Managing Multiple Wazuh Clusters with Cross-Cluster Search#

Introduction#

Cross-Cluster Search (CCS) in Wazuh revolutionizes how organizations manage distributed security infrastructures. This capability allows security teams to query and view alerts from multiple remote Wazuh clusters through a single, centralized dashboard - all while maintaining data residency and sovereignty at each location.

For Managed Security Service Providers (MSSPs) and enterprises with distributed operations, CCS provides:

🌐 Unified Visibility: Single pane of glass across multiple clusters
🔒 Data Sovereignty: Logs remain within customer environments
🚀 Scalable Architecture: Add new clusters without data migration
🛡️ Isolated Security: Compromise of one cluster doesn’t affect others
📊 Centralized SOC Operations: Remote monitoring without data replication

Understanding the Challenge#

Traditional Approach Limitations#

1
flowchart TB
2
    subgraph "Traditional Centralized SIEM"
3
        C1[Customer A Data] --> S1[Central SIEM]
4
        C2[Customer B Data] --> S1
5
        C3[Customer C Data] --> S1
6
        S1 --> D1[Single Dashboard]
7
    end
8

9
    subgraph "Challenges"
10
        CH1[Data Residency Issues]
11
        CH2[Bandwidth Costs]
12
        CH3[Single Point of Failure]
13
        CH4[Compliance Concerns]
14
        CH5[Performance Bottlenecks]
15
    end
16

17
    S1 --> CH1
18
    S1 --> CH2
19
    S1 --> CH3
20
    S1 --> CH4
21
    S1 --> CH5
22

23
    style CH1 fill:#ff6b6b
24
    style CH2 fill:#ff6b6b
25
    style CH3 fill:#ff6b6b
26
    style CH4 fill:#ff6b6b
27
    style CH5 fill:#ff6b6b

Cross-Cluster Search Solution#

1
flowchart TB
2
    subgraph "CCS Architecture"
3
        subgraph "Customer A Environment"
4
            A1[Wazuh Agents] --> A2[Wazuh Server A]
5
            A2 --> A3[Wazuh Indexer A]
6
            A3 --> |Data Stays Local| A4[(Local Storage)]
7
        end
8

9
        subgraph "Customer B Environment"
10
            B1[Wazuh Agents] --> B2[Wazuh Server B]
11
            B2 --> B3[Wazuh Indexer B]
12
            B3 --> |Data Stays Local| B4[(Local Storage)]
13
        end
14

15
        subgraph "SOC Environment"
16
            CCS1[CCS Indexer] --> CCS2[CCS Dashboard]
17
            CCS1 -.->|Query Only| A3
18
            CCS1 -.->|Query Only| B3
19
        end
20
    end
21

22
    style A4 fill:#51cf66
23
    style B4 fill:#51cf66
24
    style CCS2 fill:#4dabf7

Real-World Scenario#

Problem Statement#

A cybersecurity operations company providing managed SOC services needs to:

Monitor multiple customer environments from a central location
Keep each customer’s data isolated and within their infrastructure
Maintain strict access controls per customer
Provide unified threat visibility across all customers

Solution Architecture#

We implement three distinct environments:

CCS Environment (Central SOC)
- Wazuh indexer for cross-cluster queries
- Wazuh dashboard for unified visualization
- No local data storage - queries only
Customer Clusters (A & B)
- Complete Wazuh deployment (server + indexer)
- Local data retention
- Trust relationship with CCS only

Infrastructure Requirements#

Component Overview#

Environment	Component	Purpose	Specifications
CCS	Wazuh Indexer	Query coordinator	8GB RAM, 4 CPUs
CCS	Wazuh Dashboard	Unified interface	Shared with indexer
Cluster A	Wazuh Server	Log collection/analysis	8GB RAM, 4 CPUs
Cluster A	Wazuh Indexer	Alert storage	16GB RAM, 4 CPUs
Cluster B	Wazuh Server	Log collection/analysis	8GB RAM, 4 CPUs
Cluster B	Wazuh Indexer	Alert storage	16GB RAM, 4 CPUs

