diff --git a/source/_static/js/redirects.js b/source/_static/js/redirects.js index 0afb98791d..c48bb4dee6 100644 --- a/source/_static/js/redirects.js +++ b/source/_static/js/redirects.js @@ -66,6 +66,46 @@ removedUrls['x.y'] = [ /* *** RELEASE 4.10 ****/ +/* Redirections from 4.9 to 4.10 */ + +redirections.push( + { + 'target': ['4.9=>4.10', '4.10=>4.9'], + '4.9': '/user-manual/wazuh-indexer-cluster.html', + '4.10': '/user-manual/wazuh-indexer-cluster/index.html', + }, + { + 'target': ['4.9=>4.10', '4.10=>4.9'], + '4.9': '/user-manual/wazuh-indexer-cluster.html#certificates-deployment', + '4.10': '/user-manual/wazuh-indexer-cluster/certificate-deployment.html', + }, + { + 'target': ['4.9=>4.10', '4.10=>4.9'], + '4.9': '/user-manual/wazuh-indexer-cluster.html#adding-wazuh-indexer-nodes', + '4.10': '/user-manual/wazuh-indexer-cluster/add-wazuh-indexer-nodes.html', + }, + { + 'target': ['4.9=>4.10', '4.10=>4.9'], + '4.9': '/user-manual/wazuh-indexer-cluster.html#cluster-management', + '4.10': '/user-manual/wazuh-indexer-cluster/cluster-management.html', + }, + { + 'target': ['4.9=>4.10', '4.10=>4.9'], + '4.9': '/user-manual/wazuh-indexer/index-life-management.html', + '4.10': '/user-manual/wazuh-indexer-cluster/index-lifecycle-management.html', + }, + { + 'target': ['4.9=>4.10', '4.10=>4.9'], + '4.9': '/user-manual/wazuh-indexer/wazuh-indexer-tuning.html#configure-shard-allocation-awareness-or-forced-awareness', + '4.10': '/user-manual/wazuh-indexer-cluster/wazuh-indexer-cluster-tuning.html#configure-shard-allocation-awareness-or-forced-awareness', + }, + { + 'target': ['4.9=>4.10', '4.10=>4.9'], + '4.9': '/user-manual/wazuh-indexer/wazuh-indexer-tuning.html#set-node-attributes-for-each-node-in-a-cluster', + '4.10': '/user-manual/wazuh-indexer-cluster/wazuh-indexer-cluster-tuning.html#set-node-attributes-for-each-node-in-a-cluster', + }, +); + /* Pages added in 4.10 */ newUrls['4.10'] = [ 
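Review bot: The first and fifth entries added to `redirections.push(...)` give `/user-manual/wazuh-indexer-cluster.html` and `/user-manual/wazuh-indexer/index-life-management.html` a 4.10 equivalent, but the next hunk of this file also lists those two 4.9 paths in `removedUrls['4.10']` and their 4.10 targets in `newUrls['4.10']`. The same URL is therefore described both as having a counterpart in the other release and as having none. The code that reads these tables is outside the hunk, so which rule the version switcher applies first cannot be checked from here. If the redirection is meant to win, either drop the redirected paths from the two lists or add a comment above them such as `/* These paths also have a 4.9<=>4.10 redirection above, which takes precedence */`. The bare `/user-manual/wazuh-indexer-cluster/wazuh-indexer-cluster-tuning.html` entry looks intentional, since only its two anchors are redirected.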
@@ -75,8 +115,21 @@ newUrls['4.10'] = [ '/user-manual/capabilities/vulnerability-detection/troubleshooting.html', '/user-manual/capabilities/vulnerability-detection/FAQ.html', '/user-manual/capabilities/vulnerability-detection/known-issues.html', + '/user-manual/wazuh-indexer-cluster/index.html', + '/user-manual/wazuh-indexer-cluster/certificate-deployment.html', + '/user-manual/wazuh-indexer-cluster/add-wazuh-indexer-nodes.html', + '/user-manual/wazuh-indexer-cluster/index-lifecycle-management.html', + '/user-manual/wazuh-indexer-cluster/wazuh-indexer-cluster-tuning.html', + '/user-manual/wazuh-indexer-cluster/cluster-management.html', ] +/* Pages no longer available in 4.10 */ + +removedUrls['4.10'] = [ + '/user-manual/wazuh-indexer-cluster.html', + '/user-manual/wazuh-indexer/index-life-management.html', +]; + /* *** RELEASE 4.9 ****/ /* Redirections from 4.8 to 4.9 */ diff --git a/source/_templates/installations/indexer/common/deploy_certificates.rst b/source/_templates/installations/indexer/common/deploy_certificates.rst index 37ad0b3246..387bd71991 100644 --- a/source/_templates/installations/indexer/common/deploy_certificates.rst +++ b/source/_templates/installations/indexer/common/deploy_certificates.rst @@ -1,11 +1,11 @@ .. Copyright (C) 2015, Wazuh, Inc. -#. Run the following commands replacing ```` with the name of the Wazuh indexer node you are configuring as defined in ``config.yml``. For example, ``node-1``. This deploys the SSL certificates to encrypt communications between the Wazuh central components. +#. Run the following commands replacing ```` with the name of the Wazuh indexer node you are configuring as defined in ``config.yml``. For example, ``node-1``. This deploys the SSL certificates to encrypt communications between the Wazuh central components. .. code-block:: console - # NODE_NAME= + # NODE_NAME= .. code-block:: console 
diff --git a/source/_templates/installations/manager/configure_wazuh_master_node.rst b/source/_templates/installations/manager/configure_wazuh_master_node.rst index e5ddbdcd20..cbe47edcb2 100644 --- a/source/_templates/installations/manager/configure_wazuh_master_node.rst +++ b/source/_templates/installations/manager/configure_wazuh_master_node.rst @@ -10,7 +10,7 @@ 1516 0.0.0.0 - WAZUH-MASTER-ADDRESS + no no diff --git a/source/_templates/installations/manager/configure_wazuh_worker_node.rst b/source/_templates/installations/manager/configure_wazuh_worker_node.rst index ddfd74bde2..e2135996dd 100644 --- a/source/_templates/installations/manager/configure_wazuh_worker_node.rst +++ b/source/_templates/installations/manager/configure_wazuh_worker_node.rst @@ -12,7 +12,7 @@ Configure the cluster node by editing the following settings in the ``/var/ossec 1516 0.0.0.0 - WAZUH-MASTER-ADDRESS + no no diff --git a/source/cloud-security/amazon/services/prerequisites/considerations.rst b/source/cloud-security/amazon/services/prerequisites/considerations.rst index a7ef86b9dd..4d9f3ec4a0 100644 --- a/source/cloud-security/amazon/services/prerequisites/considerations.rst +++ b/source/cloud-security/amazon/services/prerequisites/considerations.rst @@ -38,7 +38,7 @@ In the ``/var/ossec/etc/ossec.conf`` file of the Wazuh server or agent, the conf yes - WAZUH_AWS_BUCKET + default 123456789012 us-east-1,us-east-2 diff --git a/source/cloud-security/amazon/services/supported-services/cloudtrail.rst b/source/cloud-security/amazon/services/supported-services/cloudtrail.rst index f4770cf22e..c153fb0554 100644 --- a/source/cloud-security/amazon/services/supported-services/cloudtrail.rst +++ b/source/cloud-security/amazon/services/supported-services/cloudtrail.rst 
@@ -46,9 +46,9 @@ Amazon CloudTrail configuration .. code-block:: xml - //AWSLogs//CloudTrail//// + //AWSLogs//CloudTrail//// - The structure may change depending on the different configurations of the services, or changing of the ```` & ```` values by the user. + The structure may change depending on the different configurations of the services, or changing of the ```` and ```` values by the user. #. Choose log events to be recorded and click **Next**. diff --git a/source/cloud-security/amazon/services/supported-services/ecr-image-scanning.rst b/source/cloud-security/amazon/services/supported-services/ecr-image-scanning.rst index 8d5f76cabc..fa7b315293 100644 --- a/source/cloud-security/amazon/services/supported-services/ecr-image-scanning.rst +++ b/source/cloud-security/amazon/services/supported-services/ecr-image-scanning.rst @@ -141,7 +141,7 @@ You need the following Amazon ECR permissions to `push images ::repository/" + "Resource": "arn:aws:ecr:::repository/" } Amazon Lambda and Amazon EventBridge permissions diff --git a/source/cloud-service/archive-data/filename-format.rst b/source/cloud-service/archive-data/filename-format.rst index 20fa3f78ea..15e27fceb5 100644 --- a/source/cloud-service/archive-data/filename-format.rst +++ b/source/cloud-service/archive-data/filename-format.rst 
@@ -11,34 +11,34 @@ The files are stored in a directory structure that indicates the date and time t The main path follows this format: -``wazuh-cloud-cold-//[/]///`` +``wazuh-cloud-cold-//[/]///`` Each file has the following name: -``_[_]__.`` +``_[_]__.`` The files include the following fields: +-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | field | Description | +===============================+==============================================================================================================================================================================================================================+ -| ```` | The region where the environment is located. | +| ```` | The region where the environment is located. | +-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| ```` | Cloud ID of the environment. | +| ```` | Cloud ID of the environment. | +-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| ```` | This field must be *output*. | +| ```` | This field must be *output*. | +-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| ```` | This field is only used by the output category and contains *alerts* or *archives* files. 
| +| ```` | This field is only used by the output category and contains *alerts* or *archives* files. | +-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| ```` | The year when the file was delivered. | +| ```` | The year when the file was delivered. | +-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| ```` | The month when the file was delivered. | +| ```` | The month when the file was delivered. | +-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| ```` | The day when the file was delivered. | +| ```` | The day when the file was delivered. | +-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | ```` | Digits of the year, month, day, hour, and minute when the file was delivered. Hours are in 24-hour format and in UTC. A log file delivered at a specific time can contain records written at any point before that time. 
| +-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | ```` | The 16-character UniqueString component of the file name prevents overwriting files. It has no meaning and log processing software should ignore it. | +-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| ```` | It is the encoding of the file. This field is *json.gz* for *output* files, which is a JSON text file in compressed gzip format, and *tar.gz* for *configuration* files. | +| ```` | It is the encoding of the file. This field is *json.gz* for *output* files, which is a JSON text file in compressed gzip format, and *tar.gz* for *configuration* files. | +-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/source/cloud-service/cli/index.rst b/source/cloud-service/cli/index.rst index 8bc64d68f7..a02c2c516a 100644 --- a/source/cloud-service/cli/index.rst +++ b/source/cloud-service/cli/index.rst @@ -49,7 +49,7 @@ By default, the Wazuh Cloud CLI reads the credential information from a local fi A non-default location can be specified for the config file by setting the `WAZUH_CLOUD_CREDENTIALS_FILE` environment variable to another local path. -1. Create the credentials file and add your :ref:`API key `. +1. Create the credentials file and add your :ref:`API key `. ``~/.wazuh-cloud/credentials`` 
@@ -65,7 +65,7 @@ A non-default location can be specified for the config file by setting the `WAZU .. code-block:: console - # wcloud-cli test-credentials --profile + # wcloud-cli test-credentials --profile .. code-block:: none :class: output diff --git a/source/cloud-service/your-environment/agents-without-internet.rst b/source/cloud-service/your-environment/agents-without-internet.rst index af0a4520d1..5f443c03d8 100644 --- a/source/cloud-service/your-environment/agents-without-internet.rst +++ b/source/cloud-service/your-environment/agents-without-internet.rst @@ -78,7 +78,7 @@ To achieve this configuration, follow these steps: .. code-block:: - WAZUH_MANAGER_IP= WAZUH_PROTOCOL="tcp" \ + WAZUH_MANAGER_IP= WAZUH_PROTOCOL="tcp" \ WAZUH_PASSWORD="" \ yum install wazuh-agent|WAZUH_AGENT_RPM_PKG_INSTALL| @@ -93,7 +93,7 @@ In case your agents are located in AWS, you can access our Wazuh Cloud service s 2. Go to the **Help** section to contact the Wazuh team requesting your VPC endpoint service name. It has this format: - ``com.amazonaws.vpce..vpce-svc-`` + ``com.amazonaws.vpce..vpce-svc-`` 3. Select your endpoints in AWS: @@ -107,7 +107,7 @@ In case your agents are located in AWS, you can access our Wazuh Cloud service s 5. After the endpoint is created, Wazuh approves the connection and sends a notification when it is ready to use. -6. You can now enroll your Wazuh agent but replace the *WAZUH_MANAGER_IP* value with the endpoint's DNS (``vpce-.vpce-svc-..vpce.amazonaws.com``). +6. You can now enroll your Wazuh agent but replace the *WAZUH_MANAGER_IP* value with the endpoint's DNS (``vpce-.vpce-svc-..vpce.amazonaws.com``). If the agents are located in a different region than your endpoint, use VPC Peerings to connect them to the endpoint service. 
@@ -115,7 +115,7 @@ In case your agents are located in AWS, you can access our Wazuh Cloud service s .. code-block:: - WAZUH_MANAGER_IP=vpce-.vpce-svc-..vpce.amazonaws.com WAZUH_PROTOCOL="tcp" \ + WAZUH_MANAGER_IP=vpce-.vpce-svc-..vpce.amazonaws.com WAZUH_PROTOCOL="tcp" \ WAZUH_PASSWORD=">" \ yum install wazuh-agent|WAZUH_AGENT_RPM_PKG_INSTALL| diff --git a/source/cloud-service/your-environment/settings.rst b/source/cloud-service/your-environment/settings.rst index 79b4952e44..aa14a7e334 100644 --- a/source/cloud-service/your-environment/settings.rst +++ b/source/cloud-service/your-environment/settings.rst @@ -37,7 +37,7 @@ Two settings define the behavior of the indexed data: Data remains indexed until either the indexed data retention or the indexed data capacity is reached. In other words, once either of the settings' values is reached, data rotation will occur (removing the oldest data) until the settings' conditions are met. -To configure index management policies, see :doc:`Index life management ` documentation. +To configure index management policies, see :doc:`/user-manual/wazuh-indexer-cluster/index-lifecycle-management` documentation. .. _cloud_settings_archive_data: diff --git a/source/compliance/nist/active-response.rst b/source/compliance/nist/active-response.rst index cdf3e2d790..8fc0770a1e 100644 --- a/source/compliance/nist/active-response.rst +++ b/source/compliance/nist/active-response.rst @@ -53,16 +53,16 @@ Ubuntu endpoint .. code-block:: console - # useradd - # useradd + # useradd + # useradd - In our use case, ```` is ``kon``, while ```` is ``jon``. + In our use case, ```` is ``kon``, while ```` is ``jon``. -#. Attempt to log in with the wrong credentials to the ```` account using ```` account: +#. Attempt to log in with the wrong credentials to the ```` account using ```` account: .. code-block:: console - :$ su + :$ su The image below shows the related alerts on the Wazuh dashboard: 
@@ -83,7 +83,7 @@ Ubuntu endpoint .. code-block:: console - # passwd --status + # passwd --status diff --git a/source/deployment-options/deploying-with-ansible/setup-remote-systems.rst b/source/deployment-options/deploying-with-ansible/setup-remote-systems.rst index 96a10e8406..99a8ba6a0a 100644 --- a/source/deployment-options/deploying-with-ansible/setup-remote-systems.rst +++ b/source/deployment-options/deploying-with-ansible/setup-remote-systems.rst @@ -22,7 +22,7 @@ Ansible does most of the work via SSH, and uses SSH authentication mechanisms. I .. code-block:: none :class: output - -u Set the connection user. + -u Set the connection user. -k Ask the password of the connection user. -b Execute task and operations with a privilege user. -K Ask for sudo password, intended for privilege escalation. diff --git a/source/deployment-options/offline-installation/installation-assistant.rst b/source/deployment-options/offline-installation/installation-assistant.rst index f88eb0eb56..92b6469582 100644 --- a/source/deployment-options/offline-installation/installation-assistant.rst +++ b/source/deployment-options/offline-installation/installation-assistant.rst @@ -54,11 +54,11 @@ Testing the cluster installation # tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1 -#. Run the following command to confirm that the installation is successful. Replace ```` with the password gotten from the output of the previous command. Replace ```` with the configured Wazuh indexer IP address: +#. Run the following command to confirm that the installation is successful. Replace ```` with the password gotten from the output of the previous command. Replace ```` with the configured Wazuh indexer IP address: .. code-block:: console - # curl -k -u admin: https://:9200 + # curl -k -u admin: https://:9200 .. code-block:: none :class: output 
@@ -80,11 +80,11 @@ Testing the cluster installation "tagline" : "The OpenSearch Project: https://opensearch.org/" } -#. Replace ```` and ````, and run the following command to check if the cluster is working correctly: +#. Replace ```` and ````, and run the following command to check if the cluster is working correctly: .. code-block:: console - # curl -k -u admin: https://:9200/_cat/nodes?v + # curl -k -u admin: https://:9200/_cat/nodes?v Installing the Wazuh server ^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -141,7 +141,7 @@ Installing the Wazuh dashboard # bash wazuh-install.sh --offline-installation --wazuh-dashboard dashboard - The default Wazuh web user interface port is 443, used by the Wazuh dashboard. You can change this port using the optional parameter ``-p|--port ``. Some recommended ports are 8443, 8444, 8080, 8888, and 9000. + The default Wazuh web user interface port is 443, used by the Wazuh dashboard. You can change this port using the optional parameter ``-p|--port ``. Some recommended ports are 8443, 8444, 8080, 8888, and 9000. Once the assistant finishes the installation, the output shows the access credentials and a message that confirms that the installation was successful. @@ -149,7 +149,7 @@ Installing the Wazuh dashboard :emphasize-lines: 3,4 INFO: --- Summary --- - INFO: You can access the web interface https:// + INFO: You can access the web interface https:// User: admin Password: @@ -163,7 +163,7 @@ Installing the Wazuh dashboard #. Access the Wazuh web interface with your credentials. - - URL: *https://* + - URL: *https://* diff --git a/source/deployment-options/offline-installation/step-by-step.rst b/source/deployment-options/offline-installation/step-by-step.rst index d154955e59..64bd71bc49 100644 --- a/source/deployment-options/offline-installation/step-by-step.rst +++ b/source/deployment-options/offline-installation/step-by-step.rst 
@@ -46,11 +46,11 @@ Installing the Wazuh indexer # dpkg -i ./wazuh-offline/wazuh-packages/wazuh-indexer*.deb -#. Run the following commands replacing ```` with the name of the Wazuh indexer node you are configuring as defined in ``config.yml``. For example, ``node-1``. This deploys the SSL certificates to encrypt communications between the Wazuh central components. +#. Run the following commands replacing ```` with the name of the Wazuh indexer node you are configuring as defined in ``config.yml``. For example, ``node-1``. This deploys the SSL certificates to encrypt communications between the Wazuh central components. .. code-block:: console - # NODE_NAME= + # NODE_NAME= .. code-block:: console @@ -382,11 +382,11 @@ Installing the Wazuh dashboard # dpkg -i ./wazuh-offline/wazuh-packages/wazuh-dashboard*.deb -#. Replace ``>`` with your Wazuh dashboard node name, the same used in ``config.yml`` to create the certificates. For example, ``dashboard``. Then, move the certificates to their corresponding location. +#. Replace ```` with your Wazuh dashboard node name, the same used in ``config.yml`` to create the certificates. For example, ``dashboard``. Then, move the certificates to their corresponding location. .. code-block:: console - # NODE_NAME=> + # NODE_NAME= .. code-block:: console @@ -567,7 +567,7 @@ Select your deployment type and follow the instructions to change the default pa url: https://127.0.0.1 port: 55000 username: wazuh-wui - password: "" + password: "" run_as: false #. Restart the Wazuh dashboard to apply the changes. diff --git a/source/deployment-options/virtual-machine/virtual-machine.rst b/source/deployment-options/virtual-machine/virtual-machine.rst index 5a5662fa1b..2e3cd42654 100644 --- a/source/deployment-options/virtual-machine/virtual-machine.rst +++ b/source/deployment-options/virtual-machine/virtual-machine.rst 
@@ -8,7 +8,7 @@ Virtual Machine (OVA) ===================== -Wazuh provides a pre-built virtual machine image in Open Virtual Appliance (OVA) format. This can be directly imported to VirtualBox or other OVA compatible virtualization systems. Take into account that this VM only runs on 64-bit systems. It does not provide high availability and scalability out of the box. However, these can be implemented by using :doc:`distributed deployment `. +Wazuh provides a pre-built virtual machine image in Open Virtual Appliance (OVA) format. This can be directly imported to VirtualBox or other OVA compatible virtualization systems. Take into account that this VM only runs on 64-bit systems with x86_64/AMD64 architecture. It does not provide high availability and scalability out of the box. However, these can be implemented by using :doc:`distributed deployment `. Download the `virtual appliance (OVA) `_, which contains the following components: 
@@ -25,18 +25,18 @@ Packages list .. |VM_AL2_64_OVA| replace:: `wazuh-|WAZUH_CURRENT_OVA|.ova `__ (`sha512 `__) .. |WAZUH_OVA_VERSION| replace:: |WAZUH_CURRENT_OVA| -+----------------+--------------+--------------+----------------------+------------------+ -| Distribution | Architecture | VM Format | Version | Package | -+================+==============+==============+======================+==================+ -| Amazon Linux 2 | 64-bit | OVA | |WAZUH_OVA_VERSION| | |VM_AL2_64_OVA| | -+----------------+--------------+--------------+----------------------+------------------+ ++----------------+-----------------------------------+--------------+----------------------+------------------+ +| Distribution | Architecture | VM Format | Version | Package | ++================+===================================+==============+======================+==================+ +| Amazon Linux 2 | 64-bit x86_64/AMD64 architecture | OVA | |WAZUH_OVA_VERSION| | |VM_AL2_64_OVA| | ++----------------+-----------------------------------+--------------+----------------------+------------------+ Hardware requirements --------------------- The following requirements have to be in place before the Wazuh VM can be imported into a host operating system: -- The host operating system has to be a 64-bit system. +- The host operating system has to be a 64-bit system with x86_64/AMD64 architecture. - Hardware virtualization has to be enabled on the firmware of the host. - A virtualization platform, such as VirtualBox, should be installed on the host system. diff --git a/source/installation-guide/wazuh-dashboard/index.rst b/source/installation-guide/wazuh-dashboard/index.rst index 03095fbed0..d930bbfaaf 100644 --- a/source/installation-guide/wazuh-dashboard/index.rst +++ b/source/installation-guide/wazuh-dashboard/index.rst 
@@ -74,7 +74,7 @@ Check the supported operating systems and the recommended hardware requirements Recommended operating systems ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Wazuh can be installed on a 64-bit Linux operating system. Wazuh supports the following operating system versions: +The Wazuh dashboard requires a 64-bit Intel or AMD Linux processor (x86_64/AMD64 architecture) to run. Wazuh supports the following operating system versions: .. list-table:: :width: 100% diff --git a/source/installation-guide/wazuh-dashboard/installation-assistant.rst b/source/installation-guide/wazuh-dashboard/installation-assistant.rst index 0d4fb325fb..eb9f398b19 100644 --- a/source/installation-guide/wazuh-dashboard/installation-assistant.rst +++ b/source/installation-guide/wazuh-dashboard/installation-assistant.rst @@ -27,7 +27,7 @@ Wazuh dashboard installation # bash wazuh-install.sh --wazuh-dashboard dashboard - The default Wazuh web user interface port is 443, used by the Wazuh dashboard. You can change this port using the optional parameter ``-p|--port ``. Some recommended ports are 8443, 8444, 8080, 8888, and 9000. + The default Wazuh web user interface port is 443, used by the Wazuh dashboard. You can change this port using the optional parameter ``-p|--port ``. Some recommended ports are 8443, 8444, 8080, 8888, and 9000. Once the Wazuh installation is completed, the output shows the access credentials and a message that confirms that the installation was successful. @@ -35,7 +35,7 @@ Wazuh dashboard installation :emphasize-lines: 3,4 INFO: --- Summary --- - INFO: You can access the web interface https:// + INFO: You can access the web interface https:// User: admin Password: @@ -49,7 +49,7 @@ Wazuh dashboard installation #. Access the Wazuh web interface with your credentials. - - URL: *https://* + - URL: *https://* - **Username**: *admin* - **Password**: ** 
diff --git a/source/installation-guide/wazuh-dashboard/step-by-step.rst b/source/installation-guide/wazuh-dashboard/step-by-step.rst index ce445b1a78..9e7f3350b1 100644 --- a/source/installation-guide/wazuh-dashboard/step-by-step.rst +++ b/source/installation-guide/wazuh-dashboard/step-by-step.rst @@ -216,7 +216,7 @@ Select your deployment type and follow the instructions to change the default pa url: https://127.0.0.1 port: 55000 username: wazuh-wui - password: "" + password: "" run_as: false #. Restart the Wazuh dashboard to apply the changes. diff --git a/source/installation-guide/wazuh-indexer/index.rst b/source/installation-guide/wazuh-indexer/index.rst index aa19068ab7..2c9aa8d1bb 100644 --- a/source/installation-guide/wazuh-indexer/index.rst +++ b/source/installation-guide/wazuh-indexer/index.rst @@ -73,7 +73,7 @@ Check the supported operating systems and the recommended hardware requirements Recommended operating systems ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Wazuh can be installed on a 64-bit Linux operating system. Wazuh supports the following operating system versions: +The Wazuh indexer requires a 64-bit Intel or AMD Linux processor (x86_64/AMD64 architecture) to run. Wazuh supports the following operating system versions: .. list-table:: :width: 100% diff --git a/source/installation-guide/wazuh-indexer/step-by-step.rst b/source/installation-guide/wazuh-indexer/step-by-step.rst index 66597db5ee..38421a3f46 100644 --- a/source/installation-guide/wazuh-indexer/step-by-step.rst +++ b/source/installation-guide/wazuh-indexer/step-by-step.rst 
@@ -71,7 +71,7 @@ Generating the SSL certificates ip: "" - To learn more about how to create and configure the certificates, see the :ref:`certificates_deployment` section. + To learn more about how to create and configure the certificates, see the :doc:`/user-manual/wazuh-indexer-cluster/certificate-deployment` section. #. Run ``./wazuh-certs-tool.sh`` to create the certificates. For a multi-node cluster, these certificates need to be later deployed to all Wazuh instances in your cluster. diff --git a/source/installation-guide/wazuh-server/index.rst b/source/installation-guide/wazuh-server/index.rst index c5be54b0b1..8de87c1f15 100644 --- a/source/installation-guide/wazuh-server/index.rst +++ b/source/installation-guide/wazuh-server/index.rst @@ -74,7 +74,7 @@ Check the supported operating systems and the recommended hardware requirements Recommended operating systems ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Wazuh server can be installed on a 64-bit Linux operating system. Wazuh supports the following operating system versions: +The Wazuh server requires a 64-bit Intel or AMD Linux processor (x86_64/AMD64 architecture) to run. Wazuh supports the following operating system versions: .. list-table:: :width: 100% diff --git a/source/quickstart.rst b/source/quickstart.rst index 671d77f099..af22cf173e 100644 --- a/source/quickstart.rst +++ b/source/quickstart.rst @@ -45,8 +45,7 @@ For larger environments we recommend a distributed deployment. Multi-node cluste Operating system ^^^^^^^^^^^^^^^^ -Wazuh central components can be installed on a 64-bit Linux operating system. Wazuh recommends any of the following operating system versions: - +The Wazuh central components require a 64-bit Intel or AMD Linux processor (x86_64/AMD64 architecture) to run. Wazuh recommends any of the following operating system versions: .. list-table:: :width: 100% 
@@ -74,14 +73,14 @@ Installing Wazuh :emphasize-lines: 4 INFO: --- Summary --- - INFO: You can access the web interface https:// + INFO: You can access the web interface https:// User: admin Password: INFO: Installation finished. You now have installed and configured Wazuh. -#. Access the Wazuh web interface with ``https://`` and your credentials: +#. Access the Wazuh web interface with ``https://`` and your credentials: - Username: admin - Password: diff --git a/source/release-notes/release-4-10-0.rst b/source/release-notes/release-4-10-0.rst index be3d69cf8c..13b917e06c 100644 --- a/source/release-notes/release-4-10-0.rst +++ b/source/release-notes/release-4-10-0.rst 
@@ -8,6 +8,20 @@ This section lists the changes in version 4.10.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases. +Highlights +---------- + +This release delivers key improvements across several areas, including enhanced debugging, expanded integration capabilities, standardised logging, refined compliance checks, and an improved dashboard user experience. + +Key features include the following: + +- `Wazuh debug symbols generation `__: Debug symbols are now generated during builds for macOS, Linux, and Windows, with crash dump generation by default in installers. Adequate documentation is provided for users to disable the crash dump generation process. +- `Standardized logging for cloud integrations `__: A logger has been introduced to standardize logs for cloud integration modules, improving log management and consistency. +- `Microsoft Intune integration `__: Integration with Microsoft Intune allows Wazuh to retrieve audit logs from managed devices, process them using built-in decoders and rules, and generate actionable security alerts. +- `Vulnerability evaluation status `__: A new field has been introduced to indicate whether a vulnerability is under evaluation or disputed, assisting users in tracking vulnerabilities still awaiting analysis in the National Vulnerability Database (NVD). +- `Wazuh Dashboard UI improvements `__: Several key sections of the Wazuh dashboard have been redesigned to improve the user experience. Changes include updates to the **Overview**, **Events**, and **Agent detail** pages, along with the addition of an **Agents management** menu. Additionally, there are redesigns of the deploy new agent page, adjustments to the loading logo size, and fixes to the vulnerability inventory table for improved usability. 
+- **Reworked SCA policies**: Numerous SCA policies have been reworked, including policies for Rocky Linux 8, Alma Linux 8, Amazon Linux 2023, Windows Server 2019, RedHat 9, Windows Server 2012 R2, Windows Server 2012 (no R2), Debian 10, Ubuntu 18, Amazon Linux 2, SUSE 15, macOS Ventura, and Windows 11 Enterprise.. + What's new ---------- diff --git a/source/upgrade-guide/upgrading-central-components.rst b/source/upgrade-guide/upgrading-central-components.rst index f60b1186cf..503486072b 100644 --- a/source/upgrade-guide/upgrading-central-components.rst +++ b/source/upgrade-guide/upgrading-central-components.rst @@ -229,6 +229,33 @@ Configuring Filebeat # filebeat setup --pipelines # filebeat setup --index-management -E output.logstash.enabled=false +#. If you are upgrading from versions v4.8.x or v4.9.x, manually update the ``wazuh-states-vulnerabilities-*`` mappings using the following command: + + .. code-block:: console + + curl -X PUT "https://:9200/wazuh-states-vulnerabilities-*/_mapping" -u : -k -H 'Content-Type: application/json' -d' + { + "properties": { + "vulnerability": { + "properties": { + "under_evaluation": { + "type": "boolean" + }, + "scanner": { + "properties": { + "source": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + } + } + } + ' + + Upgrading the Wazuh dashboard ----------------------------- diff --git a/source/user-manual/agent/agent-enrollment/enrollment-methods/via-agent-configuration/linux-endpoint.rst b/source/user-manual/agent/agent-enrollment/enrollment-methods/via-agent-configuration/linux-endpoint.rst index 858cfa2e92..0cf44782ec 100644 --- a/source/user-manual/agent/agent-enrollment/enrollment-methods/via-agent-configuration/linux-endpoint.rst +++ b/source/user-manual/agent/agent-enrollment/enrollment-methods/via-agent-configuration/linux-endpoint.rst @@ -17,7 +17,7 @@ Follow the steps below to configure a Linux/Unix endpoint for enrollment via the -
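Review bot: The new mapping-update step in `upgrading-central-components.rst` passes the indexer credentials with `-u` while `-k` disables TLS certificate verification, and the step says nothing about when that is acceptable. The API getting-started table elsewhere in this commit limits `-k` to the default self-signed certificates, so a one-line caveat under the code block would match it, for example `Use -k only with the default self-signed certificates; otherwise replace it with --cacert <PATH_TO_ROOT_CA>.` The command also lacks the leading `# ` prompt that the `# filebeat setup --pipelines` lines just above it use, so the console block is inconsistent with the rest of the step list. It may be worth noting that credentials typed inline with `-u` end up in shell history; leaving the password off makes curl prompt for it.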
+
...
diff --git a/source/user-manual/agent/agent-enrollment/enrollment-methods/via-agent-configuration/macos-endpoint.rst b/source/user-manual/agent/agent-enrollment/enrollment-methods/via-agent-configuration/macos-endpoint.rst index a372aae6a1..de78f8521b 100644 --- a/source/user-manual/agent/agent-enrollment/enrollment-methods/via-agent-configuration/macos-endpoint.rst +++ b/source/user-manual/agent/agent-enrollment/enrollment-methods/via-agent-configuration/macos-endpoint.rst @@ -10,14 +10,14 @@ Follow these steps to configure a macOS endpoint for enrollment via the Wazuh ag #. Launch the terminal, obtain root access, edit the Wazuh agent configuration file ``/Library/Ossec/etc/ossec.conf``, and make the following changes: - #. Include the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the ``
`` section. Replace ```` with the Wazuh manager IP address or FQDN of the Wazuh manager: + #. Include the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the ``
`` section. Replace ```` with the Wazuh manager IP address or FQDN of the Wazuh manager: .. code-block:: xml :emphasize-lines: 3 -
+
...
diff --git a/source/user-manual/agent/agent-enrollment/enrollment-methods/via-agent-configuration/windows-endpoint.rst b/source/user-manual/agent/agent-enrollment/enrollment-methods/via-agent-configuration/windows-endpoint.rst index 5463665917..a32bbe4969 100644 --- a/source/user-manual/agent/agent-enrollment/enrollment-methods/via-agent-configuration/windows-endpoint.rst +++ b/source/user-manual/agent/agent-enrollment/enrollment-methods/via-agent-configuration/windows-endpoint.rst @@ -15,14 +15,14 @@ The Wazuh agent installation directory depends on the architecture of the endpoi #. Using an administrator account, modify the Wazuh agent configuration file ``ossec.conf`` in the installation directory. For this guide, we are assuming a 64-bit architecture. Hence, ``C:\Program Files (x86)\ossec-agent\ossec.conf`` - - Include the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the ``
`` section. Replace ```` with the Wazuh manager IP address or FQDN: + - Include the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the ``
`` section. Replace ```` with the Wazuh manager IP address or FQDN: .. code-block:: xml :emphasize-lines: 3 -
+
...
diff --git a/source/user-manual/agent/agent-enrollment/enrollment-methods/via-manager-API/importing-the-key.rst b/source/user-manual/agent/agent-enrollment/enrollment-methods/via-manager-API/importing-the-key.rst index 404a1facc1..a80cfb68ab 100644 --- a/source/user-manual/agent/agent-enrollment/enrollment-methods/via-manager-API/importing-the-key.rst +++ b/source/user-manual/agent/agent-enrollment/enrollment-methods/via-manager-API/importing-the-key.rst @@ -39,14 +39,14 @@ Follow the steps below to import the client key to a Linux/Unix endpoint: Confirm adding it?(y/n): y Added. -#. Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) to the Wazuh agent configuration file in ``/var/ossec/etc/ossec.conf``. Replace ```` with the IP address or FQDN (Fully Qualified Domain Name) of the Wazuh manager. +#. Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) to the Wazuh agent configuration file in ``/var/ossec/etc/ossec.conf``. Replace ```` with the IP address or FQDN (Fully Qualified Domain Name) of the Wazuh manager. .. code-block:: xml :emphasize-lines: 3 -
+
...
@@ -98,14 +98,14 @@ Follow the steps below to import the client key to a Windows endpoint. Confirm adding it?(y/n): y Added. -#. Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) to the Wazuh agent configuration file in ``C:\Program Files (x86)\ossec-agent\ossec.conf``. Replace ```` with the IP address or FQDN of the Wazuh manager. +#. Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) to the Wazuh agent configuration file in ``C:\Program Files (x86)\ossec-agent\ossec.conf``. Replace ```` with the IP address or FQDN of the Wazuh manager. .. code-block:: xml :emphasize-lines: 3 -
+
...
@@ -160,14 +160,14 @@ Follow the steps below to import the client key to a macOS endpoint: Confirm adding it?(y/n): y Added. -#. Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) to the Wazuh agent configuration file in ``/Library/Ossec/etc/ossec.conf``. Replace ```` with the IP address or FQDN of the Wazuh manager. +#. Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) to the Wazuh agent configuration file in ``/Library/Ossec/etc/ossec.conf``. Replace ```` with the IP address or FQDN of the Wazuh manager. .. code-block:: xml :emphasize-lines: 3 -
+
...
diff --git a/source/user-manual/agent/agent-enrollment/enrollment-methods/via-manager-API/requesting-the-key.rst b/source/user-manual/agent/agent-enrollment/enrollment-methods/via-manager-API/requesting-the-key.rst index 347e5efc30..c7f1c6de83 100644 --- a/source/user-manual/agent/agent-enrollment/enrollment-methods/via-manager-API/requesting-the-key.rst +++ b/source/user-manual/agent/agent-enrollment/enrollment-methods/via-manager-API/requesting-the-key.rst @@ -18,11 +18,11 @@ The steps below show how to request the Wazuh agent key for different operating Linux/Unix and macOS ^^^^^^^^^^^^^^^^^^^^ -#. Generate a JWT for authenticating to the Wazuh server API by making a curl request. The default Wazuh server API credentials are ``wazuh:wazuh``. Replace ```` with the Wazuh manager IP address or FQDN (Fully Qualified Domain Name): +#. Generate a JWT for authenticating to the Wazuh server API by making a curl request. The default Wazuh server API credentials are ``wazuh:wazuh``. Replace ```` with the Wazuh manager IP address or FQDN (Fully Qualified Domain Name): .. code-block:: console - # TOKEN=$(curl -u : -k -X POST "https://:55000/security/user/authenticate?raw=true") + # TOKEN=$(curl -u : -k -X POST "https://:55000/security/user/authenticate?raw=true") Run the command ``echo $TOKEN`` to confirm that the token was successfully generated: @@ -45,7 +45,7 @@ Linux/Unix and macOS .. code-block:: console - # curl -k -X POST -d '{"name":""}' "https://:55000/agents?pretty=true" -H "Content-Type:application/json" -H "Authorization: Bearer $TOKEN" + # curl -k -X POST -d '{"name":""}' "https://:55000/agents?pretty=true" -H "Content-Type:application/json" -H "Authorization: Bearer $TOKEN" The output with the key looks like this: 
@@ -99,11 +99,11 @@ Follow these steps to send Wazuh agent enrollment requests from a Windows endpoi # $base64AuthInfo=[Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f “”, “”))) - Then, request the JWT. Replace ```` with the IP address or FQDN (Fully Qualified Domain Name) of the Wazuh manager: + Then, request the JWT. Replace ```` with the IP address or FQDN (Fully Qualified Domain Name) of the Wazuh manager: .. code-block:: pwsh-session - # Invoke-WebRequest -UseBasicParsing -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -Method POST -Uri https://:55000/security/user/authenticate | Select-Object -Expand Content + # Invoke-WebRequest -UseBasicParsing -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -Method POST -Uri https://:55000/security/user/authenticate | Select-Object -Expand Content .. code-block:: none :class: output @@ -130,11 +130,11 @@ Follow these steps to send Wazuh agent enrollment requests from a Windows endpoi These environment variables will be used in subsequent requests made to the Wazuh manager. -#. To request the client key and agent ID, make a web request with the environment variables created. Replace ```` with the IP address or FQDN (Fully Qualified Domain Name) of the Wazuh manager. +#. To request the client key and agent ID, make a web request with the environment variables created. Replace ```` with the IP address or FQDN (Fully Qualified Domain Name) of the Wazuh manager. .. code-block:: pwsh-session - # Invoke-WebRequest -UseBasicParsing -Headers @{Authorization=("Bearer {0}" -f $TOKEN)} -Method POST -ContentType "application/json" -Uri https://:55000/agents -Body $AgentName + # Invoke-WebRequest -UseBasicParsing -Headers @{Authorization=("Bearer {0}" -f $TOKEN)} -Method POST -ContentType "application/json" -Uri https://:55000/agents -Body $AgentName The output should look like this: 
diff --git a/source/user-manual/agent/agent-enrollment/security-options/agent-identity-verification.rst b/source/user-manual/agent/agent-enrollment/security-options/agent-identity-verification.rst index e705ec9da3..cc3266faf3 100644 --- a/source/user-manual/agent/agent-enrollment/security-options/agent-identity-verification.rst +++ b/source/user-manual/agent/agent-enrollment/security-options/agent-identity-verification.rst @@ -51,7 +51,7 @@ Wazuh server configuration .. code-block:: console - # openssl req -new -nodes -newkey rsa:4096 -keyout sslagent.key -out sslagent.csr -subj '/C=US/CN=' + # openssl req -new -nodes -newkey rsa:4096 -keyout sslagent.key -out sslagent.csr -subj '/C=US/CN=' Where: @@ -107,7 +107,7 @@ Follow these steps to enroll a Linux/Unix endpoint by using certificates for age -
+
//sslagent.cert @@ -151,7 +151,7 @@ The Wazuh agent installation directory depends on the architecture of the host. -
WAZUH_MANAGER_IP
+
//sslagent.cert @@ -202,7 +202,7 @@ Follow these steps to enroll a macOS endpoint by using certificates for Wazuh ag -
+
//sslagent.cert diff --git a/source/user-manual/agent/agent-enrollment/security-options/manager-identity-verification.rst b/source/user-manual/agent/agent-enrollment/security-options/manager-identity-verification.rst index 7c8981127c..92c49e8fa9 100644 --- a/source/user-manual/agent/agent-enrollment/security-options/manager-identity-verification.rst +++ b/source/user-manual/agent/agent-enrollment/security-options/manager-identity-verification.rst @@ -38,7 +38,7 @@ Wazuh server configuration #. Generate an SSL certificate on the Wazuh server signed by the certificate authority. The steps to generate an SSL certificate for the Wazuh manager are as follows: - Create a certificate request configuration file ``req.conf`` on the Wazuh server. Replace ```` with the IP address or FQDN (Fully Qualified Domain Name) of the Wazuh manager where the Wazuh agents will be enrolled. The contents of the file can be as follows: + Create a certificate request configuration file ``req.conf`` on the Wazuh server. Replace ```` with the IP address or FQDN (Fully Qualified Domain Name) of the Wazuh manager where the Wazuh agents will be enrolled. The contents of the file can be as follows: .. code-block:: ini :emphasize-lines: 7 @@ -49,7 +49,7 @@ Wazuh server configuration prompt = no [req_distinguished_name] C = US - CN = + CN = [req_ext] subjectAltName = @alt_names [alt_names] @@ -118,7 +118,7 @@ Follow the steps below to enroll a Linux/Unix endpoint by using certificates to -
+
...
... @@ -165,7 +165,7 @@ The Wazuh agent installation directory depends on the architecture of the host. -
+
//rootCA.pem @@ -214,7 +214,7 @@ Follow the steps below to enroll a macOS endpoint by using certificates to verif -
+
...
... diff --git a/source/user-manual/agent/agent-enrollment/security-options/using-password-authentication.rst b/source/user-manual/agent/agent-enrollment/security-options/using-password-authentication.rst index 9cc16661f2..75d6d0a924 100644 --- a/source/user-manual/agent/agent-enrollment/security-options/using-password-authentication.rst +++ b/source/user-manual/agent/agent-enrollment/security-options/using-password-authentication.rst @@ -111,14 +111,14 @@ Follow these steps to enroll a Linux/Unix endpoint with password authentication:
-#. Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the ``
`` section of the Wazuh agent configuration file ``/var/ossec/etc/ossec.conf``. Replace ```` with the Wazuh manager IP address or FQDN: +#. Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the ``
`` section of the Wazuh agent configuration file ``/var/ossec/etc/ossec.conf``. Replace ```` with the Wazuh manager IP address or FQDN: .. code-block:: xml :emphasize-lines: 3 -
+
...
@@ -173,14 +173,14 @@ The Wazuh agent installation directory depends on the host's architecture. -#. Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the ``
`` section of the agent configuration file in ``C:\Program Files (x86)\ossec-agent\ossec.conf``. Replace ```` with the IP address or FQDN of the Wazuh manager. +#. Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the ``
`` section of the agent configuration file in ``C:\Program Files (x86)\ossec-agent\ossec.conf``. Replace ```` with the IP address or FQDN of the Wazuh manager. .. code-block:: xml :emphasize-lines: 3 -
+
...
@@ -244,14 +244,14 @@ Follow the steps below to enroll a macOS endpoint with password authentication: -#. Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) to the agent configuration file in ``/Library/Ossec/etc/ossec.conf``. Replace ```` with the IP address or FQDN of the Wazuh manager. +#. Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) to the agent configuration file in ``/Library/Ossec/etc/ossec.conf``. Replace ```` with the IP address or FQDN of the Wazuh manager. .. code-block:: xml :emphasize-lines: 3 -
+
...
diff --git a/source/user-manual/agent/agent-enrollment/troubleshooting.rst b/source/user-manual/agent/agent-enrollment/troubleshooting.rst index da1fce4c15..bb67b47ce2 100644 --- a/source/user-manual/agent/agent-enrollment/troubleshooting.rst +++ b/source/user-manual/agent/agent-enrollment/troubleshooting.rst @@ -35,27 +35,27 @@ The following default ports on the Wazuh manager should be opened: - 1515/TCP for enrollment via agent configuration. - 55000/TCP for enrollment via Wazuh server API. -On Linux and macOS systems (with netcat installed), open a terminal and run the following command. Replace ```` with your Wazuh manager IP address or FQDN (Fully Qualified Domain Name). +On Linux and macOS systems (with netcat installed), open a terminal and run the following command. Replace ```` with your Wazuh manager IP address or FQDN (Fully Qualified Domain Name). .. code-block:: console - # nc -zv 1514 1515 55000 + # nc -zv 1514 1515 55000 If there is connectivity, the output should be a connection success message: .. code-block:: none - Connection to port 1514 [tcp] succeeded! - Connection to port 1515 [tcp] succeeded! - Connection to port 55000 [tcp] succeeded! + Connection to port 1514 [tcp] succeeded! + Connection to port 1515 [tcp] succeeded! + Connection to port 55000 [tcp] succeeded! On Windows, open a PowerShell terminal and run the following command: .. code-block:: pwsh-session - # (new-object Net.Sockets.TcpClient).Connect("", 1514) - # (new-object Net.Sockets.TcpClient).Connect("", 1515) - # (new-object Net.Sockets.TcpClient).Connect("", 55000) + # (new-object Net.Sockets.TcpClient).Connect("", 1514) + # (new-object Net.Sockets.TcpClient).Connect("", 1515) + # (new-object Net.Sockets.TcpClient).Connect("", 55000) If there is connectivity, there is no output. Otherwise, an error is shown: 
diff --git a/source/user-manual/agent/agent-management/agent-connection.rst b/source/user-manual/agent/agent-management/agent-connection.rst index 65e202dd40..0bbbb53ea5 100644 --- a/source/user-manual/agent/agent-management/agent-connection.rst +++ b/source/user-manual/agent/agent-management/agent-connection.rst @@ -236,11 +236,11 @@ For the other capabilities of the ``/var/ossec/bin/agent_groups`` tool, refer to Using the :api-ref:`GET /agents ` Wazuh server API endpoint ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Run the command below on the Wazuh server or any endpoint that has connectivity with the Wazuh server. Replace ```` with the IP address or FQDN of the Wazuh server. +Run the command below on the Wazuh server or any endpoint that has connectivity with the Wazuh server. Replace ```` with the IP address or FQDN of the Wazuh server. .. code-block:: console - # curl -k -X GET "https://:55000/agents?agents_list=001&select=group_config_status&pretty=true" -H "Authorization: Bearer $TOKEN" + # curl -k -X GET "https://:55000/agents?agents_list=001&select=group_config_status&pretty=true" -H "Authorization: Bearer $TOKEN" .. code-block:: none :class: output diff --git a/source/user-manual/agent/agent-management/grouping-agents.rst b/source/user-manual/agent/agent-management/grouping-agents.rst index c3bf87cf7c..fd2eca8695 100644 --- a/source/user-manual/agent/agent-management/grouping-agents.rst +++ b/source/user-manual/agent/agent-management/grouping-agents.rst @@ -37,7 +37,7 @@ Below are the steps to assign agents to a group with a specific configuration: .. code-block:: console - # curl -k -X PUT "https://:55000/agents/002/group/dbms?pretty=true" -H "Authorization: Bearer $TOKEN" + # curl -k -X PUT "https://:55000/agents/002/group/dbms?pretty=true" -H "Authorization: Bearer $TOKEN" .. code-block:: none :class: output 
@@ -75,7 +75,7 @@ Below are the steps to assign agents to a group with a specific configuration: .. code-block:: console - # curl -k -X GET "https://:55000/groups/dbms/agents?pretty=true&select=id,name" -H "Authorization: Bearer $TOKEN" + # curl -k -X GET "https://:55000/groups/dbms/agents?pretty=true&select=id,name" -H "Authorization: Bearer $TOKEN" .. code-block:: none :class: output @@ -150,7 +150,7 @@ In this example, agent ``001`` has been added to the ``webserver`` and ``apache` .. code-block:: console - # curl -k -X PUT "https://:55000/agents/001/group/webserver?pretty=true" -H "Authorization: Bearer $TOKEN" + # curl -k -X PUT "https://:55000/agents/001/group/webserver?pretty=true" -H "Authorization: Bearer $TOKEN" .. code-block:: none :class: output @@ -168,7 +168,7 @@ In this example, agent ``001`` has been added to the ``webserver`` and ``apache` .. code-block:: console - # curl -k -X PUT "https://:55000/agents/001/group/apache?pretty=true" -H "Authorization: Bearer $TOKEN" + # curl -k -X PUT "https://:55000/agents/001/group/apache?pretty=true" -H "Authorization: Bearer $TOKEN" .. code-block:: none :class: output @@ -188,7 +188,7 @@ Following this, we can query for groups to which a Wazuh agent belongs using the .. code-block:: console - # curl -k -X GET "https://:55000/agents?pretty=true&agents_list=001&select=group" -H "Authorization: Bearer $TOKEN" + # curl -k -X GET "https://:55000/agents?pretty=true&agents_list=001&select=group" -H "Authorization: Bearer $TOKEN" .. code-block:: none :class: output diff --git a/source/user-manual/agent/agent-management/listing/listing.rst b/source/user-manual/agent/agent-management/listing/listing.rst index 3b8c905fc7..982471bc0f 100644 --- a/source/user-manual/agent/agent-management/listing/listing.rst +++ b/source/user-manual/agent/agent-management/listing/listing.rst 
@@ -10,7 +10,7 @@ The :api-ref:`GET /agents :55000/agents?pretty=true&sort=-ip,name" -H "Authorization: Bearer $TOKEN" + # curl -k -X GET "https://:55000/agents?pretty=true&sort=-ip,name" -H "Authorization: Bearer $TOKEN" .. code-block:: json :class: output diff --git a/source/user-manual/agent/agent-management/remote-upgrading/upgrading-agent.rst b/source/user-manual/agent/agent-management/remote-upgrading/upgrading-agent.rst index f9d88ff6df..5c6004c7a1 100644 --- a/source/user-manual/agent/agent-management/remote-upgrading/upgrading-agent.rst +++ b/source/user-manual/agent/agent-management/remote-upgrading/upgrading-agent.rst @@ -75,11 +75,11 @@ To upgrade agents using the command line, use the :doc:`/var/ossec/bin/agent_upg Using the RESTful API ---------------------- -#. List all outdated agents using endpoint :api-ref:`GET /agents/outdated `. Replace ```` with the IP address or FQDN of the Wazuh server: +#. List all outdated agents using endpoint :api-ref:`GET /agents/outdated `. Replace ```` with the IP address or FQDN of the Wazuh server: .. code-block:: console - # curl -k -X GET "https://:55000/agents/outdated?pretty=true" -H "Authorization: Bearer $TOKEN" + # curl -k -X GET "https://:55000/agents/outdated?pretty=true" -H "Authorization: Bearer $TOKEN" .. code-block:: none :class: output 
@@ -99,11 +99,11 @@ Using the RESTful API "error": 0, } -#. Upgrade the Wazuh agent using endpoint :api-ref:`PUT /agents/upgrade ` (here, we upgrade agents with ID *002* and *003*). Replace ```` with the IP address or FQDN of the Wazuh server: +#. Upgrade the Wazuh agent using endpoint :api-ref:`PUT /agents/upgrade ` (here, we upgrade agents with ID *002* and *003*). Replace ```` with the IP address or FQDN of the Wazuh server: .. code-block:: console - # curl -k -X PUT "https://:55000/agents/upgrade?agents_list=002,003&pretty=true" -H "Authorization: Bearer $TOKEN" + # curl -k -X PUT "https://:55000/agents/upgrade?agents_list=002,003&pretty=true" -H "Authorization: Bearer $TOKEN" .. code-block:: none :class: output @@ -134,11 +134,11 @@ Using the RESTful API This recommendation is based on testing with a Wazuh manager on a server with a 2.5 GHz AMD EPYC 7000 series processor and 4 GiB memory. Using an agent list with 3000 agents or fewer on a system with similar or better specifications guarantees a response before the API timeout occurs. -#. Check the upgrade results using endpoint :api-ref:`GET /agents/upgrade_result `. Replace ```` with the IP address or FQDN of the Wazuh server: +#. Check the upgrade results using endpoint :api-ref:`GET /agents/upgrade_result `. Replace ```` with the IP address or FQDN of the Wazuh server: .. code-block:: console - # curl -k -X GET "https://:55000/agents/upgrade_result?agents_list=002,003&pretty=true" -H "Authorization: Bearer $TOKEN" + # curl -k -X GET "https://:55000/agents/upgrade_result?agents_list=002,003&pretty=true" -H "Authorization: Bearer $TOKEN" .. code-block:: none :class: output 
@@ -181,7 +181,7 @@ Using the RESTful API .. code-block:: console - # curl -k -X GET "https://:55000/agents?agents_list=002,003&pretty=true&select=version" -H "Authorization: Bearer $TOKEN" + # curl -k -X GET "https://:55000/agents?agents_list=002,003&pretty=true&select=version" -H "Authorization: Bearer $TOKEN" .. code-block:: json :class: output diff --git a/source/user-manual/agent/agent-management/remove-agents/restful-api-remove.rst b/source/user-manual/agent/agent-management/remove-agents/restful-api-remove.rst index f648b57b04..9cdd571f6f 100644 --- a/source/user-manual/agent/agent-management/remove-agents/restful-api-remove.rst +++ b/source/user-manual/agent/agent-management/remove-agents/restful-api-remove.rst @@ -8,11 +8,11 @@ Remove agents using the Wazuh server API This section includes examples of using the :api-ref:`DELETE /agents ` request to delete a list of agents or agents disconnected for a given period. This action is performed on the Wazuh server or on an authorized endpoint. -The examples use an :ref:`authentication token `. To get your token, replace ``:`` with your Wazuh server API credentials, ```` with the Wazuh manager IP address or FQDN (Fully Qualified Domain Name), and run the following command: +The examples use an :ref:`authentication token `. To get your token, replace ``:`` with your Wazuh server API credentials, ```` with the Wazuh manager IP address or FQDN (Fully Qualified Domain Name), and run the following command: .. code-block:: console - # TOKEN=$(curl -u : -k -X GET "https://:55000/security/user/authenticate?raw=true") + # TOKEN=$(curl -u : -k -X GET "https://:55000/security/user/authenticate?raw=true") .. note:: 
@@ -25,9 +25,9 @@ You can remove specific Wazuh agents using a list. Use the parameter ``agents_li .. code-block:: console - # curl -k -X DELETE "https://:55000/agents?pretty=true&older_than=0s&agents_list=005,006,007&status=all" -H "Authorization: Bearer $TOKEN" + # curl -k -X DELETE "https://:55000/agents?pretty=true&older_than=0s&agents_list=005,006,007&status=all" -H "Authorization: Bearer $TOKEN" -Replace ```` with the IP address or FQDN of the Wazuh server. +Replace ```` with the IP address or FQDN of the Wazuh server. .. code-block:: json :class: output @@ -56,9 +56,9 @@ You can remove Wazuh agents that never connected or agents that have been discon .. code-block:: console - # curl -k -X DELETE "https://:55000/agents?pretty=true&older_than=21d&agents_list=all&status=never_connected,disconnected" -H "Authorization: Bearer $TOKEN" + # curl -k -X DELETE "https://:55000/agents?pretty=true&older_than=21d&agents_list=all&status=never_connected,disconnected" -H "Authorization: Bearer $TOKEN" -Replace ```` with the IP address or FQDN of the Wazuh server. +Replace ```` with the IP address or FQDN of the Wazuh server. .. code-block:: json :class: output diff --git a/source/user-manual/api/getting-started.rst b/source/user-manual/api/getting-started.rst index 3878bf7d38..a0dcfc513d 100644 --- a/source/user-manual/api/getting-started.rst +++ b/source/user-manual/api/getting-started.rst 
@@ -309,18 +309,18 @@ A standard Wazuh server API request consists of three essential components: the The cURL command for each request contains the following fields: -+-------------------------------------------------+----------------------------------------------------------------------------------------------------+ -| **Field** | **Description** | -+=================================================+====================================================================================================+ -| ``-X GET/POST/PUT/DELETE`` | Specify a request method to use when communicating with the HTTP server. | -+-------------------------------------------------+----------------------------------------------------------------------------------------------------+ -| ``http://:55000/`` | The API URL to use. Specify ``http`` or ``https`` depending on whether SSL is activated | -| ``https://:55000/`` | in the API or not. | -+-------------------------------------------------+----------------------------------------------------------------------------------------------------+ -| ``-H "Authorization: Bearer "`` | Include an extra header in the request to specify the JWT. | -+-------------------------------------------------+----------------------------------------------------------------------------------------------------+ -| ``-k`` | Suppress SSL certificate errors (only if you use the default self-signed certificates). 
| -+-------------------------------------------------+----------------------------------------------------------------------------------------------------+ ++---------------------------------------------------------+----------------------------------------------------------------------------------------------------+ +| **Field** | **Description** | ++=========================================================+====================================================================================================+ +| ``-X GET/POST/PUT/DELETE`` | Specify a request method to use when communicating with the HTTP server. | ++---------------------------------------------------------+----------------------------------------------------------------------------------------------------+ +| ``http://:55000/`` | The API URL to use. Specify ``http`` or ``https`` depending on whether SSL is activated | +| ``https://:55000/`` | in the API or not. | ++---------------------------------------------------------+----------------------------------------------------------------------------------------------------+ +| ``-H "Authorization: Bearer "`` | Include an extra header in the request to specify the JWT. | ++---------------------------------------------------------+----------------------------------------------------------------------------------------------------+ +| ``-k`` | Suppress SSL certificate errors (only if you use the default self-signed certificates). | ++---------------------------------------------------------+----------------------------------------------------------------------------------------------------+ All responses are in JSON format, and most of them follow this structure: 
@@ -345,7 +345,7 @@ All responses are in JSON format, and most of them follow this structure: - All responses include an HTTP status code: 2xx (success), 4xx (client error), 5xx (server error), etc. - All requests (except ``POST /security/user/authenticate`` and ``POST /security/user/authenticate/run_as``) accept the ``pretty`` parameter to convert the JSON response to a more human-readable format. - The Wazuh server API stores logs in the ``api.log`` or ``api.json`` files, depending on the chosen log format. These log files are located at ``/var/ossec/logs/`` on the Wazuh server. You can change the verbosity level in the :ref:`Wazuh API configuration file `. -- The Wazuh API logs are rotated based on time by default. Rotation only occurs after adding a new entry to the log. For instance, time-based rotation triggers when a new entry is added on a different day, not necessarily every midnight. Rotated logs are stored in ``/var/ossec/logs/api///`` and compressed using ``gzip``. +- The Wazuh API logs are rotated based on time by default. Rotation only occurs after adding a new entry to the log. For instance, time-based rotation triggers when a new entry is added on a different day, not necessarily every midnight. Rotated logs are stored in ``/var/ossec/logs/api///`` and compressed using ``gzip``. - All Wazuh server API requests will be aborted if no response is received after the time duration defined in the ``request_timeout`` field of the server API configuration file ``/var/ossec/api/configuration/api.yaml``. You can use the ``wait_for_complete`` parameter to disable this timeout, which is particularly useful for calls that might exceed the expected duration, such as :api-ref:`PUT /agents/upgrade `. .. note:: @@ -597,7 +597,7 @@ Save the following Python script as ``get_agent_keep_alive.py``: endpoint = '/agents?select=lastKeepAlive&select=id&status=disconnected' protocol = 'https' - host = '' + host = '' port = '' user = '' password = '' 
@@ -636,7 +636,7 @@ Save the following Python script as ``get_agent_keep_alive.py``: Replace the following variables below: -- ```` with your Wazuh server IP address. +- ```` with your Wazuh server IP address. - ```` with the Wazuh server API port number (port 5500 by default). - ```` and ```` with the correct credentials. @@ -718,7 +718,7 @@ Save the following PowerShell script as ``get_agent_keep_alive.ps1``: $method = "get" $protocol = "https" - $host_name = "" + $host_name = "" $port = "" $username = "" $password = "" @@ -749,7 +749,7 @@ Save the following PowerShell script as ``get_agent_keep_alive.ps1``: Replace the following variables below: -- ```` with your Wazuh server IP address. +- ```` with your Wazuh server IP address. - ```` with the Wazuh server API port number (port 5500 by default). - ```` and ```` with the correct credentials. diff --git a/source/user-manual/index.rst b/source/user-manual/index.rst index c572a142cd..c387252d73 100644 --- a/source/user-manual/index.rst +++ b/source/user-manual/index.rst @@ -17,7 +17,7 @@ Welcome to the Wazuh user manual. Use it as your reference library once your bas wazuh-server-cluster api/index wazuh-indexer/index - wazuh-indexer-cluster + wazuh-indexer-cluster/index wazuh-dashboard/index agent/index ruleset/index diff --git a/source/user-manual/manager/alert-management.rst b/source/user-manual/manager/alert-management.rst index 771d9d2f45..5cac698d53 100644 --- a/source/user-manual/manager/alert-management.rst +++ b/source/user-manual/manager/alert-management.rst 
@@ -574,10 +574,10 @@ According to your database system, create a new database, set up the database us mysql> CREATE DATABASE Alerts_DB; Query OK, 1 row affected (2.34 sec) - mysql> CREATE USER ''@'' IDENTIFIED BY ''; + mysql> CREATE USER ''@'' IDENTIFIED BY ''; Query OK, 0 rows affected (0.00 sec) - mysql> GRANT INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on Alerts_DB.* to ''@''; + mysql> GRANT INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on Alerts_DB.* to ''@''; Query OK, 0 rows affected (0.00 sec) mysql> FLUSH PRIVILEGES; @@ -588,7 +588,7 @@ According to your database system, create a new database, set up the database us Replace the following variables in the commands above: - ```` with the user you want to create for the database server. - - ```` with the IP address of the database server. + - ```` with the IP address of the database server. - ```` with the user password to access the database server. .. code-block:: console @@ -622,7 +622,7 @@ Perform the following steps to configure the Wazuh manager to send alerts and ot :emphasize-lines: 2-4 - + Alerts_DB @@ -635,7 +635,7 @@ Perform the following steps to configure the Wazuh manager to send alerts and ot :emphasize-lines: 2-4 - + Alerts_DB @@ -644,7 +644,7 @@ Perform the following steps to configure the Wazuh manager to send alerts and ot Where: - - ```` specifies the IP address of the database server. Replace ```` the IP address of the database server. + - ```` specifies the IP address of the database server. Replace ```` the IP address of the database server. - ```` specifies the user to access the database. Replace ```` with the database user created above. - ```` specifies the user password to access the database. Replace ```` with the user password created above. - ```` specifies the name of the database in which to store the alerts. For example, ``Alerts_DB`` as specified in the configuration above. 
diff --git a/source/user-manual/reference/ossec-conf/localfile.rst b/source/user-manual/reference/ossec-conf/localfile.rst index 4f047b1c27..0d6d81a104 100644 --- a/source/user-manual/reference/ossec-conf/localfile.rst +++ b/source/user-manual/reference/ossec-conf/localfile.rst @@ -439,7 +439,7 @@ The list of available parameters is: +------------------------+-----------------------------------------------------------------------+ | ``timestamp`` | Current timestamp (when the log is sent), in RFC3164 format. | +------------------------+-----------------------------------------------------------------------+ -| ``timestamp `` | Custom timestamp, in ``strftime`` string format. | +| ``timestamp `` | Custom timestamp, in ``strftime`` string format. | +------------------------+-----------------------------------------------------------------------+ | ``hostname`` | System's host name. | +------------------------+-----------------------------------------------------------------------+ diff --git a/source/user-manual/reference/tools/wazuh-regex.rst b/source/user-manual/reference/tools/wazuh-regex.rst index 4c9b2e12dc..e6e904281c 100644 --- a/source/user-manual/reference/tools/wazuh-regex.rst +++ b/source/user-manual/reference/tools/wazuh-regex.rst @@ -14,7 +14,7 @@ The pattern should be enclosed in single quotes to help prevent any unintended i The syntax for wazuh-regex is as follows: -``/var/ossec/bin/wazuh-regex ''`` +``/var/ossec/bin/wazuh-regex ''`` It then reads strings from stdin and outputs matches to stdout. diff --git a/source/user-manual/user-administration/ldap.rst b/source/user-manual/user-administration/ldap.rst index 6d37569a8a..e12234104c 100644 --- a/source/user-manual/user-administration/ldap.rst +++ b/source/user-manual/user-administration/ldap.rst 
@@ -243,7 +243,7 @@ Follow these steps to create a new role mapping and grant administrator permissi
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
@@ -309,7 +309,7 @@ Setup read-only role
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/user-administration/password-management.rst b/source/user-manual/user-administration/password-management.rst
index d51a6b7764..defccd50ae 100644
--- a/source/user-manual/user-administration/password-management.rst
+++ b/source/user-manual/user-administration/password-management.rst
@@ -245,7 +245,7 @@ Follow the instructions below to change the passwords for all the Wazuh indexer
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 #. Restart the Wazuh dashboard to apply the changes.
diff --git a/source/user-manual/user-administration/single-sign-on/administrator/google.rst b/source/user-manual/user-administration/single-sign-on/administrator/google.rst
index 87ae2e9760..2ef31784a1 100644
--- a/source/user-manual/user-administration/single-sign-on/administrator/google.rst
+++ b/source/user-manual/user-administration/single-sign-on/administrator/google.rst
@@ -259,7 +259,7 @@ Wazuh dashboard configuration
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/user-administration/single-sign-on/administrator/jumpcloud.rst b/source/user-manual/user-administration/single-sign-on/administrator/jumpcloud.rst
index 25a28e8cdf..343ca2a984 100644
--- a/source/user-manual/user-administration/single-sign-on/administrator/jumpcloud.rst
+++ b/source/user-manual/user-administration/single-sign-on/administrator/jumpcloud.rst
@@ -292,7 +292,7 @@ Wazuh dashboard configuration
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/user-administration/single-sign-on/administrator/keycloak.rst b/source/user-manual/user-administration/single-sign-on/administrator/keycloak.rst
index 5a2ccde1e1..85151b6ccf 100644
--- a/source/user-manual/user-administration/single-sign-on/administrator/keycloak.rst
+++ b/source/user-manual/user-administration/single-sign-on/administrator/keycloak.rst
@@ -369,7 +369,7 @@ Wazuh dashboard configuration
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/user-administration/single-sign-on/administrator/microsoft-entra-id.rst b/source/user-manual/user-administration/single-sign-on/administrator/microsoft-entra-id.rst
index c15a9b18d9..656abbf39c 100644
--- a/source/user-manual/user-administration/single-sign-on/administrator/microsoft-entra-id.rst
+++ b/source/user-manual/user-administration/single-sign-on/administrator/microsoft-entra-id.rst
@@ -286,7 +286,7 @@ Wazuh dashboard configuration
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/user-administration/single-sign-on/administrator/okta.rst b/source/user-manual/user-administration/single-sign-on/administrator/okta.rst
index 29ad270f17..ef79d27fbd 100644
--- a/source/user-manual/user-administration/single-sign-on/administrator/okta.rst
+++ b/source/user-manual/user-administration/single-sign-on/administrator/okta.rst
@@ -287,7 +287,7 @@ Wazuh dashboard configuration
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/user-administration/single-sign-on/administrator/onelogin.rst b/source/user-manual/user-administration/single-sign-on/administrator/onelogin.rst
index 560fc65ab5..e3992b49e7 100644
--- a/source/user-manual/user-administration/single-sign-on/administrator/onelogin.rst
+++ b/source/user-manual/user-administration/single-sign-on/administrator/onelogin.rst
@@ -288,7 +288,7 @@ Wazuh dashboard configuration
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/user-administration/single-sign-on/administrator/pingone.rst b/source/user-manual/user-administration/single-sign-on/administrator/pingone.rst
index 6e6dc2c060..108f9c6fba 100644
--- a/source/user-manual/user-administration/single-sign-on/administrator/pingone.rst
+++ b/source/user-manual/user-administration/single-sign-on/administrator/pingone.rst
@@ -264,7 +264,7 @@ Wazuh dashboard configuration
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/user-administration/single-sign-on/read-only/google.rst b/source/user-manual/user-administration/single-sign-on/read-only/google.rst
index c6bb2a3a35..978d7ef89c 100644
--- a/source/user-manual/user-administration/single-sign-on/read-only/google.rst
+++ b/source/user-manual/user-administration/single-sign-on/read-only/google.rst
@@ -230,7 +230,7 @@ Wazuh dashboard configuration
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/user-administration/single-sign-on/read-only/jumpcloud.rst b/source/user-manual/user-administration/single-sign-on/read-only/jumpcloud.rst
index 089c1a0d24..1997e8eb60 100644
--- a/source/user-manual/user-administration/single-sign-on/read-only/jumpcloud.rst
+++ b/source/user-manual/user-administration/single-sign-on/read-only/jumpcloud.rst
@@ -265,7 +265,7 @@ Wazuh dashboard configuration
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/user-administration/single-sign-on/read-only/keycloak.rst b/source/user-manual/user-administration/single-sign-on/read-only/keycloak.rst
index 9b244fa7fd..e03750ad68 100644
--- a/source/user-manual/user-administration/single-sign-on/read-only/keycloak.rst
+++ b/source/user-manual/user-administration/single-sign-on/read-only/keycloak.rst
@@ -340,7 +340,7 @@ Wazuh dashboard configuration
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/user-administration/single-sign-on/read-only/microsoft-entra-id.rst b/source/user-manual/user-administration/single-sign-on/read-only/microsoft-entra-id.rst
index 9213a06038..f05ad8bc5f 100644
--- a/source/user-manual/user-administration/single-sign-on/read-only/microsoft-entra-id.rst
+++ b/source/user-manual/user-administration/single-sign-on/read-only/microsoft-entra-id.rst
@@ -242,7 +242,7 @@ Wazuh dashboard configuration
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/user-administration/single-sign-on/read-only/okta.rst b/source/user-manual/user-administration/single-sign-on/read-only/okta.rst
index c80d5b58cd..e600282d81 100644
--- a/source/user-manual/user-administration/single-sign-on/read-only/okta.rst
+++ b/source/user-manual/user-administration/single-sign-on/read-only/okta.rst
@@ -257,7 +257,7 @@ Wazuh dashboard configuration
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/user-administration/single-sign-on/read-only/onelogin.rst b/source/user-manual/user-administration/single-sign-on/read-only/onelogin.rst
index 91c6e82968..dc6c1fc47e 100644
--- a/source/user-manual/user-administration/single-sign-on/read-only/onelogin.rst
+++ b/source/user-manual/user-administration/single-sign-on/read-only/onelogin.rst
@@ -255,7 +255,7 @@ Wazuh dashboard configuration
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/user-administration/single-sign-on/read-only/pingone.rst b/source/user-manual/user-administration/single-sign-on/read-only/pingone.rst
index 922736cebe..e403844289 100644
--- a/source/user-manual/user-administration/single-sign-on/read-only/pingone.rst
+++ b/source/user-manual/user-administration/single-sign-on/read-only/pingone.rst
@@ -233,7 +233,7 @@ Wazuh dashboard configuration
 url: https://127.0.0.1
 port: 55000
 username: wazuh-wui
- password: ""
+ password: ""
 run_as: false
 
 If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
diff --git a/source/user-manual/wazuh-dashboard/custom-branding.rst b/source/user-manual/wazuh-dashboard/custom-branding.rst
index 35f96d7a2c..f9b0f11d3e 100644
--- a/source/user-manual/wazuh-dashboard/custom-branding.rst
+++ b/source/user-manual/wazuh-dashboard/custom-branding.rst
@@ -138,11 +138,11 @@ The following settings correspond to the custom branding feature. Edit the defau +================================+===========================================================================================================================================================================================================================+===============+=====================+=========================================+ | customization.enabled | Enables and disables custom branding of the Wazuh dashboard and PDF reports. | true | true, false | | +--------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+---------------------+-----------------------------------------+ -| customization.logo.app | This is the image to be used as the logo in the main menu of the Wazuh dashboard. It is saved as ``/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/customization.logo.app.``. | '' | jpeg, jpg, png, svg | 1 MB | +| customization.logo.app | This is the image to be used as the logo in the main menu of the Wazuh dashboard. It is saved as ``/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/customization.logo.app.``. | '' | jpeg, jpg, png, svg | 1 MB | +--------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+---------------------+-----------------------------------------+ -| customization.logo.healthcheck | This is the image to be used as the health check logo. It is saved as ``/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/customization.logo.healthcheck.``. 
| '' | jpeg, jpg, png, svg | 1 MB | +| customization.logo.healthcheck | This is the image to be used as the health check logo. It is saved as ``/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/customization.logo.healthcheck.``. | '' | jpeg, jpg, png, svg | 1 MB | +--------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+---------------------+-----------------------------------------+ -| customization.logo.reports | This is the image to be used as a logo in the PDF reports generated by the Wazuh dashboard. It is saved as ``/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/customization.logo.reports.``. | '' | jpeg, jpg, png | 1 MB | +| customization.logo.reports | This is the image to be used as a logo in the PDF reports generated by the Wazuh dashboard. It is saved as ``/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/customization.logo.reports.``. | '' | jpeg, jpg, png | 1 MB | +--------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+---------------------+-----------------------------------------+ | customization.reports.header | Header of the PDF reports. To use an empty header, type a space " " in the field. If the field is empty, it uses the default header. | '' | Printable | 3 lines of 40 characters each | | | | | characters | | 
@@ -155,7 +155,7 @@ The following settings correspond to the custom branding feature. Edit the defau Please, take into consideration the following notes: - - The value of any ``customization.logo.*`` setting must follow the pattern ``custom/images/``.. + - The value of any ``customization.logo.*`` setting must follow the pattern ``custom/images/.``. - The path ``custom/images/`` included in every ``customization.logo.*`` setting is relative to the ``/plugins/wazuh/public/assets/`` folder. - Setting or modifying any ``customization.logo.*`` setting by hand is not recommended. Use the UI instead. - The in-file ``customization.logo.*`` settings are flagged for deprecation, and will be no longer supported in future releases. \ No newline at end of file diff --git a/source/user-manual/wazuh-dashboard/settings.rst b/source/user-manual/wazuh-dashboard/settings.rst index 6e42c6b46d..1888aea92b 100644 --- a/source/user-manual/wazuh-dashboard/settings.rst +++ b/source/user-manual/wazuh-dashboard/settings.rst @@ -70,10 +70,10 @@ Defines the list of APIs to connect with your Wazuh managers. hosts: - : - url: http(s):// - port: - username: - password: + url: http(s):// + port: + username: + password: .. note:: diff --git a/source/user-manual/wazuh-indexer-cluster.rst b/source/user-manual/wazuh-indexer-cluster/add-wazuh-indexer-nodes.rst similarity index 74% rename from source/user-manual/wazuh-indexer-cluster.rst rename to source/user-manual/wazuh-indexer-cluster/add-wazuh-indexer-nodes.rst index 7576082f07..197a8b5dc6 100644 --- a/source/user-manual/wazuh-indexer-cluster.rst +++ b/source/user-manual/wazuh-indexer-cluster/add-wazuh-indexer-nodes.rst 
@@ -1,168 +1,10 @@ .. Copyright (C) 2015, Wazuh, Inc. .. meta:: - :description: This section provides information about the Wazuh indexer cluster. - -Wazuh indexer cluster -===================== - -This section provides the following information about the Wazuh indexer cluster: - -.. contents:: - :local: - :depth: 1 - :backlinks: none - -.. _certificates_deployment: - -Certificates deployment ------------------------ - -Wazuh uses certificates to establish trust and confidentiality between its central components - the Wazuh indexer, the Wazuh dashboard, and Filebeat. Certificates are deployed for new installation of Wazuh or during upscaling of Wazuh central components. The required certificates are: - -- **Root CA certificate**: The root CA (Certificate Authority) certificate acts as the foundation of trust for a security ecosystem. It is used to authenticate the identity of all nodes within the system and to sign other certificates, thereby establishing a chain of trust. -- **Node certificates**: Node certificates uniquely identify each node within the Wazuh cluster. They are used to encrypt and authenticate communications between the nodes. - - Each node certificate must include either the IP address or the DNS name of the node. This is important for the verification process during communications, ensuring that the data is indeed being sent to and received from trusted nodes. These certificates, signed by the root CA, ensure that any communication between the nodes is trusted and verified through this central authority. - -- **Admin certificate**: The admin certificate is a client certificate with special privileges. The Wazuh indexer uses it to perform management and security-related tasks such as initializing and managing the Wazuh indexer cluster, creating, modifying, and deleting users, as well as managing roles and permissions. It also helps ensure that only authorized commands are executed within the cluster. 
- -You can deploy certificates using two methods: - -.. contents:: - :local: - :depth: 1 - :backlinks: none - -Using the ``wazuh-certs-tool.sh`` script (default method) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The ``wazuh-certs-tool.sh`` script simplifies certificate generation for Wazuh central components and creates all the certificates required for installation. You need to create or edit the configuration file ``config.yml``. This file references the node details like node types and IP addresses or DNS names which are used to generate certificates for each of the nodes specified in it. A template could be downloaded from `our repository `__. These certificates are created with the following additional information: - -- ``C``: US -- ``L``: California -- ``O``: Wazuh -- ``OU``: Wazuh -- ``CN``: Name of the node - -Generating Wazuh indexer certificates -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Follow the steps below to create Wazuh indexer certificates using the ``wazuh-certs-tool.sh`` script: - -#. Run the command below to download the `wazuh-certs-tool.sh `__ script in your installation directory: - - .. code-block:: console - - # wget https://packages.wazuh.com/|WAZUH_CURRENT_MINOR|/wazuh-certs-tool.sh - -#. Create a ``config.yml`` file with the following content. We specify only the details regarding the Wazuh indexer nodes as we are focusing on creating certificates for the Wazuh indexer. - - .. code-block:: yaml - :emphasize-lines: 5 - - nodes: - # Wazuh indexer nodes - indexer: - - name: node-1 - ip: "" - #- name: node-2 - # ip: "" - #- name: node-3 - # ip: "" - - Where: - - - ``name`` represents a unique node name. You can choose any. - - ``ip`` represents the IP address or DNS name of the node. - -#. Run the script to create the Wazuh indexer certificates: - - .. 
code-block:: console - - # bash wazuh-certs-tool.sh -A - - After deploying the certificates, a directory ``wazuh-certificates`` will be created in the installation directory with the following content: - - .. code-block:: none - - wazuh-certificates/ - ├── admin-key.pem - ├── admin.pem - ├── root-ca.key - ├── root-ca.pem - ├── node-1-key.pem - └── node-1.pem - - The files in this directory are as follows: - - - ``root-ca.pem`` and ``root-ca.key``: These files represent the root Certificate Authority (CA). The ``.pem`` file contains the public certificate, while the ``.key`` file holds the private key used for signing other certificates. - - .. note:: - - If you are deploying a complete Wazuh infrastructure and deploying certificates for the first time you need to conserve the root CA certificate. This will be used to create and sign certificates for the Wazuh server and Wazuh dashboard nodes. - - - ``admin.pem`` and ``admin-key.pem``: These files contain the public and private keys used by the Wazuh indexer to perform management and security-related tasks such as initializing the Wazuh indexer cluster, creating and managing users and roles. - - ``node-1.pem`` and ``node-1-key.pem``: The ``node-1.pem`` file contains the public key, which is distributed and trusted by other Wazuh components to authenticate the indexer node. Conversely, the ``node-1-key.pem`` file holds the private key, which is kept securely on the Wazuh indexer and used for authentication and encryption in communication with other Wazuh components. - - In a clustered environment comprising two or more Wazuh indexer nodes, unique pairs of public and private keys are generated for each node. These keys are specific to the node and are identified by the names defined in the ``name`` field of the ``config.yml`` file. These key pairs must then be transferred to their corresponding nodes. - -#. 
Once the certificates are created, you need to rename and move the Wazuh indexer certificate to the appropriate Wazuh indexer nodes respectively. You need to place them in the default directory ``/etc/wazuh-indexer/certs/`` as referenced in the file ``/etc/wazuh-indexer/opensearch.yml``. You should create the directory if it doesn’t exist. - - .. code-block:: console - - # mv /path/to/node-1-key.pem /etc/wazuh-indexer/certs/indexer-key.pem - # mv /path/to/node-1.pem /etc/wazuh-indexer/certs/indexer.pem - -Generating Wazuh indexer certificates using the pre-existing root CA -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Wazuh also gives the ability to create and sign the admin and node(s) certificates using a pre-existing root CA. It avoids having to recreate certificates for all the nodes. - -.. note:: - - You need to use a pre-existing root CA to create Wazuh indexer certificates: - - - If you already have a root CA after generating certificates for the :ref:`Wazuh server ` or :doc:`Wazuh dashboard ` nodes. - - If you need to re-install a Wazuh indexer node or add a new node to your Wazuh indexer cluster. - -#. Create a ``config.yml`` file. You must specify the details for only the Wazuh indexer node(s) you want to create certificates for, depending on the cases described in the note above. -#. Run the command below to create Wazuh indexer certificates from the ``config.yml`` file using the pre-existing root CA keys: - - .. code-block:: console - - # bash wazuh-certs-tool.sh -wi /path/to/root-ca.pem /path/to/root-ca.key - - Where: - - - The flag ``-wi`` indicates we are creating Wazuh indexer certificates. - - The file ``/path/to/root-ca.pem`` contains the root CA certificate. - - The file ``/path/to/root-ca.key`` contains the root CA key. - - After deploying the certificates, a directory ``wazuh-certificates`` will be created in the installation directory with content similar to the one below: - - .. 
code-block:: none - - wazuh-certificates/ - ├── admin-key.pem - ├── admin.pem - ├── node-1-key.pem - └── node-1.pem - -#. Once the certificates are created, you need to rename and move the Wazuh indexer certificate to the appropriate Wazuh indexer nodes respectively. You need to place them in the default directory ``/etc/wazuh-indexer/certs/`` as referenced in the file ``/etc/wazuh-indexer/opensearch.yml``. You should create the directory if it doesn’t exist. - - .. code-block:: console - - # mv /path/to/node-1-key.pem /etc/wazuh-indexer/certs/indexer-key.pem - # mv /path/to/node-1.pem /etc/wazuh-indexer/certs/indexer.pem - -Using custom certificates -^^^^^^^^^^^^^^^^^^^^^^^^^ - -Custom certificates can be created using tools like OpenSSL. You must create the root CA, node, and admin certificates described above. - + :description: This section covers adding Wazuh indexer nodes to increase capacity and resilience. + Adding Wazuh indexer nodes --------------------------- +========================== Adding a new node to the Wazuh indexer cluster can enhance the capacity and resilience of the security monitoring infrastructure. @@ -185,12 +27,12 @@ If you are unsure which method aligns with your infrastructure, we recommend rev You need root user privileges to execute the commands below. Certificates creation -^^^^^^^^^^^^^^^^^^^^^ +--------------------- Perform the outlined steps on your existing Wazuh indexer node to generate the certificates required for secure communication among the Wazuh central components. All-in-one deployment -~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^ We recommend creating entirely new certificates for your Wazuh indexer nodes. Perform the following steps to create new certificates. 
@@ -240,7 +82,7 @@ We recommend creating entirely new certificates for your Wazuh indexer nodes. Pe This will copy the certificates to the home directory of the logged-in user on the target system. You can change this to specify a path to your installation directory. Distributed deployment -~~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^^ We recommend you utilize pre-existing root CA keys to generate certificates for new nodes. @@ -337,12 +179,12 @@ Perform the steps below on one indexer node only. This will copy the certificates to the home directory of the logged-in user on the target system. You can change this to specify a path to your installation directory. Configuring existing components to connect with the new node -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +------------------------------------------------------------ In this section, we configure the Wazuh components of your existing deployment to connect and communicate with the new Wazuh indexer node. All-in-one deployment -~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^ #. Create a file, ``env_variables.sh``, in the ``/root`` directory of the existing node where you define your environment variables as follows: @@ -465,7 +307,7 @@ All-in-one deployment # service wazuh-dashboard restart Distributed deployment -~~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^^ #. Edit the indexer configuration file at ``/etc/wazuh-indexer/opensearch.yml`` to include the new node(s) as follows. Uncomment or add more lines, according to your ``/root/config.yml`` definitions. Create the ``discovery.seed_hosts`` section if it doesn’t exist: @@ -608,7 +450,7 @@ Distributed deployment # service wazuh-dashboard restart Wazuh indexer node(s) installation -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +---------------------------------- Once the certificates have been created and copied to the new node(s), you can now proceed with installing the Wazuh indexer node. Follow the steps below to install the new Wazuh indexer node(s). 
@@ -690,7 +532,7 @@ Once the certificates have been created and copied to the new node(s), you can n # apt-get -y install wazuh-indexer Configuring the Wazuh indexer -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Edit the ``/etc/wazuh-indexer/opensearch.yml`` configuration file and replace the following values: @@ -724,7 +566,7 @@ Edit the ``/etc/wazuh-indexer/opensearch.yml`` configuration file and replace th - "CN=,OU=Wazuh,O=Wazuh,L=California,C=US" Deploying certificates -~~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^^ Execute the following commands in the directory where the ``wazuh-certificates.tar`` file was copied to, replacing ```` with the name of the Wazuh indexer node you are configuring as defined in ``/root/config``.yml. For example, ``node-1``. This deploys the SSL certificates to encrypt communications between the Wazuh central components: @@ -749,7 +591,7 @@ Execute the following commands in the directory where the ``wazuh-certificates.t # rm -f ./wazuh-certificates.tar Starting the service -~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^ Run the following commands to start the Wazuh indexer service: @@ -780,7 +622,7 @@ Run the following commands to start the Wazuh indexer service: # service wazuh-indexer start Cluster initialization -^^^^^^^^^^^^^^^^^^^^^^ +---------------------- #. Run the Wazuh indexer ``indexer-security-init.sh`` script on any Wazuh indexer node to load the new certificate information and start the cluster: @@ -834,7 +676,7 @@ Cluster initialization version: 7.10.2 Testing the cluster -^^^^^^^^^^^^^^^^^^^ +------------------- After completing the above steps, you can proceed to test your cluster and ensure that the indexer node has been successfully added. There are two possible methods to do this: 
@@ -844,7 +686,7 @@ After completing the above steps, you can proceed to test your cluster and ensur :backlinks: none Using the securityadmin script -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The ``securityadmin`` script helps configure and manage the security settings of OpenSearch. The script lets you load, backup, restore, and migrate the security configuration files to the Wazuh indexer cluster. @@ -900,7 +742,7 @@ The output should be similar to the one below. It should show the number of Wazu Done with success Using the Wazuh indexer API -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^^^^^^^ You can also get information about the number of nodes in the cluster by using the Wazuh indexer API. 
@@ -949,64 +791,3 @@ You can access the Wazuh dashboard with your credentials. After the above steps are completed, your new node(s) will now be part of your cluster and your infrastructure distributed. -Cluster management ------------------- - -Using the Wazuh indexer API -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Perform the following cluster management queries on the Wazuh dashboard console by navigating to **Indexer management** > **Dev Tools**. - -- Check the general Wazuh indexer cluster health: - - .. code-block:: none - - GET _cluster/health - -- To check cluster health based on awareness attribute, use the following: - - .. code-block:: none - - GET _cluster/health?level=awareness_attributes - -- To check the cluster health based on a specific index, use the following: - - .. code-block:: none - - GET _cluster/health/ - -- List all Wazuh indexer nodes and their roles: - - .. code-block:: none - - GET _cat/nodes - -- Check the Wazuh indexer node where an index is stored: - - .. code-block:: none - - GET _cat/shards/wazuh-alerts-*?v - -- Check ISM policy for an index pattern: - - .. code-block:: none - - GET _opendistro/_ism/explain/wazuh-alerts-* - -- Check statistics about the Wazuh indexer cluster: - - .. code-block:: none - - GET _cluster/stats/nodes/* - -- Check storage allocation. This can be used to determine if the Wazuh indexer node is full. If the indexer node is full, implement the :doc:`index lifecycle management ` to free up old indices. - - .. code-block:: none - - GET _cat/allocation?v&s=node - -- Check Wazuh indexer node attributes: - - .. code-block:: none - - GET _cat/nodeattrs?v&h=node,attr,value diff --git a/source/user-manual/wazuh-indexer-cluster/certificate-deployment.rst b/source/user-manual/wazuh-indexer-cluster/certificate-deployment.rst new file mode 100644 index 0000000000..900d5a4e84 --- /dev/null +++ b/source/user-manual/wazuh-indexer-cluster/certificate-deployment.rst 
@@ -0,0 +1,150 @@
+.. Copyright (C) 2015, Wazuh, Inc.
+
+.. meta::
+ :description:: This section covers deploying certificates to secure communication between Wazuh components.
+
+Certificates deployment
+=======================
+
+Wazuh uses certificates to establish trust and confidentiality between its central components - the Wazuh indexer, the Wazuh dashboard, and Filebeat. Certificates are deployed for new installation of Wazuh or during upscaling of Wazuh central components. The required certificates are:
+
+- **Root CA certificate**: The root CA (Certificate Authority) certificate acts as the foundation of trust for a security ecosystem. It is used to authenticate the identity of all nodes within the system and to sign other certificates, thereby establishing a chain of trust.
+- **Node certificates**: Node certificates uniquely identify each node within the Wazuh cluster. They are used to encrypt and authenticate communications between the nodes.
+
+ Each node certificate must include either the IP address or the DNS name of the node. This is important for the verification process during communications, ensuring that the data is indeed being sent to and received from trusted nodes. These certificates, signed by the root CA, ensure that any communication between the nodes is trusted and verified through this central authority.
+
+- **Admin certificate**: The admin certificate is a client certificate with special privileges. The Wazuh indexer uses it to perform management and security-related tasks such as initializing and managing the Wazuh indexer cluster, creating, modifying, and deleting users, as well as managing roles and permissions. It also helps ensure that only authorized commands are executed within the cluster.
+
+You can deploy certificates using two methods:
+
+.. contents::
+ :local:
+ :depth: 1
+ :backlinks: none
+
+Using the ``wazuh-certs-tool.sh`` script (default method)
+---------------------------------------------------------
+
+The ``wazuh-certs-tool.sh`` script simplifies certificate generation for Wazuh central components and creates all the certificates required for installation. You need to create or edit the configuration file ``config.yml``. This file references the node details like node types and IP addresses or DNS names which are used to generate certificates for each of the nodes specified in it. A template could be downloaded from `our repository `__. These certificates are created with the following additional information:
+
+- ``C``: US
+- ``L``: California
+- ``O``: Wazuh
+- ``OU``: Wazuh
+- ``CN``: Name of the node
+
+Generating Wazuh indexer certificates
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Follow the steps below to create Wazuh indexer certificates using the ``wazuh-certs-tool.sh`` script:
+
+#. Run the command below to download the `wazuh-certs-tool.sh `__ script in your installation directory:
+
+ .. code-block:: console
+
+ # wget https://packages.wazuh.com/|WAZUH_CURRENT_MINOR|/wazuh-certs-tool.sh
+
+#. Create a ``config.yml`` file with the following content. We specify only the details regarding the Wazuh indexer nodes as we are focusing on creating certificates for the Wazuh indexer.
+
+ .. code-block:: yaml
+ :emphasize-lines: 5
+
+ nodes:
+ # Wazuh indexer nodes
+ indexer:
+ - name: node-1
+ ip: ""
+ #- name: node-2
+ # ip: ""
+ #- name: node-3
+ # ip: ""
+
+ Where:
+
+ - ``name`` represents a unique node name. You can choose any.
+ - ``ip`` represents the IP address or DNS name of the node.
+
+#. Run the script to create the Wazuh indexer certificates:
+
+ .. code-block:: console
+
+ # bash wazuh-certs-tool.sh -A
+
+ After deploying the certificates, a directory ``wazuh-certificates`` will be created in the installation directory with the following content:
+
+ .. code-block:: none
+
+ wazuh-certificates/
+ ├── admin-key.pem
+ ├── admin.pem
+ ├── root-ca.key
+ ├── root-ca.pem
+ ├── node-1-key.pem
+ └── node-1.pem
+
+ The files in this directory are as follows:
+
+ - ``root-ca.pem`` and ``root-ca.key``: These files represent the root Certificate Authority (CA). The ``.pem`` file contains the public certificate, while the ``.key`` file holds the private key used for signing other certificates.
+
+ .. note::
+
+ If you are deploying a complete Wazuh infrastructure and deploying certificates for the first time you need to conserve the root CA certificate. This will be used to create and sign certificates for the Wazuh server and Wazuh dashboard nodes.
+
+ - ``admin.pem`` and ``admin-key.pem``: These files contain the public and private keys used by the Wazuh indexer to perform management and security-related tasks such as initializing the Wazuh indexer cluster, creating and managing users and roles.
+ - ``node-1.pem`` and ``node-1-key.pem``: The ``node-1.pem`` file contains the public key, which is distributed and trusted by other Wazuh components to authenticate the indexer node. Conversely, the ``node-1-key.pem`` file holds the private key, which is kept securely on the Wazuh indexer and used for authentication and encryption in communication with other Wazuh components.
+
+ In a clustered environment comprising two or more Wazuh indexer nodes, unique pairs of public and private keys are generated for each node. These keys are specific to the node and are identified by the names defined in the ``name`` field of the ``config.yml`` file. These key pairs must then be transferred to their corresponding nodes.
+
+#. Once the certificates are created, you need to rename and move the Wazuh indexer certificate to the appropriate Wazuh indexer nodes respectively. You need to place them in the default directory ``/etc/wazuh-indexer/certs/`` as referenced in the file ``/etc/wazuh-indexer/opensearch.yml``. You should create the directory if it doesn’t exist.
+
+ .. code-block:: console
+
+ # mv /path/to/node-1-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
+ # mv /path/to/node-1.pem /etc/wazuh-indexer/certs/indexer.pem
+
+Generating Wazuh indexer certificates using the pre-existing root CA
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Wazuh also gives the ability to create and sign the admin and node(s) certificates using a pre-existing root CA. It avoids having to recreate certificates for all the nodes.
+
+.. note::
+
+ You need to use a pre-existing root CA to create Wazuh indexer certificates:
+
+ - If you already have a root CA after generating certificates for the :ref:`Wazuh server ` or :doc:`Wazuh dashboard ` nodes.
+ - If you need to re-install a Wazuh indexer node or add a new node to your Wazuh indexer cluster.
+
+#. Create a ``config.yml`` file. You must specify the details for only the Wazuh indexer node(s) you want to create certificates for, depending on the cases described in the note above.
+#. Run the command below to create Wazuh indexer certificates from the ``config.yml`` file using the pre-existing root CA keys:
+
+ .. code-block:: console
+
+ # bash wazuh-certs-tool.sh -wi /path/to/root-ca.pem /path/to/root-ca.key
+
+ Where:
+
+ - The flag ``-wi`` indicates we are creating Wazuh indexer certificates.
+ - The file ``/path/to/root-ca.pem`` contains the root CA certificate.
+ - The file ``/path/to/root-ca.key`` contains the root CA key.
+
+ After deploying the certificates, a directory ``wazuh-certificates`` will be created in the installation directory with content similar to the one below:
+
+ .. code-block:: none
+
+ wazuh-certificates/
+ ├── admin-key.pem
+ ├── admin.pem
+ ├── node-1-key.pem
+ └── node-1.pem
+
+#. Once the certificates are created, you need to rename and move the Wazuh indexer certificate to the appropriate Wazuh indexer nodes respectively. You need to place them in the default directory ``/etc/wazuh-indexer/certs/`` as referenced in the file ``/etc/wazuh-indexer/opensearch.yml``. You should create the directory if it doesn’t exist.
+
+ .. code-block:: console
+
+ # mv /path/to/node-1-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
+ # mv /path/to/node-1.pem /etc/wazuh-indexer/certs/indexer.pem
+
+Using custom certificates
+-------------------------
+
+Custom certificates can be created using tools like OpenSSL. You must create the root CA, node, and admin certificates described above.
diff --git a/source/user-manual/wazuh-indexer-cluster/cluster-management.rst b/source/user-manual/wazuh-indexer-cluster/cluster-management.rst
new file mode 100644
index 0000000000..d654f2ac7e
--- /dev/null
+++ b/source/user-manual/wazuh-indexer-cluster/cluster-management.rst
@@ -0,0 +1,66 @@
+.. Copyright (C) 2015, Wazuh, Inc.
+
+.. meta::
+ :description: This section covers cluster management including health checks and node details.
+
+Cluster management
+==================
+
+Using the Wazuh indexer API
+---------------------------
+
+Perform the following cluster management queries on the Wazuh dashboard console by navigating to **Indexer management** > **Dev Tools**.
+
+- Check the general Wazuh indexer cluster health:
+
+ .. code-block:: none
+
+ GET _cluster/health
+
+- To check cluster health based on awareness attribute, use the following:
+
+ .. code-block:: none
+
+ GET _cluster/health?level=awareness_attributes
+
+- To check the cluster health based on a specific index, use the following:
+
+ .. code-block:: none
+
+ GET _cluster/health/
+
+- List all Wazuh indexer nodes and their roles:
+
+ .. code-block:: none
+
+ GET _cat/nodes
+
+- Check the Wazuh indexer node where an index is stored:
+
+ .. code-block:: none
+
+ GET _cat/shards/wazuh-alerts-*?v
+
+- Check ISM policy for an index pattern:
+
+ .. code-block:: none
+
+ GET _opendistro/_ism/explain/wazuh-alerts-*
+
+- Check statistics about the Wazuh indexer cluster:
+
+ .. code-block:: none
+
+ GET _cluster/stats/nodes/*
+
+- Check storage allocation. This can be used to determine if the Wazuh indexer node is full. If the indexer node is full, implement the :doc:`index lifecycle management ` to free up old indices.
+
+ .. code-block:: none
+
+ GET _cat/allocation?v&s=node
+
+- Check Wazuh indexer node attributes:
+
+ .. code-block:: none
+
+ GET _cat/nodeattrs?v&h=node,attr,value
diff --git a/source/user-manual/wazuh-indexer/index-life-management.rst b/source/user-manual/wazuh-indexer-cluster/index-lifecycle-management.rst
similarity index 100%
rename from source/user-manual/wazuh-indexer/index-life-management.rst
rename to source/user-manual/wazuh-indexer-cluster/index-lifecycle-management.rst
diff --git a/source/user-manual/wazuh-indexer-cluster/index.rst b/source/user-manual/wazuh-indexer-cluster/index.rst
new file mode 100644
index 0000000000..b4f9847fca
--- /dev/null
+++ b/source/user-manual/wazuh-indexer-cluster/index.rst
@@ -0,0 +1,20 @@
+.. Copyright (C) 2015, Wazuh, Inc.
+
+.. meta::
+ :description: This section provides information about the Wazuh indexer cluster.
+
+Wazuh indexer cluster
+=====================
+
+The Wazuh indexer cluster consists of multiple Wazuh indexer nodes. Deploying the Wazuh indexer as a cluster helps to provide horizontal scalability, high availability, and improved performance.
+
+This section provides the following information about the Wazuh indexer cluster:
+
+.. toctree::
+ :titlesonly:
+
+ certificate-deployment
+ add-wazuh-indexer-nodes
+ wazuh-indexer-cluster-tuning
+ index-lifecycle-management
+ cluster-management
\ No newline at end of file
diff --git a/source/user-manual/wazuh-indexer-cluster/wazuh-indexer-cluster-tuning.rst b/source/user-manual/wazuh-indexer-cluster/wazuh-indexer-cluster-tuning.rst
new file mode 100644
index 0000000000..b11c90a8ca
--- /dev/null
+++ b/source/user-manual/wazuh-indexer-cluster/wazuh-indexer-cluster-tuning.rst
@@ -0,0 +1,146 @@
+.. Copyright (C) 2015, Wazuh, Inc.
+
+.. meta::
+ :description: Learn how to change settings to optimize the Wazuh indexer cluster performance in this section of the documentation.
+
+Wazuh indexer cluster tuning
+============================
+
+This guide shows how to change settings to optimize the Wazuh indexer cluster performance. To change the Wazuh indexer password, see the :doc:`Password management ` section.
+
+.. contents::
+ :local:
+ :depth: 1
+ :backlinks: none
+
+Configure shard allocation awareness or forced awareness
+--------------------------------------------------------
+
+This is most applicable in cases where the Wazuh indexer nodes are spread across geographically dispersed zones.
+
+To configure awareness, add zone attributes to the ``/etc/wazuh-indexer/opensearch.yml`` file on the Wazuh indexer nodes for the different zones.
+
+For example: You have two zones named zone A and B. You will add the following configuration to the ``/etc/wazuh-indexer/opensearch.yml`` file on each Wazuh indexer node in zone A and B respectively:
+
+.. code-block:: yaml
+
+ node.attr.zone: zoneA
+
+.. code-block:: yaml
+
+ node.attr.zone: zoneB
+
+Allocation awareness is best used if storage on the Wazuh indexer nodes in zone A and zone B is less than 50% utilized. This allows for adequate storage capacity to allocate replicas in the zone.
+
+Forced awareness is an option if Wazuh indexer nodes in both zone A and B lack sufficient capacity to store all primary and replica shards. This ensures that if there's a zone failure, the Wazuh indexer won't overwhelm your remaining zone, preventing your cluster from being locked due to storage shortage.
+
+Choosing allocation awareness or forced awareness depends on how much space you have in each zone to balance your primary and replica shards.
+
+Shard allocation awareness
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Shard allocation awareness attempts to spread primary and replica shards across multiple zones. It is used to allocate a replica shard to a zone different from its primary zone.
+
+In the event of node failure within a zone, you can be rest assured that your replica shards are distributed among your remaining zones. This enhances fault tolerance, safeguarding your data against zone failures and individual node failures.
+
+To configure shard allocation awareness, update the cluster settings:
+
+.. code-block:: none
+
+ PUT _cluster/settings
+ {
+ "persistent": {
+ "cluster.routing.allocation.awareness.attributes": "zone"
+ }
+ }
+
+You can either use ``persistent`` or ``transient`` settings. We recommend using the ``persistent`` setting because it persists through a cluster reboot. The ``transient`` setting does not persist through a cluster reboot.
+
+.. note::
+
+ If only one zone is available (such as after zone failures), the Wazuh indexer allocates replica shards to the only remaining zone.
+
+Forced awareness
+^^^^^^^^^^^^^^^^^
+
+Using the forced awareness implies that primary and replica shards are never allocated to the same zone.
+
+To configure forced awareness, specify all the possible values for your zone attributes:
+
+.. code-block:: none
+ :emphasize-lines: 5
+
+ PUT _cluster/settings
+ {
+ "persistent": {
+ "cluster.routing.allocation.awareness.attributes": "zone",
+ "cluster.routing.allocation.awareness.force.zone.values":["zoneA", "zoneB"]
+ }
+ }
+
+In case there are other zones, add the other zones to the ``cluster.routing.allocation.awareness.force.zone.values`` field.
+
+.. warning::
+
+ If a node fails, forced awareness does not allocate the replicas to another node in the same zone. Instead, the cluster enters a yellow state and only allocates the replicas when nodes in the other zone(s) come online.
+
+Allocation filtering
+^^^^^^^^^^^^^^^^^^^^^
+
+This allows a node to be excluded from shard allocation. A common use case is when you want to decommission a node within a zone.
+
+To move shards off a node before decommissioning it, create a filter that excludes the node using its IP address. This will move all shards allocated to that node before it is shut down. You can also use a wildcard ``*`` in a situation where there are more than one node within an IP range to be decommissioned.
+
+.. code-block:: none
+ :emphasize-lines: 4
+
+ PUT _cluster/settings
+ {
+ "persistent": {
+ "cluster.routing.allocation.exclude._ip": "192.168.0.*"
+ }
+ }
+
+Set node attributes for each node in a cluster
+----------------------------------------------
+
+By default, each Wazuh indexer node is a master-eligible, data, ingest, and coordinating node. Deciding on the number of nodes, assigning node types, and choosing the hardware for each node type depends on your use case.
+
+Cluster manager nodes
+^^^^^^^^^^^^^^^^^^^^^
+
+Cluster manager nodes manage all cluster-wide configurations and modifications, including adding, removing, and allocating shards to nodes, as well as generating and deleting indices and fields.
+
+A distributed consensus technique is used to elect a single cluster-manager node from among the cluster-manager eligible nodes. This cluster-manager node is reelected in the event that the incumbent node fails.
+
+You can specify that a Wazuh indexer node is the cluster manager node, even though this is already done by default.
+
+Set a Wazuh indexer node role to ``cluster_manager`` by adding the following configuration to the ``/etc/wazuh-indexer/opensearch.yml`` file:
+
+.. code-block:: yaml
+
+ node.roles: [ cluster_manager ]
+
+Data nodes
+^^^^^^^^^^
+
+The data node is responsible for storing and searching data. It performs all data related operations (indexing, searching, aggregating) on local shards. These are the worker nodes of your Wazuh indexer cluster and need more disk space than any other node type. 
+ +Set a Wazuh indexer node role as a data node by adding the following configuration to the ``/etc/wazuh-indexer/opensearch.yml`` file: + +.. code-block:: yaml + + node.roles: [ data, ingest ] + +As you add data nodes it is important to keep them balanced between zones. For example, if you have three zones, add a data node for each zone. We recommend using storage and RAM-heavy nodes. + +Coordinating nodes +^^^^^^^^^^^^^^^^^^ + +The coordinating node delegates client requests to the shards on the data nodes, collects and aggregates the results into one final result, and sends it back to the Wazuh dashboard. + +Every node is a coordinating node by default, however to make a node a dedicated coordinating node, set ``node.roles`` to an empty list: + +.. code-block:: yaml + + node.roles: [] diff --git a/source/user-manual/wazuh-indexer/index.rst b/source/user-manual/wazuh-indexer/index.rst index 11591bbc26..8f723e3c02 100644 --- a/source/user-manual/wazuh-indexer/index.rst +++ b/source/user-manual/wazuh-indexer/index.rst @@ -19,6 +19,5 @@ The Wazuh indexer can be configured as a single-node or multi-node cluster, prov wazuh-indexer-indices re-indexing - index-life-management wazuh-indexer-tuning migrating-wazuh-indices diff --git a/source/user-manual/wazuh-indexer/wazuh-indexer-tuning.rst b/source/user-manual/wazuh-indexer/wazuh-indexer-tuning.rst index 892958cca9..88117c608a 100644 --- a/source/user-manual/wazuh-indexer/wazuh-indexer-tuning.rst +++ b/source/user-manual/wazuh-indexer/wazuh-indexer-tuning.rst @@ -1,7 +1,7 @@ .. Copyright (C) 2015, Wazuh, Inc. .. meta:: - :description: Learn how to change settings to optimize the Wazuh indexer performance in this section of te documentation. + :description: Learn how to change settings to optimize the Wazuh indexer performance in this section of the documentation. Wazuh indexer tuning ==================== 
@@ -242,135 +242,3 @@ The number of replicas can be changed dynamically using the Wazuh indexer API. I } } }' - -Configure shard allocation awareness or forced awareness --------------------------------------------------------- - -This is most applicable in cases where the Wazuh indexer nodes are spread across geographically dispersed zones. - -To configure awareness, add zone attributes to the ``/etc/wazuh-indexer/opensearch.yml`` file on the Wazuh indexer nodes for the different zones. - -For example: You have two zones named zone A and B. You will add the following configuration to the ``/etc/wazuh-indexer/opensearch.yml`` file on each Wazuh indexer node in zone A and B respectively: - -.. code-block:: yaml - - node.attr.zone: zoneA - -.. code-block:: yaml - - node.attr.zone: zoneB - -Allocation awareness is best used if storage on the Wazuh indexer nodes in zone A and zone B is less than 50% utilized. This allows for adequate storage capacity to allocate replicas in the zone. - -Forced awareness is an option if Wazuh indexer nodes in both zone A and B lack sufficient capacity to store all primary and replica shards. This ensures that if there's a zone failure, the Wazuh indexer won't overwhelm your remaining zone, preventing your cluster from being locked due to storage shortage. - -Choosing allocation awareness or forced awareness depends on how much space you have in each zone to balance your primary and replica shards. - -Shard allocation awareness -^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Shard allocation awareness attempts to spread primary and replica shards across multiple zones. It is used to allocate a replica shard to a zone different from its primary zone. - -In the event of node failure within a zone, you can be rest assured that your replica shards are distributed among your remaining zones. This enhances fault tolerance, safeguarding your data against zone failures and individual node failures. 
- -To configure shard allocation awareness, update the cluster settings: - -.. code-block:: none - - PUT _cluster/settings - { - "persistent": { - "cluster.routing.allocation.awareness.attributes": "zone" - } - } - -You can either use ``persistent`` or ``transient`` settings. We recommend using the ``persistent`` setting because it persists through a cluster reboot. The ``transient`` setting does not persist through a cluster reboot. - -.. note:: - - If only one zone is available (such as after zone failures), the Wazuh indexer allocates replica shards to the only remaining zone. - -Forced awareness -^^^^^^^^^^^^^^^^^ - -Using the forced awareness implies that primary and replica shards are never allocated to the same zone. - -To configure forced awareness, specify all the possible values for your zone attributes: - -.. code-block:: none - :emphasize-lines: 5 - - PUT _cluster/settings - { - "persistent": { - "cluster.routing.allocation.awareness.attributes": "zone", - "cluster.routing.allocation.awareness.force.zone.values":["zoneA", "zoneB"] - } - } - -In case there are other zones, add the other zones to the ``cluster.routing.allocation.awareness.force.zone.values`` field. - -.. warning:: - - If a node fails, forced awareness does not allocate the replicas to another node in the same zone. Instead, the cluster enters a yellow state and only allocates the replicas when nodes in the other zone(s) come online. - -Allocation filtering -^^^^^^^^^^^^^^^^^^^^^ - -This allows a node to be excluded from shard allocation. A common use case is when you want to decommission a node within a zone. - -To move shards off a node before decommissioning it, create a filter that excludes the node using its IP address. This will move all shards allocated to that node before it is shut down. You can also use a wildcard ``*`` in a situation where there are more than one node within an IP range to be decommissioned. - -.. 
code-block:: none - :emphasize-lines: 4 - - PUT _cluster/settings - { - "persistent": { - "cluster.routing.allocation.exclude._ip": "192.168.0.*" - } - } - -Set node attributes for each node in a cluster ----------------------------------------------- - -By default, each Wazuh indexer node is a master-eligible, data, ingest, and coordinating node. Deciding on the number of nodes, assigning node types, and choosing the hardware for each node type depends on your use case. - -Cluster manager nodes -^^^^^^^^^^^^^^^^^^^^^ - -Cluster manager nodes manage all cluster-wide configurations and modifications, including adding, removing, and allocating shards to nodes, as well as generating and deleting indices and fields. - -A distributed consensus technique is used to elect a single cluster-manager node from among the cluster-manager eligible nodes. This cluster-manager node is reelected in the event that the incumbent node fails. - -You can specify that a Wazuh indexer node is the cluster manager node, even though this is already done by default. - -Set a Wazuh indexer node role to ``cluster_manager`` by adding the following configuration to the ``/etc/wazuh-indexer/opensearch.yml`` file: - -.. code-block:: yaml - - node.roles: [ cluster_manager ] - -Data nodes -^^^^^^^^^^ - -The data node is responsible for storing and searching data. It performs all data related operations (indexing, searching, aggregating) on local shards. These are the worker nodes of your Wazuh indexer cluster and need more disk space than any other node type. - -Set a Wazuh indexer node role as a data node by adding the following configuration to the ``/etc/wazuh-indexer/opensearch.yml`` file: - -.. code-block:: yaml - - node.roles: [ data, ingest ] - -As you add data nodes it is important to keep them balanced between zones. For example, if you have three zones, add a data node for each zone. We recommend using storage and RAM-heavy nodes. 
- -Coordinating nodes -^^^^^^^^^^^^^^^^^^ - -The coordinating node delegates client requests to the shards on the data nodes, collects and aggregates the results into one final result, and sends it back to the Wazuh dashboard. - -Every node is a coordinating node by default, however to make a node a dedicated coordinating node, set ``node.roles`` to an empty list: - -.. code-block:: yaml - - node.roles: [] diff --git a/source/user-manual/wazuh-server-cluster.rst b/source/user-manual/wazuh-server-cluster.rst index 363dde8606..e387c5b543 100644 --- a/source/user-manual/wazuh-server-cluster.rst +++ b/source/user-manual/wazuh-server-cluster.rst @@ -108,7 +108,7 @@ Master node 1516 0.0.0.0 - MASTER_NODE_IP + no no @@ -149,7 +149,7 @@ Worker node 1516 0.0.0.0 - MASTER_NODE_IP + no no @@ -229,13 +229,13 @@ Follow the steps below to create Wazuh server certificates using the ``wazuh-cer # node, each one must have a node_type server: - name: wazuh-1 - ip: "" + ip: "" # node_type: master #- name: wazuh-2 - # ip: "" + # ip: "" # node_type: worker #- name: wazuh-3 - # ip: "" + # ip: "" # node_type: worker Where: @@ -243,7 +243,7 @@ Follow the steps below to create Wazuh server certificates using the ``wazuh-cer - ``name`` represents a unique node name. You can choose any. - ``ip`` represents the IP address or DNS name of the node. - ``node type`` represents the node type to configure. Two types are available, master and worker. You can only have one master node per cluster. - - ```` represents the IP address of Wazuh manager nodes (master/worker) + - ```` represents the IP address of Wazuh manager nodes (master/worker) #. Run the script to create the Wazuh server certificates: 
@@ -292,7 +292,7 @@ Wazuh also gives the ability to create and sign the admin and node(s) certificat You need to use a pre-existing root CA to create Wazuh server certificates: - - If you already have a root CA after generating certificates for the :ref:`Wazuh indexer ` or :doc:`Wazuh dashboard ` nodes. + - If you already have a root CA after generating certificates for the :doc:`Wazuh indexer ` or :doc:`Wazuh dashboard ` nodes. - If you need to re-install a Wazuh server node or add a new node to your Wazuh server cluster. #. Create a ``config.yml`` file. You must specify the details for only the Wazuh server node(s) you want to create certificates for, depending on the cases described in the note above. @@ -383,21 +383,21 @@ We generate new certificates for the Wazuh components in an all-in-one deploymen # Wazuh indexer nodes indexer: - name: - ip: + ip: # Wazuh server nodes server: - name: - ip: + ip: node_type: master - name: - ip: + ip: node_type: worker # Wazuh dashboard nodes dashboard: - name: - ip: + ip: Replace the node names and IP values with your new node names and IP addresses. @@ -428,7 +428,7 @@ We generate new certificates for the Wazuh components in an all-in-one deploymen .. code-block:: console # tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ . - # scp wazuh-certificates.tar @: + # scp wazuh-certificates.tar @: This will copy the certificates to the ``/home`` directory of the user on the target system. You can change this to specify a path to your installation directory. @@ -461,10 +461,10 @@ Perform the steps below on your existing Wazuh server node to generate the certi # Wazuh server nodes server: - name: - ip: + ip: node_type: master - name: - ip: + ip: node_type: worker Replace the values with your node names and their corresponding IP addresses. 
@@ -502,7 +502,7 @@ Perform the steps below on your existing Wazuh server node to generate the certi .. code-block:: console # tar -cvf ./wazuh-certificates.tar -C ./wazuh-install-files/ . - # scp wazuh-certificates.tar @: + # scp wazuh-certificates.tar @: This command copies the certificates to the ``/home`` directory of the target user on the endpoint. You can modify the command to specify a path to your installation directory. @@ -522,21 +522,21 @@ You can follow the steps below to generate fresh certificates if the pre-existin # Wazuh indexer nodes indexer: - name: - ip: + ip: # Wazuh server nodes server: - name: - ip: + ip: node_type: master - name: - ip: + ip: node_type: worker # Wazuh dashboard nodes dashboard: - name: - ip: + ip: #. Download and execute the ``wazuh-certs-tool.sh`` script to create the certificates: @@ -550,7 +550,7 @@ You can follow the steps below to generate fresh certificates if the pre-existin .. code-block:: console # tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ - # scp wazuh-certificates.tar @: + # scp wazuh-certificates.tar @: This command copies the certificates to the ``/home`` directory of the target user on the endpoint. You can modify the command to specify a path to your installation directory. @@ -626,7 +626,7 @@ All-in-one deployment .. code-block:: yaml :emphasize-lines: 1,2,4 - network.host: "" + network.host: "" node.name: "" cluster.initial_master_nodes: - "" @@ -636,7 +636,7 @@ All-in-one deployment .. code-block:: yaml output.elasticsearchhosts: - - :9200 + - :9200 .. note:: @@ -656,7 +656,7 @@ All-in-one deployment .. code-block:: yaml - opensearch.hosts: https://:9200 + opensearch.hosts: https://:9200 #. Edit the ``/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml`` file and replace the ``url`` value with the IP address or hostname of the Wazuh server master node: 
@@ -665,10 +665,10 @@ All-in-one deployment hosts: - default: - url: https:// + url: https:// port: 55000 username: wazuh-wui - password: + password: run_as: false #. Edit the Wazuh server configuration file at ``/var/ossec/etc/ossec.conf`` to enable the Wazuh server cluster: @@ -684,7 +684,7 @@ All-in-one deployment 1516 0.0.0.0 - + no no @@ -698,7 +698,7 @@ All-in-one deployment - :ref:`key ` represents a :ref:`key ` used to encrypt communication between cluster nodes. It should be the same on all the server nodes. To generate a unique key you can use the command ``openssl rand -hex 16``. - :ref:`port ` indicates the destination port for cluster communication. Leave the default as ``1516``. - :ref:`bind_addr ` is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 means the node will use any IP). - - :ref:`nodes ` is the address of the master node and can be either an IP or a DNS hostname. This parameter must be specified in all nodes, including the master itself. Replace ```` with the IP address of your master node. + - :ref:`nodes ` is the address of the master node and can be either an IP or a DNS hostname. This parameter must be specified in all nodes, including the master itself. Replace ```` with the IP address of your master node. - :ref:`hidden ` shows or hides the cluster information in the generated alerts. - :ref:`disabled ` indicates whether the node is enabled or disabled in the cluster. This option must be set to no. @@ -796,7 +796,7 @@ Distributed deployment .. code-block:: yaml - network.host: "" + network.host: "" node.name: "" cluster.initial_master_nodes: - "" @@ -806,7 +806,7 @@ Distributed deployment .. code-block:: yaml output.elasticsearchhosts: - - :9200 + - :9200 .. note:: 
@@ -826,7 +826,7 @@ Distributed deployment .. code-block:: yaml - opensearch.hosts: https://:9200 + opensearch.hosts: https://:9200 #. Edit the ``/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml`` file located in the Wazuh dashboard node and replace the ``url`` value with the IP address or hostname of the Wazuh server master node: @@ -835,10 +835,10 @@ Distributed deployment hosts: - default: - url: https:// + url: https:// port: 55000 username: wazuh-wui - password: + password: run_as: false #. Edit the Wazuh server configuration file at ``/var/ossec/etc/ossec.conf`` to enable cluster mode: @@ -854,7 +854,7 @@ Distributed deployment 1516 0.0.0.0 - + no no @@ -868,7 +868,7 @@ Distributed deployment - :ref:`key ` represents a :ref:`key ` used to encrypt communication between cluster nodes. It should be the same on all the server nodes. To generate a unique key you can use the command ``openssl rand -hex 16``. - :ref:`port ` indicates the destination port for cluster communication. Leave the default as ``1516``. - :ref:`bind_addr ` is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 means the node will use any IP). - - :ref:`nodes ` is the address of the master node and can be either an IP or a DNS hostname. This parameter must be specified in all nodes, including the master itself. Replace ```` with the IP address of your master node. + - :ref:`nodes ` is the address of the master node and can be either an IP or a DNS hostname. This parameter must be specified in all nodes, including the master itself. Replace ```` with the IP address of your master node. - :ref:`hidden ` shows or hides the cluster information in the generated alerts. - :ref:`disabled ` indicates whether the node is enabled or disabled in the cluster. This option must be set to ``no``. 
@@ -1073,7 +1073,7 @@ Install and configure Filebeat # Wazuh - Filebeat configuration file output.elasticsearch: - hosts: :9200 + hosts: :9200 protocol: https #. Create a Filebeat keystore to securely store authentication credentials: @@ -1202,7 +1202,7 @@ Configuring the Wazuh server worker nodes 1516 0.0.0.0 - + no no @@ -1216,7 +1216,7 @@ Configuring the Wazuh server worker nodes - ```` represents the :ref:`key created previously ` for the master node. It has to be the same for all the nodes. In case you have an already distributed infrastructure, copy this key from the master node’s ``/var/ossec/etc/ossec.conf`` file. - ```` indicates the destination port for cluster communication. Leave the default as ``1516``. - ```` is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 means the node will use any IP). - - ```` contain the address of the master node which can be either an IP or a DNS hostname. Replace ```` with the IP address of your master node. + - ```` contain the address of the master node which can be either an IP or a DNS hostname. Replace ```` with the IP address of your master node. - ```` shows or hides the cluster information in the generated alerts. - ```` indicates whether the node is enabled or disabled in the cluster. This option must be set to ``no``. @@ -1261,7 +1261,7 @@ You can also check your new Wazuh server cluster by using the **Wazuh API Consol Access the Wazuh dashboard using the credentials below. -- URL: ``https://`` +- URL: ``https://`` - Username: ``admin`` - Password: ```` or ``admin`` in case you already have a distributed architecture and using the default password. 
@@ -1364,14 +1364,14 @@ Wazuh agents can be configured to report to a :ref:`load balancer `` block, replace the ```` with the load balancer IP address: +#. Edit the Wazuh agent configuration in ``/var/ossec/etc/ossec.conf`` to add the Load Balancer IP address. In the ```` block, replace the ```` with the load balancer IP address: .. code-block:: xml :emphasize-lines: 3 -
+
@@ -1872,9 +1872,9 @@ Perform the following steps to configure HAProxy to work with a Wazuh server clu backend wazuh_register mode tcp balance leastconn - server master :1515 check - server worker1 :1515 check - server workern :1515 check + server master :1515 check + server worker1 :1515 check + server workern :1515 check # Do not include the following if you will enable HAProxy Helper frontend wazuh_reporting_front @@ -1885,14 +1885,14 @@ Perform the following steps to configure HAProxy to work with a Wazuh server clu backend wazuh_reporting mode tcp balance leastconn - server master :1514 check - server worker1 :1514 check - server worker2 :1514 check + server master :1514 check + server worker1 :1514 check + server worker2 :1514 check Replace: - - ```` with the IP address or DNS of the Wazuh server master node in your cluster. - - ```` with the IP address or DNS of the Wazuh server worker nodes in your cluster. + - ```` with the IP address or DNS of the Wazuh server master node in your cluster. + - ```` with the IP address or DNS of the Wazuh server worker nodes in your cluster. .. raw:: html @@ -2238,7 +2238,7 @@ As an example, you can configure a basic HAProxy helper within an already config 1516 0.0.0.0 - WAZUH-MASTER-ADDRESS + no no @@ -2272,7 +2272,7 @@ As an example, you can configure a basic HAProxy helper within an already config 1516 0.0.0.0 - WAZUH-MASTER-ADDRESS + no no