1. Cluster Configuration Overview
The cluster configuration involves defining the role of each Argus node (master or worker), configuring the network settings the nodes use to communicate, and enabling the cluster feature itself. The configuration is managed through the ossec.conf file and the dedicated cluster configuration file (cluster.conf).
- Master node: Coordinates the cluster, distributes agent data, and handles configuration syncs.
- Worker node: Handles agents and log collection and forwards the data to the master node.
2. Location of Cluster Configuration
The cluster configuration is typically found in:
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cluster.conf
- The ossec.conf file contains the main configuration for Argus, including enabling the cluster mode.
- The cluster.conf file is dedicated to the settings specific to the cluster, such as the role of the node, IP addresses, and ports.
3. Enabling Cluster in ossec.conf
To enable clustering, edit the ossec.conf file and add a <cluster> block that turns on cluster mode:
<cluster>
  <name>argus-cluster</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>your-cluster-key</key>
  <port>1516</port>
  <bind_addr>192.168.1.100</bind_addr>
  <use_source_ip>no</use_source_ip>
  <hidden>no</hidden>
</cluster>
Explanation of key parameters:
- name: The name of the cluster, which should be the same for all nodes in the cluster.
- node_name: A unique name for each node in the cluster (e.g., master-node, worker-node1).
- node_type: The type of the node, either master or worker.
- key: A shared secret key used for secure communication between the cluster nodes.
- port: The port used for cluster communication (default is 1516).
- bind_addr: The IP address the node should bind to for cluster communication.
- use_source_ip: Set to yes if you want to use the source IP of incoming connections for communication; otherwise, no.
- hidden: Whether or not to hide the node from agent lists.
4. Worker Node Configuration
A worker node is configured like the master node, but with node_type set to worker:
<cluster>
  <name>argus-cluster</name>
  <node_name>worker-node1</node_name>
  <node_type>worker</node_type>
  <key>your-cluster-key</key>
  <port>1516</port>
  <bind_addr>192.168.1.101</bind_addr>
  <hidden>no</hidden>
</cluster>
Ensure the name and key are the same as the master node to allow proper communication.
5. Advanced Cluster Configuration in cluster.conf
The cluster.conf file, found in /var/ossec/etc/shared/, holds additional settings for the cluster operation:
<cluster>
  <node>
    <name>worker-node1</name>
    <address>192.168.1.101</address>
  </node>
  <node>
    <name>worker-node2</name>
    <address>192.168.1.102</address>
  </node>
</cluster>
In this file:
- name: The name of the worker node.
- address: The IP address of the worker node.
You can add as many worker nodes as you need in this file.
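The settings in sections 3 to 5 only work when they agree across every node: the same name, key and port everywhere, a unique node_name per node, exactly one master, and every worker listed in cluster.conf with the address it actually binds to. The script below is an added example, not code from the Argus project; it parses the <cluster> blocks and the cluster.conf node list in the shapes shown on this page and reports mismatches. The sample configurations are constructed from the page, the placeholder-key list and the 32-character key length are assumptions of the example.

```python
"""Cross-check every node's <cluster> block against cluster.conf.
Added example, not Argus code; all sample configurations are constructed."""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: the master's <cluster> block from section 3.
MASTER_OSSEC_CONF = """\
<cluster>
  <name>argus-cluster</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>your-cluster-key</key>
  <port>1516</port>
  <bind_addr>192.168.1.100</bind_addr>
  <use_source_ip>no</use_source_ip>
  <hidden>no</hidden>
</cluster>
"""

# Constructed sample: the cluster.conf worker list from section 5.
CLUSTER_CONF = """\
<cluster>
  <node><name>worker-node1</name><address>192.168.1.101</address></node>
  <node><name>worker-node2</name><address>192.168.1.102</address></node>
</cluster>
"""

# A <key> left at one of these values is treated as unset (assumed list).
PLACEHOLDER_KEYS = {"", "your-cluster-key", "changeme", "secret", "password"}


def worker_ossec_conf(node_name, bind_addr, key="your-cluster-key"):
    """Build a worker's <cluster> block in the shape shown in section 4."""
    return f"""\
<cluster>
  <name>argus-cluster</name>
  <node_name>{node_name}</node_name>
  <node_type>worker</node_type>
  <key>{key}</key>
  <port>1516</port>
  <bind_addr>{bind_addr}</bind_addr>
  <hidden>no</hidden>
</cluster>
"""


def parse_cluster_block(xml_text):
    """Return a <cluster> block (bare or inside <ossec_config>) as a {tag: text} dict."""
    root = ET.fromstring(xml_text)
    cluster = root if root.tag == "cluster" else root.find("cluster")
    if cluster is None:
        raise ValueError("no <cluster> block found")
    return {child.tag: (child.text or "").strip() for child in cluster}


def parse_cluster_nodes(xml_text):
    """Return cluster.conf's worker list as a {node name: address} dict."""
    root = ET.fromstring(xml_text)
    return {node.findtext("name", "").strip(): node.findtext("address", "").strip()
            for node in root.findall("node")}


def validate(node_blocks, worker_list):
    """Return a list of findings; an empty list means the configs agree."""
    findings = []
    masters = [b for b in node_blocks if b.get("node_type") == "master"]
    if len(masters) != 1:
        findings.append(f"expected exactly one master node, found {len(masters)}")
    # name, key and port must be identical on every node (section 4).
    for tag in ("name", "key", "port"):
        values = {b.get(tag, "") for b in node_blocks}
        if len(values) != 1:
            shown = "(values not shown)" if tag == "key" else sorted(values)
            findings.append(f"<{tag}> differs between nodes: {shown}")
    if node_blocks and node_blocks[0].get("key", "").lower() in PLACEHOLDER_KEYS:
        findings.append("<key> is empty or a placeholder; set one long random secret on every node")
    node_names = [b.get("node_name", "") for b in node_blocks]
    duplicates = sorted({n for n in node_names if node_names.count(n) > 1})
    if duplicates:
        findings.append(f"duplicate <node_name>: {duplicates}")
    # Every worker must appear in cluster.conf with its bind_addr (section 5).
    for b in node_blocks:
        if b.get("node_type") != "worker":
            continue
        listed = worker_list.get(b.get("node_name", ""))
        if listed is None:
            findings.append(f"worker {b.get('node_name')} is missing from cluster.conf")
        elif listed != b.get("bind_addr"):
            findings.append(f"worker {b.get('node_name')}: cluster.conf address {listed} "
                            f"does not match bind_addr {b.get('bind_addr')}")
    return findings


def check_page_example():
    """Validate the page's master and two workers against its cluster.conf."""
    blocks = [parse_cluster_block(MASTER_OSSEC_CONF),
              parse_cluster_block(worker_ossec_conf("worker-node1", "192.168.1.101")),
              parse_cluster_block(worker_ossec_conf("worker-node2", "192.168.1.102"))]
    return validate(blocks, parse_cluster_nodes(CLUSTER_CONF))


def new_cluster_key():
    """32 hex chars from the OS CSPRNG; the length is an assumption of this example."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    print("\n".join(check_page_example() or ["cluster configuration is consistent"]))
```

Run against the page's own values, the only finding is that your-cluster-key is still the placeholder; once every node carries the same key from new_cluster_key() the check passes, and changing one worker's key or listing a wrong address in cluster.conf produces a finding naming the node.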
6. Synchronization and Data Flow
Once the cluster is configured, worker nodes collect logs from their agents and forward them to the master node. The master node then decodes the logs, analyzes them, and applies the rules.
The following elements are synchronized across the cluster:
- Agent information: Agent registration data, keys, and status are synchronized across all nodes.
- Rule updates: Any rule changes or updates made on the master node are pushed to worker nodes.
- Configuration files: Changes to configuration files (e.g., ossec.conf) are synchronized across all nodes.
7. Cluster Communication and Ports
By default, the cluster communicates over TCP port 1516. You can change this in the ossec.conf file as needed.
Ensure that this port is open in your firewall settings to allow communication between the master and worker nodes.
8. Monitoring Cluster Status
Once clustering is set up, you can monitor the cluster status via the Argus Dashboard or by checking the Argus logs.
- The master node logs cluster synchronization status, connection issues, and errors related to worker nodes.
- The cluster log is located at /var/ossec/logs/cluster.log.
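Reading cluster.log by hand does not scale once several workers report, so a small monitor that tracks each worker's last completed synchronization and its error count is useful. The script below is an added example, not Argus code. The line format it parses ("date time LEVEL: [node] message") and the message wording it matches are assumptions; adapt LINE_RE and SYNC_DONE to the real cluster.log. The sample log excerpt is constructed.

```python
"""Flag workers with connection errors or no recent sync in cluster.log.
Added example, not Argus code; log format and sample lines are assumed."""
import re
from datetime import datetime, timedelta

# Constructed sample cluster.log excerpt in the assumed format.
SAMPLE_LOG = """\
2024/05/01 10:00:00 INFO: [worker-node1] Connected to master
2024/05/01 10:00:05 INFO: [worker-node1] Agent info synchronization finished
2024/05/01 10:00:07 INFO: [worker-node2] Connected to master
2024/05/01 10:00:12 INFO: [worker-node2] Agent info synchronization finished
2024/05/01 10:09:58 INFO: [worker-node1] Agent info synchronization finished
2024/05/01 10:10:03 WARNING: [worker-node2] Connection lost, retrying
2024/05/01 10:10:20 ERROR: [worker-node2] Could not connect to 192.168.1.100:1516: Connection refused
"""

# Assumed line layout: "YYYY/MM/DD HH:MM:SS LEVEL: [node] message".
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+): "
                     r"\[(?P<node>[^\]]+)\] (?P<msg>.*)$")
SYNC_DONE = "synchronization finished"  # assumed wording of a completed sync


def parse_line(line):
    """Return {ts, level, node, msg} for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    return rec


def summarize(log_text, now, stale_after=timedelta(minutes=5)):
    """Per node: last successful sync, count of WARNING/ERROR lines, stale flag.

    A node is stale when it has never synced or its last sync is older than
    stale_after relative to `now`.
    """
    nodes = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; a real monitor would count these too
        n = nodes.setdefault(rec["node"], {"last_sync": None, "problems": 0, "stale": True})
        if rec["level"] in ("ERROR", "WARNING"):
            n["problems"] += 1
        if SYNC_DONE in rec["msg"]:
            n["last_sync"] = rec["ts"]
    for n in nodes.values():
        n["stale"] = n["last_sync"] is None or now - n["last_sync"] > stale_after
    return nodes


def unhealthy_nodes(log_text, now):
    """Names of nodes that are stale or logged problems, sorted."""
    return sorted(name for name, n in summarize(log_text, now).items()
                  if n["stale"] or n["problems"])


if __name__ == "__main__":
    check_time = datetime(2024, 5, 1, 10, 12, 0)
    for name, info in summarize(SAMPLE_LOG, check_time).items():
        print(name, info)
```

With the sample and a check time of 10:12:00, worker-node1 synced two minutes earlier and is healthy, while worker-node2 has two problem lines and has not synced for almost twelve minutes, so it is reported as stale.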