Cluster management
The cluster_control tool allows you to obtain real-time information about the cluster health, connected nodes, and the agents reporting to the cluster. This information can also be obtained using the ThreatLockDown API cluster endpoints.
For example, the following snippet shows the connected nodes in the cluster:
# /var/ossec/bin/cluster_control -l
NAME      TYPE    VERSION  ADDRESS
worker-1  worker  4.9.0    172.17.0.101
worker-2  worker  4.9.0    172.17.0.102
master    master  4.9.0    172.17.0.100
This information can also be obtained using the ThreatLockDown API endpoint GET /cluster/nodes:
# curl -k -X GET "https://localhost:55000/cluster/nodes?pretty=true" -H "Authorization: Bearer $TOKEN"
{
    "data": {
        "affected_items": [
            {
                "ip": "192.168.56.103",
                "version": "4.9.0",
                "type": "worker",
                "name": "node02"
            },
            {
                "ip": "192.168.56.105",
                "version": "4.9.0",
                "type": "worker",
                "name": "node03"
            },
            {
                "ip": "192.168.56.101",
                "version": "4.9.0",
                "type": "master",
                "name": "node01"
            }
        ],
        "total_affected_items": 3,
        "total_failed_items": 0,
        "failed_items": []
    },
    "message": "All selected nodes information was returned",
    "error": 0
}
If you want to see more examples and check all its options, refer to the cluster_control manual or the cluster endpoints.
Upgrading from older versions
If you already have a cluster installation from version 3.2.2 or older, you should make some changes to your cluster configuration:
Remove the <interval> section.
Remove worker nodes from the <nodes> section. Only the master node is allowed.
The cluster will work with an old configuration but it is recommended to update it.
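The two changes above, written as a check and a rewrite of a legacy cluster block. This is an added example, not the project's own code; the sample configuration, the <node> child element name, the <interval> value and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed pre-upgrade cluster block (not from the page). The <node> child
# element name, the <interval> value and the addresses are assumptions.
LEGACY_CONF = """<ossec_config>
  <cluster>
    <node_type>master</node_type>
    <interval>2m</interval>
    <nodes>
      <node>172.17.0.100</node>
      <node>172.17.0.101</node>
      <node>172.17.0.102</node>
    </nodes>
  </cluster>
</ossec_config>
"""

def _parse(conf_text):
    # Wrap in one root in case the file holds several top-level blocks.
    return ET.fromstring("<wrapper>" + conf_text + "</wrapper>")

def _addr(node):
    return (node.text or "").strip()

def audit_cluster(conf_text):
    """List the legacy settings still present in each <cluster> block."""
    findings = []
    for cluster in _parse(conf_text).iter("cluster"):
        if cluster.find("interval") is not None:
            findings.append("remove the <interval> section")
        listed = cluster.findall("nodes/node")
        if len(listed) > 1:
            findings.append("<nodes> has %d entries; keep only the master" % len(listed))
    return findings

def migrate_cluster(conf_text, master_addr):
    """Drop <interval> and reduce <nodes> to the single master entry."""
    root = _parse(conf_text)
    for cluster in root.iter("cluster"):
        for interval in cluster.findall("interval"):
            cluster.remove(interval)
        for nodes in cluster.findall("nodes"):
            listed = nodes.findall("node")
            if master_addr not in [_addr(n) for n in listed]:
                raise ValueError("master %s is not listed in <nodes>" % master_addr)
            for n in listed:
                if _addr(n) != master_addr:
                    nodes.remove(n)
    return "".join(ET.tostring(block, encoding="unicode") for block in root)
```

Only <interval> elements directly inside <cluster> are touched, so settings with the same name in other sections of the file are left alone. XML comments are not preserved in the rewritten output.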