Set up Cross-Cluster Search

Perform the following steps on the Wazuh dashboard to enable Cross-Cluster Search from the CCS environment to the remote clusters.

URL: https://<WAZUH_DASHBOARD_IP>
Username: admin
Password: admin

Select ☰ > Indexer management > DevTools and run the following API call to connect the CCS environment to the remote Wazuh clusters on port 9300:

# Note: Add the Wazuh indexer node name for clusters A and B to the "cluster.remote" section and their corresponding IP addresses to the "seeds" section.

PUT _cluster/settings 
{
  "persistent": {
    "cluster.remote": {
      "ca-wazuh-indexer-1": {
        "seeds": ["192.168.10.101:9300"]
      },
      "cb-wazuh-indexer-1": {
        "seeds": ["192.168.20.101:9300"]
      }
    }
  }
}

Output should look like :

{
  "acknowledged": true,
  "persistent": {
    "cluster": {
      "remote": {
        "cb-wazuh-indexer-1": {
          "seeds": [
            "192.168.20.101:9300"
          ]
        },
        "ca-wazuh-indexer-1": {
          "seeds": [
            "192.168.10.101:9300"
          ]
        }
      }
    }
  },
  "transient": {}
}

Test that the remote clusters are connected by running the following API call:

GET ca-wazuh-indexer-1:wazuh-alerts-*/_search

The output should look like :

{
  "took": 833,
  "timed_out": false,
  "_shards": {
    "total": 6,
    "successful": 6,
    "skipped": 0,
    "failed": 0
  },
  "_clusters": {
    "total": 1,
    "successful": 1,
    "skipped": 0
  },
  "hits": {
    "total": {
      "value": 221,
      "relation": "eq"
    },
    "max_score": 1,
    "hits": [
      {
        "_index": "ca-wazuh-indexer-1:wazuh-alerts-4.x-2024.08.25",
        "_id": "BZ40i5EB-SZRRdc_oF6H",
        "_score": 1,
        "_source": {
          "predecoder": {
            "hostname": "ccs",
            "program_name": "systemd",
            "timestamp": "Aug 25 21:22:35"
          },
          "agent": {
            "name": "cluster-a",
            "id": "000"
          },
          "manager": {
            "name": "cluster-a"
          },
          "rule": {
            "firedtimes": 1,
            "mail": false,
            "level": 5,
            "description": "Systemd: System time has been changed.",
            "groups": [
              "local",
              "systemd"
            ],
            "id": "40705",
            "gpg13": [
              "4.3"
            ],
            "gdpr": [
              "IV_35.7.d"
            ]
          },
          "decoder": {
            "name": "systemd"
          },
          "full_log": "Aug 25 21:22:35 ccs systemd: Time has been changed",
          "input": {
            "type": "log"
          },
          "@timestamp": "2024-08-25T20:22:37.091Z",
          "location": "/var/log/messages",
          "id": "1724617357.562701",
          "timestamp": "2024-08-25T21:22:37.091+0100"
        }
      },
...

Configure the `wazuh-alerts-*` index pattern

1. Select ☰ > Dashboard management > Dashboard Management > Index patterns and select Create index pattern to add the index patterns for the remote clusters.

2. Add the index pattern name using the format *:wazuh-alerts-* and select Next step. The wildcard ‘*‘ matches all indexers in the remote Wazuh clusters.

3. Select timestamp as the primary time field.

4. Select Create index pattern to create the index pattern.

5. Select ☰ > Dashboard management > App Settings > General and set the default index pattern for alerts to *:wazuh-alerts-* in the Index pattern field.

6. Select the *:wazuh-alerts-* index pattern and toggle the API between Cluster A and B to view alerts from both remote clusters.

Configure the `wazuh-states-vulnerabilities*` index pattern

1. Select ☰ > Dashboard management > Dashboard Management > Index patterns and select Create index pattern to add the index patterns for the remote clusters.

2. Add the index pattern name using the format *:wazuh-states-vulnerabilities-* and select Next step. The wildcard ‘*‘ matches all indexers in the remote Wazuh clusters.

3. Select package.installed as the primary time field. This will show you when the vulnerable package was installed.

4. Select Create index pattern to create the index pattern.

5. Select ☰ > Dashboard management > App Settings > Vulnerabilities and set the default index pattern for vulnerabilities to *:wazuh-states-vulnerabilities-* in the Index pattern field.

Troubleshooting :

This error is due to version mismatch of the filebeat config file , Matching the versions of filebeat config might solve the issue. I encountered the same while my deployment but I solved the error probably upgrading the config file version.

Resources used for this documentation :

Implementing Wazuh CCS : https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/
Wazuh Indexer : https://documentation.wazuh.com/4.9/installation-guide/wazuh-indexer/step-by-step.html
Wazuh Server : https://documentation.wazuh.com/4.9/installation-guide/wazuh-server/step-by-step.html
Wazuh Dashboard : https://documentation.wazuh.com/4.9/installation-guide/wazuh-dashboard/step-by-step.html

PreviousCluster Configuration NextUpgrading Wazuh Central Components

Last updated 11 months ago

hashtagConfigure the wazuh-alerts-* index pattern

hashtagConfigure the wazuh-states-vulnerabilities* index pattern

hashtagTroubleshooting :

hashtagResources used for this documentation :

Configure the `wazuh-alerts-*` index pattern

Configure the `wazuh-states-vulnerabilities*` index pattern

Troubleshooting :

Resources used for this documentation :