Network Architecture#

1
flowchart LR
2
    subgraph "Network Topology"
3
        subgraph "SOC Network (192.168.186.0/24)"
4
            CCS[CCS Environment<br/>192.168.186.60]
5
        end
6

7
        subgraph "Customer A Network (192.168.10.0/24)"
8
            CA_S[Wazuh Server<br/>192.168.10.100]
9
            CA_I[Wazuh Indexer<br/>192.168.10.101]
10
            CA_S --> CA_I
11
        end
12

13
        subgraph "Customer B Network (192.168.20.0/24)"
14
            CB_S[Wazuh Server<br/>192.168.20.100]
15
            CB_I[Wazuh Indexer<br/>192.168.20.101]
16
            CB_S --> CB_I
17
        end
18

19
        CCS -.->|Port 9300<br/>TLS| CA_I
20
        CCS -.->|Port 9300<br/>TLS| CB_I
21
    end

Implementation Guide#

Phase 1: CCS Environment Setup#

Generate Root CA and Certificates#

1
# Download certificate generation tools
2
curl -sO https://packages.wazuh.com/4.8/wazuh-certs-tool.sh
3
curl -sO https://packages.wazuh.com/4.8/config.yml
4

5
# Configure CCS nodes
6
cat > config.yml << EOF
7
nodes:
8
  indexer:
9
    - name: ccs-wazuh-indexer-1
10
      ip: "192.168.186.60"
11
  dashboard:
12
    - name: ccs-wazuh-dashboard
13
      ip: "192.168.186.60"
14
EOF
15

16
# Generate certificates including root CA
17
bash ./wazuh-certs-tool.sh -A
18

19
# Package certificates
20
tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .

Install CCS Wazuh Indexer#

1
# Install dependencies and Wazuh repository
2
yum install -y coreutils
3
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
4
echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
5

6
# Install Wazuh indexer
7
yum -y install wazuh-indexer

Configure /etc/wazuh-indexer/opensearch.yml:

1
network.host: "192.168.186.60"
2
node.name: "ccs-wazuh-indexer-1"
3
cluster.initial_master_nodes:
4
  - "ccs-wazuh-indexer-1"
5
cluster.name: "ccs-cluster"
6

7
# Security configuration
8
plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
9
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
10
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
11
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
12
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
13
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
14

15
# Trust configuration
16
plugins.security.authcz.admin_dn:
17
  - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
18
plugins.security.nodes_dn:
19
  - "CN=ccs-wazuh-indexer-1,OU=Wazuh,O=Wazuh,L=California,C=US"

Deploy certificates and start service:

1
# Deploy certificates
2
NODE_NAME=ccs-wazuh-indexer-1
3
mkdir /etc/wazuh-indexer/certs
4
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ \
5
    ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
6
mv /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
7
mv /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
8
chmod 500 /etc/wazuh-indexer/certs
9
chmod 400 /etc/wazuh-indexer/certs/*
10
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
11

12
# Start service
13
systemctl enable wazuh-indexer
14
systemctl start wazuh-indexer
15

16
# Initialize security
17
/usr/share/wazuh-indexer/bin/indexer-security-init.sh

Install CCS Wazuh Dashboard#

1
# Install dependencies
2
yum install libcap
3

4
# Install Wazuh dashboard
5
yum -y install wazuh-dashboard

Configure /etc/wazuh-dashboard/opensearch_dashboards.yml:

1
server.host: 0.0.0.0
2
server.port: 443
3
opensearch.hosts: "https://192.168.186.60:9200"
4
opensearch.ssl.verificationMode: certificate

Configure multi-cluster access in /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml:

1
hosts:
2
  - Cluster A:
3
      url: https://192.168.10.100
4
      port: 55000
5
      username: wazuh-wui
6
      password: wazuh-wui
7
      run_as: true
8
  - Cluster B:
9
      url: https://192.168.20.100
10
      port: 55000
11
      username: wazuh-wui
12
      password: wazuh-wui
13
      run_as: true

