
Configuring the Hydra Wazuh cluster

Once the steps to deploy the Hydra from the section https://docs.siemonster.com/current/universal-hydra have been completed, the Wazuh cluster configuration needs to be applied to the Hydra. This MUST be performed before any data is ingested.

NOTE⚠️: If the Wazuh container on the Hydra needs updating, see the section HERE and update it before proceeding.

The following steps require access to the central EKS cluster via kubectl. In the worked example below we assume that the tenant is tenant1.

Perform the following to drop into the Wazuh pod running in the central cluster:

BASH
kubectl -n siemonster exec -it tenant1-wazuh-0 -- bash

If you receive any kind of error after running the command, ensure that your AWS profile is configured and, if you have more than one profile, that the correct one is exported. Please refer to https://docs.siemonster.com/current/command-line-tools#Commandlinetools-AWSCLICONFIGURATION for further details on how to do so.

Once connected to the pod, run the following command to edit the configuration.

  1. Type vim /var/ossec/etc/ossec.conf and Press [ENTER]

When it opens, please perform the following in sequence

  1. Press forward slash “/” and Type cluster followed by [ENTER]
    You will be presented with an XML block that starts and ends with the following

    XML
    <cluster>
    ....
    </cluster>
  2. Copy the XML block as described in point 1 and paste it in VSCode or Notepad++. The block contains the cluster “<key>”, which is the shared secret the Wazuh nodes use to authenticate and encrypt cluster traffic, so keep this scratch copy out of shared notes or chat and delete it once the Hydra is configured.

  3. While keeping the kubectl session open, in a new window, SSH to the Hydra

  4. Type sudo -s and Press [ENTER]

  5. Type docker exec -it wazuh bash and Press [ENTER]

  6. Type vim /var/ossec/etc/ossec.conf and Press [ENTER]

  7. Press forward slash “/” and Type cluster followed by [ENTER]

  8. Press [INSERT] to edit

  9. Now make sure that the values of the following elements match those in the XML block copied from the central cluster Wazuh pod

    XML
    <name>
    <key>
    <disabled>
  10. Change the “<node>” line to inside.wazuh.<source_url>, where <source_url> is the tenant's hostname, e.g. inside.wazuh.tenant1.example.siemonster.io

    XML
    <node>inside.wazuh.tenant1.example.siemonster.io</node>

  11. Press [ESC] then Press [:w] (colon and w) and Press [ENTER]

  12. Your Wazuh cluster configuration on the Hydra should look as follows:
    NOTE: The “<key>” on line 5 is randomly generated for each cluster. It must match on the central manager and the Hydra for the individual Wazuh manager instances to communicate.

    XML
      <cluster>
        <name>tenant1</name>
        <node_name>worker_node01</node_name>
        <node_type>worker</node_type>
        <key>9860abe6020aaREDACTEDcfca4f71788a</key>
        <port>1516</port>
        <bind_addr>0.0.0.0</bind_addr>
        <nodes>
            <node>inside.wazuh.tenant1.example.siemonster.io</node>
        </nodes>
        <hidden>no</hidden>
        <disabled>no</disabled>
      </cluster>
  13. Once you have confirmed the settings are correct, Press [:q] (colon and q) and then Press [ENTER]

  14. Type wazuh-control restart and Press [ENTER]. Wait for the restart to complete.

  15. Wait 5 minutes for the worker to connect to the master and synchronise

  16. Type cluster_control -l and Press [ENTER]. The output lists the nodes in the cluster; the Hydra should appear as a worker node alongside the central manager, like the output below.

Your Wazuh cluster configuration is now complete and the Hydra is ready to receive agent connections.
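The sixteen manual steps above amount to: read “<name>”, “<key>” and “<disabled>” from the central manager, write them plus the “<node>” address into the Hydra's ossec.conf, restart, and confirm the nodes see each other. The script below is an added example, not SIEMonster's own tooling, that does the same from an operator workstation and refuses to restart the Hydra's Wazuh while the two files still differ (an empty or mismatched key is the usual reason a worker never joins). The namespace, pod, container name and node address are the ones used on this page; HYDRA_HOST (an SSH alias for the Hydra), the sample configurations it is exercised against and the placeholder key are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not SIEMonster's own tooling): copy <name>, <key> and <disabled>
# from the central-cluster Wazuh manager into the Hydra's ossec.conf, set <node>,
# and refuse to restart until the two files agree. Namespace, pod, container and
# node address are from the page; HYDRA_HOST is an assumed SSH target.
set -eu

NAMESPACE=siemonster
CENTRAL_POD=tenant1-wazuh-0
HYDRA_HOST=hydra.example                 # assumption: SSH alias for the Hydra
HYDRA_CONTAINER=wazuh
HYDRA_NODE=inside.wazuh.tenant1.example.siemonster.io
OSSEC_CONF=/var/ossec/etc/ossec.conf

# Print the value of the first single-line <tag>...</tag> inside <cluster>.
cluster_value() {   # $1 = ossec.conf path, $2 = tag name (name, key, node, ...)
  sed -n "/<cluster>/,/<\/cluster>/{ s|.*<$2>\(.*\)</$2>.*|\1|p; }" "$1" | sed -n '1p'
}

# Copy $1 to $2, replacing <name>, <key>, <disabled> and <node> inside <cluster>
# with $3..$6. Nothing outside the cluster block is touched.
patch_hydra_conf() {   # $1 in, $2 out, $3 name, $4 key, $5 disabled, $6 node
  sed -e "/<cluster>/,/<\/cluster>/{
    s|<name>.*</name>|<name>$3</name>|
    s|<key>.*</key>|<key>$4</key>|
    s|<disabled>.*</disabled>|<disabled>$5</disabled>|
    s|<node>.*</node>|<node>$6</node>|
  }" "$1" > "$2"
}

# Return 0 when <name>, <key> and <disabled> match and the key is non-empty. The
# key is the shared secret protecting worker/master traffic, so a mismatch means
# the Hydra will never join the cluster no matter how long you wait.
verify_cluster_match() {   # $1 = central conf, $2 = hydra conf
  local tag rc=0
  for tag in name key disabled; do
    if [ "$(cluster_value "$1" "$tag")" != "$(cluster_value "$2" "$tag")" ]; then
      echo "mismatch: <$tag> differs between central manager and Hydra" >&2
      rc=1
    fi
  done
  [ -n "$(cluster_value "$2" key)" ] || { echo "Hydra <key> is empty" >&2; rc=1; }
  return $rc
}

# Patch a Hydra conf from a central conf and verify the result.
sync_from_files() {   # $1 = central conf, $2 = hydra conf, $3 = output path
  patch_hydra_conf "$2" "$3" \
    "$(cluster_value "$1" name)" "$(cluster_value "$1" key)" \
    "$(cluster_value "$1" disabled)" "$HYDRA_NODE"
  verify_cluster_match "$1" "$3"
}

# Constructed sample configs, not captured from a deployment. The Hydra one has
# the stock Wazuh values the procedure replaces: empty key, NODE_IP, disabled.
SAMPLE_CENTRAL='<ossec_config>
  <cluster>
    <name>tenant1</name>
    <node_name>master_node01</node_name>
    <node_type>master</node_type>
    <key>c0ffee00c0ffee00c0ffee00c0ffee00</key>
    <nodes>
      <node>tenant1-wazuh-0</node>
    </nodes>
    <disabled>no</disabled>
  </cluster>
</ossec_config>'
SAMPLE_HYDRA='<ossec_config>
  <cluster>
    <name>wazuh</name>
    <node_name>worker_node01</node_name>
    <node_type>worker</node_type>
    <key></key>
    <nodes>
      <node>NODE_IP</node>
    </nodes>
    <disabled>yes</disabled>
  </cluster>
</ossec_config>'

write_sample_confs() {   # $1 = directory; writes central.conf and hydra.conf
  printf '%s\n' "$SAMPLE_CENTRAL" > "$1/central.conf"
  printf '%s\n' "$SAMPLE_HYDRA"   > "$1/hydra.conf"
}

# Live run: needs kubectl access to the central EKS cluster and SSH to the Hydra.
sync_hydra_cluster() {
  local work; work=$(mktemp -d)
  kubectl -n "$NAMESPACE" exec "$CENTRAL_POD" -- cat "$OSSEC_CONF" > "$work/central.conf"
  ssh "$HYDRA_HOST" "sudo docker exec $HYDRA_CONTAINER cat $OSSEC_CONF" > "$work/hydra.conf"
  sync_from_files "$work/central.conf" "$work/hydra.conf" "$work/hydra.new"
  ssh "$HYDRA_HOST" "sudo docker exec -i $HYDRA_CONTAINER tee $OSSEC_CONF >/dev/null" < "$work/hydra.new"
  ssh "$HYDRA_HOST" "sudo docker exec $HYDRA_CONTAINER /var/ossec/bin/wazuh-control restart"
  rm -rf "$work"   # the key was in these files; do not leave them behind
  echo "restarted; in a few minutes check with: sudo docker exec $HYDRA_CONTAINER /var/ossec/bin/cluster_control -l"
}

if [ "${1:-}" = "--apply" ]; then sync_hydra_cluster; fi
```

Run it with --apply to perform the live sync; without arguments it only defines the functions, which is how the constructed samples are exercised. The verify step runs before anything is written back, so a stale central copy or a typo in the key is caught before the restart rather than discovered five minutes later when cluster_control -l still shows only the master.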
