As part of the vulnerability detector refactor, the global vulnerability state will be consolidated by the API. If there's a Wazuh manager cluster running in the environment this will only be performed by the master node.
Wazuh manager will synchronize vulnerability state information to a specific Wazuh indexer index. In a Wazuh manager cluster scenario, the API will use the Wazuh agent connection information and vulnerability state indices to build the global vulnerability state.
Concepts:
Global vulnerability state. The global vulnerability state only contains the most up-to-date vulnerability information that belongs to agents registered in a Wazuh environment (considering active agents' information).
Functional requirements
Users will be able to search global vulnerability state information in a single Wazuh indexer index, but only if the vulnerability detector module is enabled.
Users will use the vulnerability detector placeholder setting to disable the global vulnerability state synchronization.
Users will be able to change the global state synchronization interval.
Non-functional requirements
Performance. API queries to both global.db and Wazuh indexer should be as performant as possible.
Performance. Capacity testing with 50K agents. 25 managers. 2 vd state changes per agent per second. 500 initial vd state elements per agent.
None of the implemented features will delay the Wazuh manager initialization process.
Implementation restrictions
Only execution errors will be logged. A significant delay (2m) will be considered an error.
The Wazuh API will spawn a new child process in charge of the synchronization.
Wazuh API should be modified as little as possible.
To communicate with the Wazuh indexer API, the pip package opensearch-dsl will be used.
The synchronization interval minimum value should guarantee global.db and Wazuh indexer performance (10s).
The synchronization interval maximum value should guarantee that the global vulnerability state is usable (10m).
Wazuh indexer connection information will be fetched from the wazuh-connector configuration block in the ossec.conf file.
In a Wazuh manager cluster scenario, this synchronization will only take place in the master node.
The reindex API should be considered (all fields that may change should be hashed and stored in the document ID).
To clean deleted agents in the global vulnerability state index, a different, hardcoded interval (24h) will be used due to performance issues with global.db.
The global vulnerability index creation will be managed by the API. The name of the index will be wazuh-states-vulnerabilities-manager_cluster_name. If there's no cluster enabled we should use the default name as manager_cluster_name (wazuh?).
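The restrictions above fix several pieces of behaviour the synchronization process has to get right: the index name derived from the cluster name, the [10s, 10m] bounds on the interval, document IDs built from a hash of the fields that may change (so a changed state produces a new document and the old one must be removed, which is what the reindex note is about), and a separate cleanup pass for agents deleted from global.db. The following is an added example, not Wazuh's own code: it models that decision logic offline with plain dictionaries in place of opensearch-dsl calls. The field set, the default cluster name "wazuh", the helper names and the sample state are assumptions constructed for illustration.

```python
"""Added example (not Wazuh code): decision logic for the global vulnerability
state synchronization described in the issue. Field names, the default
cluster name and the sample data are assumptions for illustration."""
import hashlib
import json
from typing import Optional

# Bounds stated in the issue: minimum 10s, maximum 10m.
MIN_SYNC_INTERVAL_S = 10
MAX_SYNC_INTERVAL_S = 10 * 60
DEFAULT_CLUSTER_NAME = "wazuh"  # assumption: used when no cluster is enabled


def index_name(cluster_enabled: bool, cluster_name: Optional[str]) -> str:
    """Build 'wazuh-states-vulnerabilities-<manager_cluster_name>'."""
    name = cluster_name if cluster_enabled and cluster_name else DEFAULT_CLUSTER_NAME
    return f"wazuh-states-vulnerabilities-{name}"


def clamp_interval(requested: int) -> int:
    """Keep a user-supplied sync interval inside the allowed [10s, 10m] window."""
    return max(MIN_SYNC_INTERVAL_S, min(MAX_SYNC_INTERVAL_S, requested))


# Fields that may change between synchronizations; all of them feed the
# document ID (assumed set, constructed for the example).
MUTABLE_FIELDS = ("agent_id", "cve", "package_name", "package_version", "status")


def document_id(doc: dict) -> str:
    """Hash the mutable fields: an unchanged state maps to the same ID (an
    idempotent overwrite), a changed state maps to a brand-new document."""
    material = json.dumps({k: doc.get(k) for k in MUTABLE_FIELDS}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


def plan_sync(agent_docs: list, indexed: dict, active_agents: set) -> dict:
    """Return the documents to upsert and the stale IDs to delete for one
    synchronization round. `indexed` maps current document IDs to documents."""
    # Only active, registered agents contribute to the global state.
    upserts = {document_id(d): d for d in agent_docs if d["agent_id"] in active_agents}
    # An active agent's old document whose hashed fields changed now has a
    # different ID; without deleting it the index would keep both versions.
    deletes = sorted(
        doc_id for doc_id, d in indexed.items()
        if d["agent_id"] in active_agents and doc_id not in upserts
    )
    return {"upsert": upserts, "delete": deletes}


def stale_ids_for_deleted_agents(indexed: dict, registered_agents: set) -> list:
    """The separate (24h) cleanup: documents whose agent is no longer in global.db."""
    return sorted(i for i, d in indexed.items() if d["agent_id"] not in registered_agents)


def make_doc(agent_id, cve, package, version, status):
    return {"agent_id": agent_id, "cve": cve, "package_name": package,
            "package_version": version, "status": status}


# Constructed sample: what the index held after the previous round.
OLD_001 = make_doc("001", "CVE-PLACEHOLDER-1", "libfoo", "1.0", "active")
OLD_002 = make_doc("002", "CVE-PLACEHOLDER-2", "libbar", "2.1", "active")
OLD_003 = make_doc("003", "CVE-PLACEHOLDER-3", "libbaz", "0.9", "active")  # disconnected agent
OLD_004 = make_doc("004", "CVE-PLACEHOLDER-4", "libqux", "3.3", "active")  # agent since deleted
PREVIOUS_INDEX = {document_id(d): d for d in (OLD_001, OLD_002, OLD_003, OLD_004)}

# What the active agents report now: 001 resolved its finding, 002 is unchanged.
CURRENT_STATE = [
    make_doc("001", "CVE-PLACEHOLDER-1", "libfoo", "1.0", "solved"),
    OLD_002,
]
ACTIVE_AGENTS = {"001", "002"}
REGISTERED_AGENTS = {"001", "002", "003"}  # 004 was removed from global.db


def run_example():
    plan = plan_sync(CURRENT_STATE, PREVIOUS_INDEX, ACTIVE_AGENTS)
    stale = stale_ids_for_deleted_agents(PREVIOUS_INDEX, REGISTERED_AGENTS)
    return plan, stale


if __name__ == "__main__":
    plan, stale = run_example()
    print(index_name(True, "prod"))
    print("upsert:", len(plan["upsert"]), "delete:", plan["delete"], "stale:", stale)
```

Agent 003 is registered but not connected, so its document is left alone by the regular round and only the 24h pass could touch it; that separation is what lets the frequent synchronization stay cheap against global.db while deleted agents are still eventually purged.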
Description
As part of the vulnerability detector refactor, the global vulnerability state will be consolidated by the API. If there's a Wazuh manager cluster running in the environment this will only be performed by the master node.
Wazuh manager will synchronize vulnerability state information to a specific Wazuh indexer index. In a Wazuh manager cluster scenario, the API will use the Wazuh agent connection information and vulnerability state indices to build the global vulnerability state.
Concepts:
Functional requirements
placeholder
setting to disable the global vulnerability state synchronization.interval
.Non-functional requirements
Implementation restrictions
opensearch-dsl
will be used.wazuh-connector
configuration block in theossec.conf
file.reindex API
should be considered (all fields that may change should be hashed and stored in the document ID).wazuh-states-vulnerabilities-manager_cluster_name
Plan
opensearch-py in the embedded Python interpreter (#23097)
RTM
placeholder setting.
interval for global vulnerability state.
opensearch-dsl for communicating with the Wazuh indexer API.
wazuh-connector configuration block in ossec.conf.
reindex API to handle changes in the document ID.
Approved by