Phase 2: Remote Cluster Setup (Customer A)#

Generate Cluster Certificates Using Root CA#

1
# Copy root CA from CCS environment
2
scp user@192.168.186.60:~/wazuh-certificates/root-ca.* .
3

4
# Create cluster A configuration
5
cat > config.yml << EOF
6
nodes:
7
  indexer:
8
    - name: ca-wazuh-indexer-1
9
      ip: "192.168.10.101"
10
  server:
11
    - name: ca-wazuh-server-1
12
      ip: "192.168.10.100"
13
EOF
14

15
# Generate certificates using existing root CA
16
bash ./wazuh-certs-tool.sh -A ./root-ca.pem ./root-ca.key

Configure Cluster A Indexer with CCS Trust#

Edit /etc/wazuh-indexer/opensearch.yml:

1
network.host: "192.168.10.101"
2
node.name: "ca-wazuh-indexer-1"
3
cluster.name: "ca-cluster"
4

5
# Critical: Add CCS indexer to trusted nodes
6
plugins.security.nodes_dn:
7
  - "CN=ca-wazuh-indexer-1,OU=Wazuh,O=Wazuh,L=California,C=US"
8
  - "CN=ccs-wazuh-indexer-1,OU=Wazuh,O=Wazuh,L=California,C=US"  # CCS trust

Phase 3: Enable Cross-Cluster Search#

Access the CCS Wazuh dashboard and configure remote clusters:

1
PUT _cluster/settings
2
{
3
  "persistent": {
4
    "cluster.remote": {
5
      "ca-wazuh-indexer-1": {
6
        "seeds": ["192.168.10.101:9300"]
7
      },
8
      "cb-wazuh-indexer-1": {
9
        "seeds": ["192.168.20.101:9300"]
10
      }
11
    }
12
  }
13
}

Test connectivity:

1
GET ca-wazuh-indexer-1:wazuh-alerts-*/_search
2
{
3
  "query": {
4
    "match_all": {}
5
  },
6
  "size": 1
7
}

Phase 4: Configure Unified Index Patterns#

Create CCS Alert Pattern#

Navigate to ☰ > Dashboard management > Index patterns
Create pattern: *:wazuh-alerts-*
Select timestamp as time field
Set as default in App Settings

Create CCS Vulnerability Pattern#

Create pattern: *:wazuh-states-vulnerabilities-*
Select package.installed as time field
Configure in App Settings > Vulnerabilities

Advanced Configuration#

Security Hardening#

1. Network Isolation#

1
# Firewall rules for CCS indexer
2
firewall-cmd --permanent --add-rich-rule='
3
  rule family="ipv4"
4
  source address="192.168.10.101/32"
5
  port protocol="tcp" port="9300" accept'
6

7
firewall-cmd --permanent --add-rich-rule='
8
  rule family="ipv4"
9
  source address="192.168.20.101/32"
10
  port protocol="tcp" port="9300" accept'
11

12
firewall-cmd --reload

2. Certificate Pinning#

1
# Enhanced security in opensearch.yml
2
plugins.security.ssl.transport.truststore_type: PKCS12
3
plugins.security.ssl.transport.truststore_filepath: /etc/wazuh-indexer/certs/truststore.p12
4
plugins.security.ssl.transport.truststore_password: ${TRUSTSTORE_PASSWORD}
5
plugins.security.ssl.transport.enforce_hostname_verification: true

Performance Optimization#

1. Query Optimization#

1
# Limit CCS query scope
2
GET ca-wazuh-indexer-1:wazuh-alerts-*/_search
3
{
4
  "query": {
5
    "bool": {
6
      "filter": [
7
        {
8
          "range": {
9
            "timestamp": {
10
              "gte": "now-1h"
11
            }
12
          }
13
        },
14
        {
15
          "term": {
16
            "rule.level": {
17
              "value": 10
18
            }
19
          }
20
        }
21
      ]
22
    }
23
  },
24
  "size": 100,
25
  "_source": ["timestamp", "rule", "agent", "data"]
26
}

