard ‘*‘ matches all indexers in the remote Wazuh clusters.

3. Select package.installed as the primary time field. This will show you when the vulnerable package was installed.

4. Select Create index pattern to create the index pattern.

5. Select ☰ > Dashboard management > App Settings > Vulnerabilities and set the default index pattern for vulnerabilities to *:wazuh-states-vulnerabilities-* in the Index pattern field.

---

Troubleshooting :

This error is due to version mismatch of the filebeat config file , Matching the versions of filebeat config might solve the issue. I encountered the same while my deployment but I solved the error probably upgrading the config file version.

---

Resources used for this documentation :

1. Implementing Wazuh CCS : https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/
2. Wazuh Indexer : https://documentation.wazuh.com/4.9/installation-guide/wazuh-indexer/step-by-step.html
3. Wazuh Server : https://documentation.wazuh.com/4.9/installation-guide/wazuh-server/step-by-step.html
4. Wazuh Dashboard : https://documentation.wazuh.com/4.9/installation-guide/wazuh-dashboard/step-by-step.html