
Optimize LB use #318

Open
vcerenu opened this issue Jan 30, 2023 · 6 comments · May be fixed by #575
Comments

vcerenu (Member) commented Jan 30, 2023

Now the Wazuh deployment with Kubernetes uses 4 Load Balancers, 1 for each service deployed. Investigating how to use a lower quantity of Load Balancer resources in the Wazuh deployment is necessary.

bmm-alc commented Nov 17, 2023

Hello, any feedback on this?

Thanks.

vcerenu (Member, Author) commented Jan 24, 2024

We proceeded to investigate the most efficient way to use Load Balancers in AWS.

It was decided to use 2 LBs, one internal and one external. For this, the decision was made to use 2 Network LBs instead of 4 Classic LBs.

To use NLBs it was investigated and found that it is necessary to install the AWS Load Balancer Controller as a prerequisite: https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html

We proceeded to install it and then modified the services; for this, 2 new LBs were created:

External LB:

apiVersion: v1
kind: Service
metadata:
  name: wazuh-external-lb
  namespace: wazuh
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    service.beta.kubernetes.io/aws-load-balancer-name: wazuh-external-lb
spec:
  type: LoadBalancer
  ports:
  - name: manager-worker-agents-events
    port: 1514
    targetPort: agents-events
  - name: manager-cluster
    port: 1516
    targetPort: cluster-port
  - name: manager-master-registration
    port: 1515
    targetPort: registration
  - name: manager-master-api
    port: 55000
    targetPort: api-port
  - name: dashboard
    port: 443
    targetPort: dashboard-port
  selector:
    lbtype: external

Internal LB:

apiVersion: v1
kind: Service
metadata:
  name: wazuh-internal-lb
  namespace: wazuh
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: internal
    service.beta.kubernetes.io/aws-load-balancer-scheme: internal
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    service.beta.kubernetes.io/aws-load-balancer-name: wazuh-internal-lb
spec:
  type: LoadBalancer
  ports:
  - name: indexer-rest
    port: 9200
    targetPort: indexer-rest
  - name: indexer-nodes
    port: 9300
    targetPort: indexer-nodes
  selector:
    lbtype: internal
    app: wazuh-indexer

The CN of the certificate created for each of the services was modified according to which LB that service uses:

generate_certs.sh:

echo "* Node cert"
echo "create: node-key-temp.pem"
openssl genrsa -out node-key-temp.pem 2048
echo "create: node-key.pem"
openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem
echo "create: node.csr"
openssl req -days 3650 -new -key node-key.pem -out node.csr -subj "/C=US/L=California/O=Company/CN=wazuh-internal-lb"
echo "create: node.pem"
openssl x509 -req -days 3650 -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem

echo "* dashboard cert"
echo "create: dashboard-key-temp.pem"
openssl genrsa -out dashboard-key-temp.pem 2048
echo "create: dashboard-key.pem"
openssl pkcs8 -inform PEM -outform PEM -in dashboard-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out dashboard-key.pem
echo "create: dashboard.csr"
openssl req -days 3650 -new -key dashboard-key.pem -out dashboard.csr -subj "/C=US/L=California/O=Company/CN=wazuh-external-lb"
echo "create: dashboard.pem"
openssl x509 -req -days 3650 -in dashboard.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out dashboard.pem

echo "* Filebeat cert"
echo "create: filebeat-key-temp.pem"
openssl genrsa -out filebeat-key-temp.pem 2048
echo "create: filebeat-key.pem"
openssl pkcs8 -inform PEM -outform PEM -in filebeat-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out filebeat-key.pem
echo "create: filebeat.csr"
openssl req -days 3650 -new -key filebeat-key.pem -out filebeat.csr -subj "/C=US/L=California/O=Company/CN=wazuh-external-lb"
echo "create: filebeat.pem"
openssl x509 -req -days 3650 -in filebeat.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out filebeat.pem

Additionally, some metadata was added to the Deployments and StatefulSets used for the stack deployment:

spec:
  selector:
    matchLabels:
      lbtype: external / internal
spec:
  template:
    metadata:
      labels:
        lbtype: external

All variables that had routes pointing to other services or pods were also modified, since the previous services are no longer available:

          env:
            - name: INDEXER_URL
              value: 'https://wazuh-internal-lb:9200'
            - name: WAZUH_API_URL
              value: https://wazuh-external-lb
server.host: 0.0.0.0
server.port: 5601
opensearch.hosts: https://wazuh-internal-lb:9200

A separate version of this deployment is being analyzed, since it is not compatible with a deployment in an on-premise environment.

vcerenu (Member, Author) commented Jan 25, 2024

An attempt was made to connect an agent to the Wazuh stack. It registered correctly but then did not send information; this was verified in the agent log, which showed problems connecting to port 1514:

2024/01/25 11:49:13 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2024/01/25 11:49:13 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2024/01/25 11:49:13 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2024/01/25 11:49:13 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'.
2024/01/25 11:49:13 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/syslog'.
2024/01/25 11:49:13 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2024/01/25 11:49:13 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/kern.log'.
2024/01/25 11:49:13 wazuh-logcollector: INFO: Started (pid: 12318).
2024/01/25 11:49:14 wazuh-modulesd: INFO: Started (pid: 12335).
2024/01/25 11:49:14 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2024/01/25 11:49:14 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2024/01/25 11:49:14 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2024/01/25 11:49:14 wazuh-modulesd:control: INFO: Starting control thread.
2024/01/25 11:49:14 sca: INFO: Module started.
2024/01/25 11:49:14 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
2024/01/25 11:49:14 sca: INFO: Starting Security Configuration Assessment scan.
2024/01/25 11:49:15 wazuh-modulesd:syscollector: INFO: Module started.
2024/01/25 11:49:15 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/01/25 11:49:15 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
2024/01/25 11:49:15 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/01/25 11:49:32 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2024/01/25 11:49:32 wazuh-agentd: INFO: Using AES as encryption method.
2024/01/25 11:49:32 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:49:43 wazuh-agentd: INFO: Closing connection to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:49:43 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:49:53 wazuh-agentd: INFO: Closing connection to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:49:53 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:50:05 wazuh-agentd: INFO: Closing connection to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:50:05 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:50:15 wazuh-agentd: INFO: Closing connection to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:50:15 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:50:16 wazuh-agentd: INFO: Requesting a key from server: wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com
2024/01/25 11:50:16 wazuh-agentd: INFO: Using agent name as: server1
2024/01/25 11:50:16 wazuh-agentd: INFO: Waiting for server reply
2024/01/25 11:50:17 wazuh-agentd: ERROR: Duplicate agent name: server1 (from manager)
2024/01/25 11:50:17 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/25 11:50:27 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: 'wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com'. Ensure that the manager version is 'v4.7.2' or higher.
2024/01/25 11:50:27 wazuh-agentd: WARNING: Unable to connect to any server.
2024/01/25 11:50:27 wazuh-agentd: INFO: Closing connection to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:50:27 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:50:37 wazuh-agentd: INFO: Closing connection to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:50:37 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:50:47 wazuh-agentd: INFO: Closing connection to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:50:48 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:50:58 wazuh-agentd: INFO: Closing connection to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:50:58 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:51:08 wazuh-agentd: INFO: Closing connection to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:51:08 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:51:09 wazuh-agentd: INFO: Requesting a key from server: wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com
2024/01/25 11:51:09 wazuh-agentd: INFO: Using agent name as: server1
2024/01/25 11:51:09 wazuh-agentd: INFO: Waiting for server reply
2024/01/25 11:51:10 wazuh-agentd: ERROR: Duplicate agent name: server1 (from manager)
2024/01/25 11:51:10 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/25 11:51:20 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: 'wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com'. Ensure that the manager version is 'v4.7.2' or higher.
2024/01/25 11:51:20 wazuh-agentd: WARNING: Unable to connect to any server.

We proceeded to try adding the Wazuh manager master node to the balancer for port 1514. When the LB matched the agent with the master it could communicate; later, if it was matched with any worker node, communication was lost and it failed again:

2024/01/25 11:32:15 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2024/01/25 11:32:15 wazuh-agentd: INFO: Using AES as encryption method.
2024/01/25 11:32:15 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-9bb0531434bab5b5.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:32:26 wazuh-agentd: INFO: Closing connection to server ([wazuh-external-lb-9bb0531434bab5b5.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:32:26 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-9bb0531434bab5b5.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:32:36 wazuh-agentd: INFO: Closing connection to server ([wazuh-external-lb-9bb0531434bab5b5.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:32:36 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-9bb0531434bab5b5.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:32:47 wazuh-agentd: INFO: Closing connection to server ([wazuh-external-lb-9bb0531434bab5b5.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:32:47 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-9bb0531434bab5b5.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:32:58 wazuh-agentd: INFO: Closing connection to server ([wazuh-external-lb-9bb0531434bab5b5.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:32:58 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-9bb0531434bab5b5.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:33:09 wazuh-agentd: INFO: Requesting a key from server: wazuh-external-lb-9bb0531434bab5b5.elb.us-west-1.amazonaws.com
2024/01/25 11:33:13 wazuh-agentd: INFO: Using agent name as: server1
2024/01/25 11:33:13 wazuh-agentd: INFO: Waiting for server reply
2024/01/25 11:33:13 wazuh-agentd: ERROR: SSL read (unable to receive message)
2024/01/25 11:33:13 wazuh-agentd: ERROR: If Agent verification is enabled, agent key and certificates may be incorrect!
2024/01/25 11:33:23 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: 'wazuh-external-lb-9bb0531434bab5b5.elb.us-west-1.amazonaws.com'. Ensure that the manager version is 'v4.7.2' or higher.
2024/01/25 11:33:23 wazuh-agentd: WARNING: Unable to connect to any server.
2024/01/25 11:33:23 wazuh-agentd: INFO: Closing connection to server ([wazuh-external-lb-9bb0531434bab5b5.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:33:23 wazuh-agentd: INFO: Trying to connect to server ([wazuh-external-lb-9bb0531434bab5b5.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:33:23 wazuh-agentd: INFO: (4102): Connected to the server ([wazuh-external-lb-9bb0531434bab5b5.elb.us-west-1.amazonaws.com]:1514/tcp).
2024/01/25 11:33:26 wazuh-syscheckd: INFO: Agent is now online. Process unlocked, continuing...
2024/01/25 11:33:26 rootcheck: INFO: Starting rootcheck scan.
2024/01/25 11:33:26 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
2024/01/25 11:33:26 sca: INFO: Security Configuration Assessment scan finished. Duration: 89 seconds.
2024/01/25 11:33:27 wazuh-modulesd: INFO: Agent is now online. Process unlocked, continuing...
2024/01/25 11:33:28 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2024/01/25 11:33:28 wazuh-syscheckd: INFO: FIM sync module started.
2024/01/25 11:33:29 wazuh-agentd: INFO: Agent is restarting due to shared configuration changes.
2024/01/25 11:33:29 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2024/01/25 11:33:29 wazuh-modulesd:syscollector: INFO: Module finished.
2024/01/25 11:33:29 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/01/25 11:33:30 wazuh-syscheckd: INFO: (1756): Shutdown received. Releasing resources.
2024/01/25 11:33:30 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/01/25 11:33:30 wazuh-agentd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/01/25 11:33:30 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.
2024/01/25 11:33:30 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/01/25 11:33:32 wazuh-execd: INFO: Started (pid: 9948).

It was verified and there was no connection between the worker nodes and the master:

root@wazuh-manager-master-0:/var/ossec/bin# ./cluster_control -l
NAME                  TYPE    VERSION  ADDRESS                                     
wazuh-manager-master  master  4.7.2    wazuh-manager-master-0.wazuh-cluster.wazuh  
2024/01/25 11:49:34 INFO: [Worker] [Main] Connection from ('192.168.16.48', 40927)
2024/01/25 11:49:34 ERROR: [Worker] [Main] Error during handshake with incoming connection.
2024/01/25 11:49:34 INFO: [Worker] [Main] Cancelling pending tasks.
2024/01/25 11:49:36 INFO: [Worker] [Main] Connection from ('192.168.57.15', 9799)
2024/01/25 11:49:36 ERROR: [Worker] [Main] Error during handshake with incoming connection.
2024/01/25 11:49:36 INFO: [Worker] [Main] Cancelling pending tasks.
2024/01/25 11:49:38 INFO: [Worker] [Main] Connection from ('192.168.16.48', 28667)
2024/01/25 11:49:38 ERROR: [Worker] [Main] Error during handshake with incoming connection.
2024/01/25 11:49:38 INFO: [Worker] [Main] Cancelling pending tasks.
2024/01/25 11:49:40 INFO: [Master] [Local integrity] Starting.
2024/01/25 11:49:40 INFO: [Master] [Local integrity] Finished in 0.005s. Calculated metadata of 34 files.
2024/01/25 11:49:40 INFO: [Worker] [Main] Connection from ('192.168.6.183', 25428)
2024/01/25 11:49:40 ERROR: [Worker] [Main] Error during handshake with incoming connection.
2024/01/25 11:49:40 INFO: [Worker] [Main] Cancelling pending tasks.
2024/01/25 11:49:41 INFO: [Master] [Local agent-groups] Starting.
2024/01/25 11:49:41 INFO: [Master] [Local agent-groups] No clients connected. Skipping.
2024/01/25 11:49:43 INFO: [Worker] [Main] Connection from ('192.168.6.183', 24791)
2024/01/25 11:49:43 ERROR: [Worker] [Main] Error during handshake with incoming connection.
2024/01/25 11:49:43 INFO: [Worker] [Main] Cancelling pending tasks.
2024/01/25 11:49:46 INFO: [Worker] [Main] Connection from ('192.168.6.183', 14125)
2024/01/25 11:49:46 ERROR: [Worker] [Main] Error during handshake with incoming connection.
2024/01/25 11:49:46 INFO: [Worker] [Main] Cancelling pending tasks.
2024/01/25 11:49:48 INFO: [Master] [Local integrity] Starting.
2024/01/25 11:49:48 INFO: [Master] [Local integrity] Finished in 0.004s. Calculated metadata of 34 files.
2024/01/25 11:49:49 INFO: [Worker] [Main] Connection from ('192.168.44.82', 49480)
2024/01/25 11:49:49 ERROR: [Worker] [Main] Error during handshake with incoming connection.
2024/01/25 11:49:49 INFO: [Worker] [Main] Cancelling pending tasks.
2024/01/25 11:49:50 INFO: [Worker] [Main] Connection from ('192.168.6.183', 37249)
2024/01/25 11:49:50 ERROR: [Worker] [Main] Error during handshake with incoming connection.
2024/01/25 11:49:50 INFO: [Worker] [Main] Cancelling pending tasks.
2024/01/25 11:49:51 INFO: [Master] [Local agent-groups] Starting.
2024/01/25 11:49:51 INFO: [Master] [Local agent-groups] No clients connected. Skipping.
2024/01/25 11:49:53 INFO: [Worker] [Main] Connection from ('192.168.57.15', 26548)
2024/01/25 11:49:53 ERROR: [Worker] [Main] Error during handshake with incoming connection.
2024/01/25 11:49:53 INFO: [Worker] [Main] Cancelling pending tasks.
2024/01/25 11:49:53 INFO: [Worker] [Main] Connection from ('192.168.6.183', 57903)
2024/01/25 11:49:53 ERROR: [Worker] [Main] Error during handshake with incoming connection.
2024/01/25 11:49:53 INFO: [Worker] [Main] Cancelling pending tasks.
2024/01/25 11:49:54 INFO: [Worker] [Main] Connection from ('192.168.16.48', 43170)
2024/01/25 11:49:54 ERROR: [Worker] [Main] Error during handshake with incoming connection.
2024/01/25 11:49:54 INFO: [Worker] [Main] Cancelling pending tasks.
2024/01/25 11:49:56 INFO: [Master] [Local integrity] Starting.
2024/01/25 11:49:56 INFO: [Master] [Local integrity] Finished in 0.004s. Calculated metadata of 34 files.
2024/01/25 11:49:56 INFO: [Worker] [Main] Connection from ('192.168.57.15', 21052)
2024/01/25 11:49:56 ERROR: [Worker] [Main] Error during handshake with incoming connection.
2024/01/25 11:49:56 INFO: [Worker] [Main] Cancelling pending tasks.
2024/01/25 11:50:01 INFO: [Worker] [Main] Connection from ('192.168.16.48', 5340)
2024/01/25 11:50:01 ERROR: [Worker] [Main] Error during handshake with incoming connection.

It was reviewed and there was no correct connection from the worker nodes to the master, so the ClusterIP service that previously existed on port 1516 was created again so that there could be communication between the Wazuh manager nodes:

apiVersion: v1
kind: Service
metadata:
  name: wazuh-cluster
  namespace: wazuh
  labels:
    app: wazuh-manager
spec:
  selector:
    app: wazuh-manager
  ports:
    - name: cluster
      port: 1516
      targetPort: 1516
  clusterIP: None

After carrying out this deployment of the service, the connection with the Wazuh manager cluster nodes began to work well and the agent was able to send information:

Wazuh manager master:

2024/01/25 13:06:42 INFO: [Worker wazuh-manager-worker-0] [Integrity check] Finished in 0.008s. Sync not required.
2024/01/25 13:06:43 INFO: [Worker wazuh-manager-worker-0] [Agent-info sync] Starting.
2024/01/25 13:06:43 INFO: [Worker wazuh-manager-worker-0] [Agent-info sync] Finished in 0.002s. Updated 0 chunks.
2024/01/25 13:06:47 INFO: [Worker wazuh-manager-worker-0] [Agent-groups recv] Starting.
2024/01/25 13:06:47 INFO: [Worker wazuh-manager-worker-0] [Agent-groups recv] Finished in 0.002s. Updated 1 chunks.
2024/01/25 13:06:51 INFO: [Worker wazuh-manager-worker-0] [Integrity check] Starting.
2024/01/25 13:06:51 INFO: [Worker wazuh-manager-worker-0] [Integrity check] Finished in 0.009s. Sync not required.
2024/01/25 13:06:53 INFO: [Worker wazuh-manager-worker-0] [Agent-info sync] Starting.
2024/01/25 13:06:53 INFO: [Worker wazuh-manager-worker-0] [Agent-info sync] Finished in 0.002s. Updated 0 chunks.
2024/01/25 13:06:57 INFO: [Worker wazuh-manager-worker-0] [Agent-groups recv] Starting.
2024/01/25 13:06:57 INFO: [Worker wazuh-manager-worker-0] [Agent-groups recv] Finished in 0.002s. Updated 1 chunks.
2024/01/25 13:07:00 INFO: [Worker wazuh-manager-worker-0] [Integrity check] Starting.
2024/01/25 13:07:00 INFO: [Worker wazuh-manager-worker-0] [Integrity check] Finished in 0.009s. Sync not required.
2024/01/25 13:07:03 INFO: [Worker wazuh-manager-worker-0] [Agent-info sync] Starting.
2024/01/25 13:07:03 INFO: [Worker wazuh-manager-worker-0] [Agent-info sync] Finished in 0.002s. Updated 0 chunks.
2024/01/25 13:07:07 INFO: [Worker wazuh-manager-worker-0] [Agent-groups recv] Starting.
2024/01/25 13:07:07 INFO: [Worker wazuh-manager-worker-0] [Agent-groups recv] Finished in 0.002s. Updated 1 chunks.
2024/01/25 13:07:09 INFO: [Worker wazuh-manager-worker-0] [Integrity check] Starting.
2024/01/25 13:07:09 INFO: [Worker wazuh-manager-worker-0] [Integrity check] Finished in 0.008s. Sync not required.
2024/01/25 13:07:13 INFO: [Worker wazuh-manager-worker-0] [Agent-info sync] Starting.
2024/01/25 13:07:13 INFO: [Worker wazuh-manager-worker-0] [Agent-info sync] Finished in 0.002s. Updated 0 chunks.
2024/01/25 13:07:17 INFO: [Worker wazuh-manager-worker-0] [Agent-groups recv] Starting.
2024/01/25 13:07:17 INFO: [Worker wazuh-manager-worker-0] [Agent-groups recv] Finished in 0.002s. Updated 1 chunks.
2024/01/25 13:07:18 INFO: [Worker wazuh-manager-worker-0] [Integrity check] Starting.
2024/01/25 13:07:18 INFO: [Worker wazuh-manager-worker-0] [Integrity check] Finished in 0.009s. Sync not required.

Wazuh agent:

2024/01/25 13:09:37 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2024/01/25 13:09:37 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2024/01/25 13:09:37 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'.
2024/01/25 13:09:37 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/syslog'.
2024/01/25 13:09:37 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2024/01/25 13:09:37 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/kern.log'.
2024/01/25 13:09:37 wazuh-logcollector: INFO: Started (pid: 14948).
2024/01/25 13:09:37 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2024/01/25 13:09:37 wazuh-syscheckd: INFO: FIM sync module started.
2024/01/25 13:09:38 wazuh-modulesd: INFO: Started (pid: 14987).
2024/01/25 13:09:38 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2024/01/25 13:09:38 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2024/01/25 13:09:38 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2024/01/25 13:09:38 wazuh-modulesd:control: INFO: Starting control thread.
2024/01/25 13:09:38 sca: INFO: Module started.
2024/01/25 13:09:38 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
2024/01/25 13:09:38 sca: INFO: Starting Security Configuration Assessment scan.
2024/01/25 13:09:38 wazuh-modulesd:syscollector: INFO: Module started.
2024/01/25 13:09:38 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/01/25 13:09:38 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
2024/01/25 13:09:38 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/01/25 13:09:42 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
2024/01/25 13:09:42 sca: INFO: Security Configuration Assessment scan finished. Duration: 4 seconds.
2024/01/25 13:09:54 rootcheck: INFO: Ending rootcheck scan.

Once the correct functioning of the Wazuh stack was verified, the deployment files were reorganized: the local-env directory points to the manifests of the wazuh directory as it was after the changes; an eks directory also points to the wazuh directory, in case you want to keep the old version of the deployment; and a new eks-nlb directory points to a new wazuh-eks directory, which contains all the changes we have made:

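The checks below are an added example, not code from this issue or from the wazuh-kubernetes project. They re-type the two LB manifests from the Jan 24 comment as Python dicts and (a) flag node-to-node ports published on the internet-facing NLB, the role the headless port 1516 Service above ends up serving, and (b) test whether a certificate name list such as the CN=wazuh-external-lb set in generate_certs.sh covers the DNS names clients actually use, like the amazonaws.com name in the agent log. The NODE_TO_NODE_PORTS table and the hostname-matching helper are assumptions of this example.

```python
"""Review checks for the consolidated Wazuh LB Services (added example)."""
from __future__ import annotations

SCHEME_KEY = "service.beta.kubernetes.io/aws-load-balancer-scheme"

# Constructed inline to mirror the external/internal LB manifests in this issue,
# so the checks run offline without PyYAML.
EXTERNAL_LB = {
    "metadata": {"name": "wazuh-external-lb",
                 "annotations": {SCHEME_KEY: "internet-facing"}},
    "spec": {"type": "LoadBalancer", "ports": [
        {"name": "manager-worker-agents-events", "port": 1514},
        {"name": "manager-cluster", "port": 1516},
        {"name": "manager-master-registration", "port": 1515},
        {"name": "manager-master-api", "port": 55000},
        {"name": "dashboard", "port": 443},
    ]},
}
INTERNAL_LB = {
    "metadata": {"name": "wazuh-internal-lb",
                 "annotations": {SCHEME_KEY: "internal"}},
    "spec": {"type": "LoadBalancer", "ports": [
        {"name": "indexer-rest", "port": 9200},
        {"name": "indexer-nodes", "port": 9300},
    ]},
}

# Assumption for this example: these ports carry node-to-node traffic only
# (1516 is the manager cluster daemon, 9300 the indexer transport), so they
# never belong on an internet-facing balancer. The thread above ends up
# serving 1516 through a headless ClusterIP Service for exactly that reason.
NODE_TO_NODE_PORTS = {1516: "manager cluster daemon", 9300: "indexer transport"}


def is_internet_facing(svc: dict) -> bool:
    """True for a LoadBalancer Service annotated for an internet-facing NLB."""
    annotations = svc["metadata"].get("annotations", {})
    return (svc["spec"].get("type") == "LoadBalancer"
            and annotations.get(SCHEME_KEY) == "internet-facing")


def audit_exposure(services: list[dict]) -> list[str]:
    """Flag node-to-node ports that an internet-facing Service publishes."""
    findings = []
    for svc in services:
        if not is_internet_facing(svc):
            continue
        for port in svc["spec"].get("ports", []):
            role = NODE_TO_NODE_PORTS.get(port["port"])
            if role:
                findings.append(
                    f"{svc['metadata']['name']}: port {port['port']} ({role}) "
                    f"is published on an internet-facing LB")
    return findings


def hostname_matches(cert_names: list[str], host: str) -> bool:
    """RFC 6125-style check: exact match, or a wildcard covering one left-most label."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".elb.us-west-1.amazonaws.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def uncovered_hosts(cert_names: list[str], hosts: list[str]) -> list[str]:
    """Client-facing names that the certificate's CN/SAN list would not satisfy."""
    return [h for h in hosts if not hostname_matches(cert_names, h)]


if __name__ == "__main__":
    for line in audit_exposure([EXTERNAL_LB, INTERNAL_LB]):
        print("EXPOSURE:", line)
    # generate_certs.sh sets only CN=wazuh-external-lb, while the agent log shows
    # clients reaching the NLB by its amazonaws.com DNS name.
    client_names = ["wazuh-external-lb",
                    "wazuh-external-lb-31d2bc98d103d26d.elb.us-west-1.amazonaws.com"]
    for h in uncovered_hosts(["wazuh-external-lb"], client_names):
        print("CERT NAME GAP:", h)
```

Adding the NLB DNS name (or the wildcard the ELB domain allows) as a subjectAltName is the usual way to close the second finding; a CN-only certificate is also rejected outright by clients that ignore the CN field.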

@vcerenu vcerenu linked a pull request Jan 31, 2024 that will close this issue
gecube commented Feb 1, 2024

@vcerenu Hi! Great job! Thanks. Also, do you consider using Ingress or a similar way of publishing Wazuh? I'll explain my use case.

  • we have separate Amazon accounts, each intended for one environment
  • in a single Amazon account there could be 1+ clusters
  • Wazuh is installed on top of each cluster, and Wazuh agents run on all nodes and join Wazuh by the internal cluster IP
  • so I removed the LBs everywhere and changed the type of the services back to ClusterIP
  • also, I have two Ingress controllers in each cluster: one for external traffic and one for internal traffic.

So I really wonder why we need dedicated LBs for Wazuh. Any considerations / ideas?

bmm-alc commented Feb 26, 2024

Sorry to hijack this PR, but:
1. as a user of a provider other than Google or AWS,
2. as I see there is a GKE branch PR lingering without feedback,
3. and as this PR to create an eks-nlb variant is coming and duplicates a good part of the manifests,

wouldn't it be more efficient to create a (base/production) overlay freed from any cloud-provider feature that would serve as a base, and build eks/gke from it?

gecube commented Feb 26, 2024

@bmm-alc Hi! Totally agree with you. Thanks for your idea!

Facu-hub-code added a commit to Marvel-Advisors-LLC/wazuh-kubernetes-old that referenced this issue Jun 19, 2024
Status: Backlog
5 participants