2. Network Optimization#

1
# CCS connection pooling
2
cluster.remote.ca-wazuh-indexer-1:
3
  seeds: ["192.168.10.101:9300"]
4
  connections_per_cluster: 3
5
  socket_timeout: 60s
6
  ping_schedule: 30s

Monitoring and Troubleshooting#

Health Check Script#

1
#!/bin/bash
2
echo "=== CCS Health Check ==="
3

4
# Check CCS indexer
5
echo -n "CCS Indexer: "
6
curl -s -k -u admin:admin https://192.168.186.60:9200/_cluster/health | \
7
  jq -r .status
8

9
# Check remote cluster connectivity
10
for cluster in "ca-wazuh-indexer-1" "cb-wazuh-indexer-1"; do
11
  echo -n "$cluster connectivity: "
12
  curl -s -k -u admin:admin \
13
    "https://192.168.186.60:9200/_remote/info" | \
14
    jq -r ".[\"$cluster\"].connected"
15
done
16

17
# Check index patterns
18
echo "Available indices:"
19
curl -s -k -u admin:admin \
20
  "https://192.168.186.60:9200/_cat/indices/*:wazuh-alerts-*?v"

Common Issues and Solutions#

Issue 1: Remote cluster not connected

1
# Verify network connectivity
2
nc -zv 192.168.10.101 9300
3

4
# Check certificates
5
openssl s_client -connect 192.168.10.101:9300 -showcerts
6

7
# Review logs
8
tail -f /var/log/wazuh-indexer/wazuh-cluster.log

Issue 2: Authentication failures

1
# Verify DN in remote cluster
2
grep nodes_dn /etc/wazuh-indexer/opensearch.yml
3

4
# Test with admin certificate
5
curl -k --cert admin.pem --key admin-key.pem \
6
  https://192.168.10.101:9200/_cluster/health

Best Practices#

1. Certificate Management#

1
# Automated certificate rotation script
2
#!/bin/bash
3
CERT_DIR="/etc/wazuh-indexer/certs"
4
DAYS_BEFORE_EXPIRY=30
5

6
# Check certificate expiration
7
for cert in $CERT_DIR/*.pem; do
8
  if openssl x509 -checkend $((DAYS_BEFORE_EXPIRY * 24 * 3600)) \
9
     -noout -in "$cert"; then
10
    echo "$cert is expiring soon"
11
    # Trigger certificate renewal process
12
  fi
13
done

2. Access Control Matrix#

1
# Role-based access per cluster
2
roles:
3
  cluster_a_analyst:
4
    cluster_permissions:
5
      - "cluster:monitor/remote/info"
6
    index_permissions:
7
      - index_patterns:
8
          - "ca-wazuh-indexer-1:wazuh-alerts-*"
9
        allowed_actions:
10
          - "read"
11
          - "search"
12

13
  cluster_b_analyst:
14
    cluster_permissions:
15
      - "cluster:monitor/remote/info"
16
    index_permissions:
17
      - index_patterns:
18
          - "cb-wazuh-indexer-1:wazuh-alerts-*"
19
        allowed_actions:
20
          - "read"
21
          - "search"

3. Monitoring Dashboard#

Create visualizations for CCS operations:

1
{
2
  "visualization": {
3
    "title": "Cross-Cluster Alert Distribution",
4
    "visState": {
5
      "type": "pie",
6
      "params": {
7
        "addTooltip": true,
8
        "addLegend": true,
9
        "legendPosition": "right"
10
      },
11
      "aggs": [
12
        {
13
          "id": "1",
14
          "type": "count",
15
          "schema": "metric"
16
        },
17
        {
18
          "id": "2",
19
          "type": "terms",
20
          "schema": "segment",
21
          "params": {
22
            "field": "_index",
23
            "size": 10,
24
            "order": "desc",
25
            "orderBy": "1"
26
          }
27
        }
28
      ]
29
    }
30
  }
31
}

Use Cases and Benefits#

MSSP Operations#

1
flowchart TB
2
    subgraph "MSSP SOC"
3
        SOC1[Tier 1 Analyst] --> DASH[CCS Dashboard]
4
        SOC2[Tier 2 Analyst] --> DASH
5
        SOC3[Incident Response] --> DASH
6
    end
7

