The current Wazuh persistence model doesn't work well in a cluster environment due to these limitations:
Scalability: because each Server holds its own data, scaling up or down requires that data to be recreated too often, leading to lower performance and bottlenecks.
Consistency: when an Agent connects to a different Server, its data must be recreated there, leading to inconsistencies.
Analytics: building dashboards and analytics on top of the Server's database is cumbersome with our current dashboard solutions and results in an overly complicated RBAC setup.
Storage: backup and replica options are cumbersome.
We want to leverage the Indexer as the data store. The Indexer architecture, based on OpenSearch, provides a scalable and replicated data store that might avoid the limitations above.
Data flow
The Agents acquire the data and send requests to the Agent comms API, which routes the relevant information to each Server module. Server modules process their information and update the Indexer with their results.
The load balancer will balance per request. This forces all the modules to be request-driven and requires a distributed store with all the contextual information they might need for their processing. We might need to change some processes so they adapt better to the characteristics of the Indexer (a document-oriented, distributed, non-transactional store).
Agent registration
The current Wazuh Agent enrollment process is replaced with a standard token-based validation protocol. During Wazuh agent deployment, the agent is registered using the /registration endpoint of the Server management API.
The Wazuh Agents' information is stored in the Indexer component.
At this point, the Agent can use its credentials to get and validate the authorization token used in the Agent comms API. This token is computationally validated on the server side and must be renewed before it expires with a /login request to the Agent comms API.
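The registration and token-renewal flow above can be sketched as a small client. The /registration and /login endpoints come from this design; the payload shapes, the response fields (`token`, `expires_in`), and the renewal margin are illustrative assumptions, not the actual API contract.

```python
import time

class AgentClient:
    """Sketch of the registration and token-renewal flow.

    The /registration and /login endpoints come from the design above; the
    payloads, the response fields ('token', 'expires_in') and the renewal
    margin are illustrative assumptions.
    """

    def __init__(self, transport, renew_margin=30):
        self.transport = transport        # callable(endpoint, payload) -> dict
        self.renew_margin = renew_margin  # renew this many seconds before expiry
        self.credentials = None
        self.token = None
        self.expires_at = 0.0

    def register(self, agent_id, key):
        # One-time enrollment through the Server management API.
        self.credentials = {"agent_id": agent_id, "key": key}
        return self.transport("/registration", self.credentials)

    def _login(self):
        # Exchange credentials for a short-lived authorization token.
        resp = self.transport("/login", self.credentials)
        self.token = resp["token"]
        self.expires_at = time.time() + resp["expires_in"]

    def get_token(self):
        # Tokens must be renewed before they expire; renew a little early.
        if self.token is None or time.time() >= self.expires_at - self.renew_margin:
            self._login()
        return self.token
```

A caller simply invokes get_token() before each Agent comms API request; the client transparently re-authenticates shortly before the token expires.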
Agent commands
Each Agent will use the Agent comms API's /commands endpoint to poll for commands. Agents must keep this polling active at all times, re-sending the /commands request whenever it drops.
Commands will be stored as an event stream in the Indexer. This stream will be continuously processed by the Commands manager as described in the diagram.
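The always-on polling requirement can be sketched as a loop that re-issues the request whenever it returns or the connection drops. Here `fetch` stands in for one /commands long-poll request; its real HTTP shape is not specified in this design.

```python
import time

def poll_commands(fetch, handle, retry_delay=1.0, max_retries=3):
    """Sketch of the always-on /commands polling loop.

    `fetch` stands in for one /commands long-poll request (an assumption;
    the real HTTP call shape is not specified here). The request is re-sent
    whenever it returns or the connection drops.
    """
    retries = 0
    while True:
        try:
            batch = fetch()               # blocks until commands arrive or times out
        except ConnectionError:
            retries += 1
            if retries > max_retries:
                raise                     # give up after repeated failures
            time.sleep(retry_delay)
            continue                      # re-send the /commands request
        retries = 0
        if batch is None:                 # sentinel used to stop this sketch
            return
        for cmd in batch:
            handle(cmd)
```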
Challenges
Some security modules require contextual data for their processing. Keeping this data in the Indexer will slow down their processing and increase the workload of the Indexer.
Functional requirements
Indexer initialization
The Wazuh Indexer must ensure that all of its required resources are in place during initialization.
The currently identified requirements are:
Streams indices, mappings, and ingest pipelines.
States indices, mappings, and ingest pipelines.
Agent list index, mappings, and ingest pipelines.
RBAC by default. Identify all necessary users and their minimum permissions.
Rollover + alias configuration for stream indices.
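As a rough illustration of the rollover + alias requirement, the Initialization plugin would need to issue requests along these lines for each stream. The index template API and the `is_write_index` alias flag are standard OpenSearch; the `<stream>-000001` naming convention here is only a placeholder, as the real naming scheme belongs to the plugin.

```python
def stream_index_bootstrap(stream, shards=1, replicas=1):
    """Build the OpenSearch requests that bootstrap one stream index with
    rollover-ready naming and a write alias. The index template API and the
    'is_write_index' flag are standard OpenSearch; the '<stream>-000001'
    naming scheme is only an illustrative convention.
    """
    template = {
        "index_patterns": [f"{stream}-*"],
        "template": {
            "settings": {
                "number_of_shards": shards,
                "number_of_replicas": replicas,
            },
        },
    }
    # The first backing index carries the write alias so rollover can advance it.
    first_index = {"aliases": {stream: {"is_write_index": True}}}
    return [
        ("PUT", f"/_index_template/{stream}", template),
        ("PUT", f"/{stream}-000001", first_index),
    ]
```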
Stateful modules
The Agent comms API module in the Server updates the states in the Indexer based on stateful requests sent by Agents.
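A state update of this kind maps naturally to an Indexer upsert. The sketch below builds such a request using the standard OpenSearch `_update` API with `doc_as_upsert`; the index name and the document-id scheme (agent id plus module) are assumptions for illustration.

```python
def build_state_upsert(index, agent_id, module, state):
    """Build an Indexer update request for one stateful document.

    Uses the standard OpenSearch '_update' API with 'doc_as_upsert' so the
    document is created on first write. The index name and the document-id
    scheme (agent id + module) are assumptions for illustration.
    """
    doc_id = f"{agent_id}_{module}"
    body = {"doc": state, "doc_as_upsert": True}
    return ("POST", f"/{index}/_update/{doc_id}", body)
```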
Commands
Every Agent must poll for commands using the /poll_commands Agent comms API endpoint.
To send a command to an Agent, use the send_commands Agent comms API endpoint.
During send_commands endpoint processing, commands are sent to the Commands stream in the Indexer.
The Indexer must process the Commands stream and send the command execution to the Server node where the Agent's /poll_commands request is made.
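The delivery semantics described above (send_commands appends to the stream, each /poll_commands drains what is pending for that agent) can be modeled in memory like this. The real Commands manager runs as an Indexer plugin over the Commands stream; this only illustrates the contract.

```python
from collections import defaultdict, deque

class CommandsManagerSketch:
    """In-memory model of the command delivery semantics: send_commands
    appends to a per-agent stream, and each /poll_commands drains whatever
    is pending for that agent. The real Commands manager runs as an Indexer
    plugin over the Commands stream; this only illustrates the contract.
    """

    def __init__(self):
        self._pending = defaultdict(deque)

    def send_command(self, agent_id, command):
        # Server side: append the command to the agent's stream.
        self._pending[agent_id].append(command)

    def poll_commands(self, agent_id):
        # Agent side: drain and return every command queued for this agent.
        queue = self._pending[agent_id]
        drained = list(queue)
        queue.clear()
        return drained
```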
Non-functional requirements
Scalability. The system must handle a growing number of Agents and data without performance degradation.
Performance. The system must ensure low-latency data processing and communication between Agents and Servers. Indexer queries and updates should be optimized to handle high throughput.
Availability. The system must be highly available with minimal downtime. Indexer clusters should have redundancy and failover mechanisms.
Reliability. Data consistency and reliability must be maintained across all components. The system should guarantee the successful delivery and processing of data and commands.
Security. Access controls and authentication mechanisms must be enforced throughout the system.
Maintainability. Clear documentation and well-defined interfaces for components are necessary to facilitate development.
Manageability. The system should provide monitoring and alerting capabilities to track performance and health. Administrative tasks such as backups, scaling, and updates should be automated as much as possible.
Resource Efficiency. Efficient use of CPU, memory, and storage resources must be considered in the design.
Implementation restrictions
The Indexer initialization will be implemented via an Indexer plugin (Initialization plugin).
The Commands stream processing will be implemented via an Indexer plugin (Commands manager). The OpenSearch Job Scheduler plugin should be considered as a base for this.
Teams involved: @wazuh/devel-agent @wazuh/devel-pyserver @wazuh/devel-indexer @wazuh/devel-dashboard
Feature complete implementation.
Develop Indexer initialization plugin with: RBAC by default. Identify all necessary users and their minimum permissions. Rollover + alias configuration for stream indices.
Owner: @wazuh/devel-indexer
Teams involved: @wazuh/devel-indexer @wazuh/devel-pyserver
Develop Agent FIM and SCA module modifications.
Owner: @wazuh/devel-agent
Teams involved: @wazuh/devel-agent @wazuh/devel-pyserver @wazuh/devel-dashboard
Develop the rest of default commands use cases.
Owner: @wazuh/devel-agent
Teams involved: @wazuh/devel-agent @wazuh/devel-pyserver @wazuh/devel-cppserver @wazuh/devel-indexer @wazuh/devel-dashboard
Stateful modules
Some Agent modules generate events based on state changes. This state persists between agent restarts.
Every Agent is responsible for its own state.
Every Agent stateful module uses a specific Agent comms API endpoint.
The currently identified stateful modules are:
Stateless modules
Every Agent stateless module uses a specific Agent comms API endpoint.
Every Agent stateful event also generates a stateless event.
Plan
Spike. ETA 6/27/2024
MVP implementation.
Indexer initialization plugin wazuh-indexer-plugins#9
Data persistence model definition
Commands Manager plugin
Develop Agent Inventory module modifications wazuh-agent#15
Agent centralized configuration wazuh-agent#32
Integration (? weeks)
Acceptance testing (2 weeks) @wazuh/devel-qa
Benchmarking
Limit testing
End-to-end testing @wazuh/devel-cloud @wazuh/devel-devops
Global queries for FIM and inventory data #20540
Functionality testing tier 1 wazuh-qa#4715
Index State Management default policy #18999