This repository was archived by the owner on Apr 18, 2023. It is now read-only.
Wazuh (3.6) cluster on top of Kubernetes (tested with v1.10.3) with a working simple ELK stack.
Abstract
Wazuh best practices recommend deploying multiple instances of the Wazuh manager so it can support a larger amount of events and can be fault tolerant.
Master node: intended to expose the Wazuh API and to manage agent registration.
Based on that, we demonstrate that it's possible to deploy the Wazuh cluster in a Kubernetes cluster on top of AWS. Master and worker nodes are all behind an internal AWS elastic load balancer, so the events from agents are dispatched to any available nodes in the cluster. Kubernetes will ensure that the cluster stays highly available.
This repository uses the Docker images from the wazuh-docker repository. A simple kompose convert -f docker-compose.yml helped a lot to build this Kubernetes example!
Pre-requisites
A Kubernetes cluster (tested with v1.10.3) on top of AWS. It was tested in AWS EKS.
You should be able to create Persistent Volumes on top of AWS EBS when using volumeClaimTemplates in a Kubernetes StatefulSet.
You should be able to create a record set in AWS Route 53 from a Kubernetes LoadBalancer.
At least two Kubernetes nodes; otherwise, the Wazuh manager worker nodes won't be able to start because of the podAntiAffinity policy.
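The two StatefulSet settings the prerequisites above depend on (dynamically provisioned EBS volumes through volumeClaimTemplates, and the podAntiAffinity rule that keeps worker pods on separate nodes), shown as an added illustration rather than a manifest from this repository; the resource names, image tag, mount path and storage size are assumptions:

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: wazuh-manager-worker      # assumed name
spec:
  serviceName: wazuh-workers      # assumed headless Service name
  replicas: 2
  selector:
    matchLabels:
      app: wazuh-manager
      node-type: worker
  template:
    metadata:
      labels:
        app: wazuh-manager
        node-type: worker
    spec:
      affinity:
        podAntiAffinity:
          # Hard rule: two worker pods never share a Kubernetes node, so the
          # loss of one node cannot take down every worker. With fewer nodes
          # than replicas, the surplus pods stay Pending instead of starting.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: wazuh-manager
                  node-type: worker
              topologyKey: kubernetes.io/hostname
      containers:
        - name: wazuh-manager
          image: wazuh/wazuh:3.6.1  # placeholder tag; use the image this repo pins
          ports:
            - name: agent-events
              containerPort: 1514   # agents send events here, via the internal ELB
            - name: cluster
              containerPort: 1516   # Wazuh cluster synchronisation with the master
          volumeMounts:
            - name: wazuh-manager-data
              mountPath: /var/ossec/data   # assumed data path
  volumeClaimTemplates:
    # One PersistentVolumeClaim per pod, each satisfied by a dynamically
    # provisioned AWS EBS volume through the cluster's EBS storage class.
    - metadata:
        name: wazuh-manager-data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: gp2
        resources:
          requests:
            storage: 20Gi
```

If a pod stays Pending, kubectl describe pod on it reports either an unsatisfied anti-affinity rule (too few nodes) or a PVC that could not be bound (EBS provisioning not available), which maps directly onto the two prerequisites above.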
Wazuh manager cluster deployment
First, you need to deploy the Kubernetes YAML files in the base folder:
Then, it is preferable to wait for the Elasticsearch Pod to be fully up and initialized before you deploy Kibana, because the Kibana Pod loads the Wazuh templates into the Elasticsearch installation. You can deploy the Kibana Kubernetes Deployment from the kibana folder:
This repository does not show how to deploy the Wazuh agent in a Kubernetes cluster. Normally, we would use a DaemonSet to deploy the agent on each Kubernetes node. To do that, we would need a Docker image with the Wazuh agent installed on it, and we would then need to mount almost every folder of the host inside that container (/bin, /etc, /var/log, etc.). That is a very complicated task, since you cannot simply mount the /bin folder of your host over the /bin folder of your container. Therefore, creating such a Docker image and using it in a Kubernetes DaemonSet is not the ideal way to deploy a Wazuh agent. Instead, you should take a look at the Wazuh Ansible playbooks project or at the Wazuh Puppet module project to deploy your Wazuh agents.
TODO
Secure the Wazuh API.
Use an enterprise-class Elasticsearch cluster instead of a single node. The kubernetes-elasticsearch-cluster repository looks like a great place to start from.
Make the Logstash deployment highly available.
Make the Kibana deployment highly available.