8
    subgraph "Customer Environments"
9
        DASH -.->|Monitor| C1[Banking Customer]
10
        DASH -.->|Monitor| C2[Healthcare Customer]
11
        DASH -.->|Monitor| C3[Retail Customer]
12
    end
13

14
    subgraph "Benefits"
15
        B1[Unified Monitoring]
16
        B2[Data Isolation]
17
        B3[Scalable Growth]
18
        B4[Compliance Ready]
19
    end
20

21
    style B1 fill:#51cf66
22
    style B2 fill:#51cf66
23
    style B3 fill:#51cf66
24
    style B4 fill:#51cf66

Enterprise Multi-Region Deployment#

1
# Global CCS configuration
2
cluster.remote:
3
  us-east-cluster:
4
    seeds: ["10.0.1.100:9300"]
5
    skip_unavailable: true
6

7
  eu-west-cluster:
8
    seeds: ["10.1.1.100:9300"]
9
    skip_unavailable: true
10

11
  apac-cluster:
12
    seeds: ["10.2.1.100:9300"]
13
    skip_unavailable: true

Scaling Considerations#

Adding New Clusters#

1
# Automated cluster onboarding script
2
#!/bin/bash
3
CLUSTER_NAME=$1
4
CLUSTER_IP=$2
5

6
# Add to CCS configuration
7
curl -X PUT "https://192.168.186.60:9200/_cluster/settings" \
8
  -H "Content-Type: application/json" \
9
  -d '{
10
    "persistent": {
11
      "cluster.remote.'$CLUSTER_NAME'": {
12
        "seeds": ["'$CLUSTER_IP':9300"]
13
      }
14
    }
15
  }'
16

17
# Create index pattern
18
curl -X POST "https://192.168.186.60:5601/api/saved_objects/index-pattern" \
19
  -H "Content-Type: application/json" \
20
  -H "kbn-xsrf: true" \
21
  -d '{
22
    "attributes": {
23
      "title": "'$CLUSTER_NAME':wazuh-alerts-*",
24
      "timeFieldName": "timestamp"
25
    }
26
  }'

Performance Metrics#

Monitor CCS performance:

1
GET _nodes/stats/transport
2
{
3
  "nodes": {
4
    "...": {
5
      "transport": {
6
        "remote": {
7
          "ca-wazuh-indexer-1": {
8
            "success_count": 15234,
9
            "failure_count": 2,
10
            "avg_response_time": "45ms"
11
          }
12
        }
13
      }
14
    }
15
  }
16
}

Security Recommendations#

1. Network Segmentation#

Use dedicated VLANs for CCS traffic
Implement VPN tunnels for WAN connections
Enable mTLS for all communications

2. Audit Trail#

1
# Enable CCS audit logging
2
PUT _cluster/settings
3
{
4
  "persistent": {
5
    "plugins.security.audit.type": "internal_opensearch",
6
    "plugins.security.audit.config.disabled_rest_categories": [],
7
    "plugins.security.audit.config.disabled_transport_categories": []
8
  }
9
}

3. Regular Security Reviews#

Monthly certificate rotation
Quarterly access reviews
Annual penetration testing

Conclusion#

Cross-Cluster Search transforms Wazuh into a powerful multi-tenant security platform, enabling:

✅ Centralized monitoring without data centralization
🏢 Multi-organization support with complete isolation
🌍 Geographic distribution with local data residency
📈 Linear scalability by adding clusters
🔐 Enhanced security through isolation

This architecture is ideal for MSSPs, large enterprises, and organizations with strict data residency requirements, providing the best of both worlds: unified visibility with distributed control.

Key Takeaways#

Data Sovereignty: Customer data never leaves their environment
Scalable Architecture: Add clusters without impacting existing ones
Security First: Each cluster maintains its own security boundary
Operational Efficiency: Single dashboard for multi-cluster operations
Compliance Ready: Meets data residency and isolation requirements

Resources#

Unified security visibility across boundaries. Scale without limits! 🚀